RE: Total Fix For Code Red
With the above facts in place wouldn't be possible to, on your server (i.e. the thing that's being attacked) :- a) add an association for .ida to point to the coldfusion engine. b) create a default.ida in which one captures the remote address of the system trying to do the exploit. c) having grabbed the address do a cfhttp back to that address using the backdoor created in code red V3 to disable ( or maybe fix ) that system. I was going to attach the code to do it but.. Or is this totally unethical - love to hear your thoughts I think that it would be wrong to compromise someone else's system, even for ostensibly good goals. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ voice: (202) 797-5496 fax: (202) 797-5444 ~~ Structure your ColdFusion code with Fusebox. Get the official book at http://www.fusionauthority.com/bkinfo.cfm FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/ Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
RE: Total Fix For Code Red
Instead on cfhttp do a net send xxx.xxx.xxx.xxx Your machine is infected with code red. Rich -Original Message- From: Dave Watts [mailto:[EMAIL PROTECTED]] Sent: Monday, August 13, 2001 11:15 AM To: CF-Talk Subject: RE: Total Fix For Code Red With the above facts in place wouldn't be possible to, on your server (i.e. the thing that's being attacked) :- a) add an association for .ida to point to the coldfusion engine. b) create a default.ida in which one captures the remote address of the system trying to do the exploit. c) having grabbed the address do a cfhttp back to that address using the backdoor created in code red V3 to disable ( or maybe fix ) that system. I was going to attach the code to do it but.. Or is this totally unethical - love to hear your thoughts I think that it would be wrong to compromise someone else's system, even for ostensibly good goals. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ voice: (202) 797-5496 fax: (202) 797-5444 ~~ Structure your ColdFusion code with Fusebox. Get the official book at http://www.fusionauthority.com/bkinfo.cfm FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/ Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
RE: Total Fix For Code Red
Or is this totally unethical - love to hear your thoughts I think that it would be wrong to compromise someone else's system, even for ostensibly good goals. Agreed, but what would be the harm of generating an email to webmaster@..., admin@, and support@... with a link to the patch and instructions on how to install it... Instead of doing it for someone, tell them how to do it. Then you might also put a link in said email to a template on your server that would perform the correction on their system (assuming that it is possible to do that). That way you *know* they approve. Hatton Humphrey ~~ Structure your ColdFusion code with Fusebox. Get the official book at http://www.fusionauthority.com/bkinfo.cfm FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/ Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
RE: Total Fix For Code Red
What person in their right mind would click a link they got from an email telling them their server is compromised? Remember, I said right mind. Think of all the malicious attacks that could be propagated in this way. -Original Message- From: C. Hatton Humphrey [mailto:[EMAIL PROTECTED]] Sent: Monday, August 13, 2001 11:26 AM To: CF-Talk Subject: RE: Total Fix For Code Red Or is this totally unethical - love to hear your thoughts I think that it would be wrong to compromise someone else's system, even for ostensibly good goals. Agreed, but what would be the harm of generating an email to webmaster@..., admin@, and support@... with a link to the patch and instructions on how to install it... Instead of doing it for someone, tell them how to do it. Then you might also put a link in said email to a template on your server that would perform the correction on their system (assuming that it is possible to do that). That way you *know* they approve. Hatton Humphrey ~~ Structure your ColdFusion code with Fusebox. Get the official book at http://www.fusionauthority.com/bkinfo.cfm FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/ Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
RE: Total Fix For Code Red
Or is this totally unethical - love to hear your thoughts I think that it would be wrong to compromise someone else's system, even for ostensibly good goals. Agreed, but what would be the harm of generating an email to webmaster@..., admin@, and support@... with a link to the patch and instructions on how to install it... Instead of doing it for someone, tell them how to do it. Then you might also put a link in said email to a template on your server that would perform the correction on their system (assuming that it is possible to do that). That way you *know* they approve. There would be no harm in notifying someone that his computer has been compromised; in fact, I know quite a few people who are doing that. I'd be reluctant to build something that could do the installation itself, though - that's asking for trouble. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ voice: (202) 797-5496 fax: (202) 797-5444 ~~ Structure your ColdFusion code with Fusebox. Get the official book at http://www.fusionauthority.com/bkinfo.cfm FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/ Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
RE: Total Fix For Code Red
