Dear All:
Due to popular demand I've put the newest version of the Code Red detector
on one of my servers in public, anonymous FTP.  The URL is
<> .  After some research (annotated in
the propaganda), I added the last 10 or so lines of code late yesterday to
do the following:
1.  Ascertain if this is a browser poking around or is it a true attack?
Apparently the worm doesn't send a User-Agent header.
2.  If there's no user agent, it's most likely that the attack is coming
from IIS directly.  If this is the case, cause a browser to pop up on the
infected machine's console advising the admin that the attack has been
detected and reported.
3.  If User-Agent has a value in it, then the supposed attack is coming from
a browser.  Redirect that browser to the "anticodered.html" page.  
There are two items in the codered FTP folder:  codered.php which must be
put in your default web server's top directory.  Remember, the worm isn't
sending Host headers, either, so if you're using virtual name hosting on
Apache, ONLY the default server will be hit.  You must also rename this file
to "default.ida" and do remember to make the AddType directive change in
Apache.  This is also annotated at the top of codered.php.
The second item is the body of the anti-Code Red html page.  There's no head
or body section in that HTML codelet, which will allow you to cut-and-paste
it directly into your template to keep your site's look and feel.  Name it
what you will, but make sure that the configuration at the top of
default.ida matches.
Any improvements or suggestions will be welcome.  I'm still logging over 100
attempts per day and it doesn't seem to be slowing down any at all.  I'd
love to hear about your results and possibly some better techniques for the
free-text parsing bit in the middle that finds the ISP from one of the major
I realise that this appears kinda hasty.  I didn't expect such a heavy or
fast response.  I really appreciate all of your help in getting me on my
feet in PHP.  The transition from ASP to PHP was much easier due to the warm
support and education from all of you on the list.

Bill Farrell
Web Implementer <> 


Reply via email to