Again, I agree... the question was not, would people do this. That's why I suggested including a link to the official download of the patch (maybe I left out the word official there, so I apologies). The latter suggestion, a link to an automatic fix, was added in as an afterthought since the original question included fixing the problem for the attacker. Hatton -Original Message- From: Andrew Tyrone [mailto:[EMAIL PROTECTED]] Sent: Monday, August 13, 2001 11:27 AM To: CF-Talk Subject: RE: Total Fix For Code Red What person in their right mind would click a link they got from an email telling them their server is compromised? Remember, I said right mind. Think of all the malicious attacks that could be propagated in this way. -Original Message- From: C. Hatton Humphrey [mailto:[EMAIL PROTECTED]] Sent: Monday, August 13, 2001 11:26 AM To: CF-Talk Subject: RE: Total Fix For Code Red Or is this totally unethical - love to hear your thoughts I think that it would be wrong to compromise someone else's system, even for ostensibly good goals. Agreed, but what would be the harm of generating an email to webmaster@..., admin@, and support@... with a link to the patch and instructions on how to install it... Instead of doing it for someone, tell them how to do it. Then you might also put a link in said email to a template on your server that would perform the correction on their system (assuming that it is possible to do that). That way you *know* they approve. Hatton Humphrey ~~ Structure your ColdFusion code with Fusebox. Get the official book at http://www.fusionauthority.com/bkinfo.cfm FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/ Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
RE: Total Fix For Code Red
As Server admin: I would agree with Dave. If someone installed an upgrade on my server with out my blessing, I would be very irate. Plus, I would have no proof of what else they installed on the server. Back door?? User account? I would regard this as a virus and the author deserving the same as the original as the code red worm. As an everyday Web dude: Interesting idea. Fight a worm with a worm. Maybe a foreshadowing of the future? Every virus/worm should have a worm-cure that lives on line. Summery: Good idea but, I would avoid writing anything of the type even with the best intentions. Mark W. Breneman -Cold Fusion Developer -Network Administrator Vivid Media [EMAIL PROTECTED] www.vividmedia.com 608.270.9770 -Original Message- From: Dave Watts [mailto:[EMAIL PROTECTED]] Sent: Monday, August 13, 2001 10:37 AM To: CF-Talk Subject: RE: Total Fix For Code Red Or is this totally unethical - love to hear your thoughts I think that it would be wrong to compromise someone else's system, even for ostensibly good goals. Agreed, but what would be the harm of generating an email to webmaster@..., admin@, and support@... with a link to the patch and instructions on how to install it... Instead of doing it for someone, tell them how to do it. Then you might also put a link in said email to a template on your server that would perform the correction on their system (assuming that it is possible to do that). That way you *know* they approve. There would be no harm in notifying someone that his computer has been compromised; in fact, I know quite a few people who are doing that. I'd be reluctant to build something that could do the installation itself, though - that's asking for trouble. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ voice: (202) 797-5496 fax: (202) 797-5444 ~~ Structure your ColdFusion code with Fusebox. Get the official book at http://www.fusionauthority.com/bkinfo.cfm FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/ Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
RE: Total Fix For Code Red
On 8/13/01, Dave Watts penned: There would be no harm in notifying someone that his computer has been compromised; in fact, I know quite a few people who are doing that. I'd be reluctant to build something that could do the installation itself, though - that's asking for trouble. How would you get contact information from an IP address to notify someone? -- Bud Schneehagen - Tropical Web Creations _/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/ ColdFusion Solutions / eCommerce Development [EMAIL PROTECTED] http://www.twcreations.com/ 954.721.3452 ~~ Structure your ColdFusion code with Fusebox. Get the official book at http://www.fusionauthority.com/bkinfo.cfm FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/ Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
RE: Total Fix For Code Red
How would you get contact information from an IP address to notify someone? You can do a reverse DNS lookup, then find out who's responsible for that name. Obviously, this won't always work. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ voice: (202) 797-5496 fax: (202) 797-5444 ~~ Structure your ColdFusion code with Fusebox. Get the official book at http://www.fusionauthority.com/bkinfo.cfm FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/ Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
RE: Total Fix For Code Red
With a net send you only need the ip address and it will pop-up an alert box on the infected machine, no reverse dns, no guessing admin emails. The only thing is that someone has to look at the screen to see the message. -Original Message- From: Bud [mailto:[EMAIL PROTECTED]] Sent: Monday, August 13, 2001 12:20 PM To: CF-Talk Subject: RE: Total Fix For Code Red On 8/13/01, Dave Watts penned: There would be no harm in notifying someone that his computer has been compromised; in fact, I know quite a few people who are doing that. I'd be reluctant to build something that could do the installation itself, though - that's asking for trouble. How would you get contact information from an IP address to notify someone? -- Bud Schneehagen - Tropical Web Creations _/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/ ColdFusion Solutions / eCommerce Development [EMAIL PROTECTED] http://www.twcreations.com/ 954.721.3452 ~~ Structure your ColdFusion code with Fusebox. Get the official book at http://www.fusionauthority.com/bkinfo.cfm FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/ Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
RE: Total Fix For Code Red
With a net send you only need the ip address and it will pop-up an alert box on the infected machine, no reverse dns, no guessing admin emails. The only thing is that someone has to look at the screen to see the message. This assumes a couple of things. First, that the target machine is accessible via Windows Networking (NetBIOS over TCP/IP) and second, that the Messenger service is running on the target machine, and finally, that you have rights to connect via Windows Networking and send the message. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ voice: (202) 797-5496 fax: (202) 797-5444 ~~ Structure your ColdFusion code with Fusebox. Get the official book at http://www.fusionauthority.com/bkinfo.cfm FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/ Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
RE: Total Fix For Code Red
On 8/13/01, Dave Watts penned: How would you get contact information from an IP address to notify someone? You can do a reverse DNS lookup, then find out who's responsible for that name. Obviously, this won't always work. Yeah, but 99% of the time you're just going to get an ISP on a reverse lookup. You certainly aren't going to get any help from them finding out who was assigned that IP address at that time (if dynamic) or who is assigned it permanently (if static). -- Bud Schneehagen - Tropical Web Creations _/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/ ColdFusion Solutions / eCommerce Development [EMAIL PROTECTED] http://www.twcreations.com/ 954.721.3452 ~~ Structure your ColdFusion code with Fusebox. Get the official book at http://www.fusionauthority.com/bkinfo.cfm FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/ Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
RE: Total Fix For Code Red
Yeah, but 99% of the time you're just going to get an ISP on a reverse lookup. You certainly aren't going to get any help from them finding out who was assigned that IP address at that time (if dynamic) or who is assigned it permanently (if static). That's correct, for dialup/cable-modem/DSL users - who shouldn't be running publicly-available web servers in the first place most of the time. We're starting to see enforcement of no-hosting provisions for these users as a result of this. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ voice: (202) 797-5496 fax: (202) 797-5444 ~~ Structure your ColdFusion code with Fusebox. Get the official book at http://www.fusionauthority.com/bkinfo.cfm FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/ Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
RE: Total Fix For Code Red
On 8/13/01, Richard Kuryk penned: With a net send you only need the ip address and it will pop-up an alert box on the infected machine, no reverse dns, no guessing admin emails. The only thing is that someone has to look at the screen to see the message. What's the syntax? I get an error that The message alias (my IP address) could not be found on the network. -- Bud Schneehagen - Tropical Web Creations _/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/ ColdFusion Solutions / eCommerce Development [EMAIL PROTECTED] http://www.twcreations.com/ 954.721.3452 ~~ Structure your ColdFusion code with Fusebox. Get the official book at http://www.fusionauthority.com/bkinfo.cfm FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/ Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
RE: Total Fix For Code Red
Yes, but if they don't know they have code red and there machine is unpatched, I would imagine the admin is some home user that got a cd from of nt server and doesn't have a clue how to properly configure and secure there box. So for the people that are still infected they have every service known to man running and probably won't even know what to do to correct the situation, once notified! Now because of these morons we can't run a small personal web site, since all high speed connections will start to shut down incoming port 80. So far mine is still up, but not sure for how much longer since my logs have tons of cable users requesting default.ida! Syntax : net send xxx.xxx.xxx.xxx some msg here Rich -Original Message- From: Dave Watts [mailto:[EMAIL PROTECTED]] Sent: Monday, August 13, 2001 2:29 PM To: CF-Talk Subject: RE: Total Fix For Code Red With a net send you only need the ip address and it will pop-up an alert box on the infected machine, no reverse dns, no guessing admin emails. The only thing is that someone has to look at the screen to see the message. This assumes a couple of things. First, that the target machine is accessible via Windows Networking (NetBIOS over TCP/IP) and second, that the Messenger service is running on the target machine, and finally, that you have rights to connect via Windows Networking and send the message. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ voice: (202) 797-5496 fax: (202) 797-5444 ~~ Structure your ColdFusion code with Fusebox. Get the official book at http://www.fusionauthority.com/bkinfo.cfm FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/ Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
Re: Total Fix For Code Red
You could automate it thru CF to loop thru your log file:
CFQUERY NAME=rs
DBTYPE=dynamic
CONNECTSTRING=Driver={Microsoft Text Driver (*.txt;
*.csv)};Dbq=c:\;Extensions=asc,csv,tab,txt;Persist Security Info=False;
SELECT clienthost from internetlog.csv
/CFQUERY
cfset crlf=chr(10) chr(13)
cfloop query=rs
cffile action = write
file = c:\codered.bat
output = net send #rs.clienthost# Hello:
Your machine is infected with Code Red virus and is
attempting to infect my machine. Please patch ASAP.
cftry
cfexecute name=c:\codered.bat
timeout = 10
/cfexecute
cffile action=append
file = c:\coderedLOG.txt
output = Notification of #rs.clienthost# successful#crlf#
cfcatch
cffile action=append
file = c:\coderedLOG.txt
output = Notification of #rs.clienthost# not successful#crlf#
/cfcatch
/cftry
/cfloop
tom
Richard Kuryk [EMAIL PROTECTED] wrote in message
3A8BAD034B37D3118C6F009027791324043F60D7@NTSVR1">news:3A8BAD034B37D3118C6F009027791324043F60D7@NTSVR1...
Yes, but if they don't know they have code red and there machine is
unpatched, I would imagine the admin is some home user that got a cd from
of
nt server and doesn't have a clue how to properly configure and secure
there
box. So for the people that are still infected they have every service
known to man running and probably won't even know what to do to correct
the
situation, once notified! Now because of these morons we can't run a
small
personal web site, since all high speed connections will start to shut
down
incoming port 80. So far mine is still up, but not sure for how much
longer
since my logs have tons of cable users requesting default.ida!
~~
Structure your ColdFusion code with Fusebox. Get the official book at
http://www.fusionauthority.com/bkinfo.cfm
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
Re: Total Fix For Code Red
I tried a few address using net send and they all failed. With a net send you only need the ip address and it will pop-up an alert box on the infected machine, no reverse dns, no guessing admin emails. The only thing is that someone has to look at the screen to see the message. This assumes a couple of things. First, that the target machine is accessible via Windows Networking (NetBIOS over TCP/IP) and second, that the Messenger service is running on the target machine, and finally, that you have rights to connect via Windows Networking and send the message. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ voice: (202) 797-5496 fax: (202) 797-5444 ~~ Structure your ColdFusion code with Fusebox. Get the official book at http://www.fusionauthority.com/bkinfo.cfm FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/ Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
RE: Total Fix For Code Red
Yes, but if they don't know they have code red and there machine is unpatched, I would imagine the admin is some home user that got a cd from of nt server and doesn't have a clue how to properly configure and secure there box. So for the people that are still infected they have every service known to man running and probably won't even know what to do to correct the situation, once notified! Now because of these morons we can't run a small personal web site, since all high speed connections will start to shut down incoming port 80. So far mine is still up, but not sure for how much longer since my logs have tons of cable users requesting default.ida! Syntax : net send xxx.xxx.xxx.xxx some msg here While home users typically haven't patched their computers appropriately, and may be running web and other services without knowing it, there's still a problem with notifying them via net send - to the best of my knowledge, the default Windows 2000 install doesn't accept messages from users unless they've authenticated. My guess is that this is also true in Windows ME. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ voice: (202) 797-5496 fax: (202) 797-5444 ~~ Structure your ColdFusion code with Fusebox. Get the official book at http://www.fusionauthority.com/bkinfo.cfm FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/ Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
RE: Total Fix For Code Red
Net send will only work locally unless someone has opened their world to you and is authenticated there. -paris [finding the future in the past, passing the future in the present] [connecting people, places and things] -Original Message- From: Dave Watts [EMAIL PROTECTED] Date: Mon, 13 Aug 2001 15:26:14 -0400 Subject: RE: Total Fix For Code Red Yes, but if they don't know they have code red and there machine is unpatched, I would imagine the admin is some home user that got a cd from of nt server and doesn't have a clue how to properly configure and secure there box. So for the people that are still infected they have every service known to man running and probably won't even know what to do to correct the situation, once notified! Now because of these morons we can't run a small personal web site, since all high speed connections will start to shut down incoming port 80. So far mine is still up, but not sure for how much longer since my logs have tons of cable users requesting default.ida! Syntax : net send xxx.xxx.xxx.xxx some msg here While home users typically haven't patched their computers appropriately, and may be running web and other services without knowing it, there's still a problem with notifying them via net send - to the best of my knowledge, the default Windows 2000 install doesn't accept messages from users unless they've authenticated. My guess is that this is also true in Windows ME. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ voice: (202) 797-5496 fax: (202) 797-5444 ~~ Structure your ColdFusion code with Fusebox. Get the official book at http://www.fusionauthority.com/bkinfo.cfm FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/ Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
