Re: [OT] New Micro$oft vulnerability?
Jeremy Howard writes:

Jeremy> Any suggestions on how we should respond? Update
Jeremy> Apache::CodeRed to recognise the new signature, and send an
Jeremy> appropriate message to postmaster and webmaster with an
Jeremy> updated URL to point to?

Rosh Hashana just ended here in Israel, and I just checked my e-mail -- including over 3500 messages from my poor Apache server, which was obviously attacked quite a bit by this Nimda worm.

Once I understand what's happening, I expect to update Apache::CodeRed and distribute a new version. Indeed, several people sent me suggestions and patches, so this should appear on CPAN sooner rather than later.

Jeremy> Reuven--are you planning on submitting an updated version to
Jeremy> CPAN for this worm? With the same name?

I haven't yet read through all of my e-mail, let alone all of the e-mail to the modperl list, so we'll see just what I do...

Reuven
Re: How do I STOP Apache::CodeRed sending me messages
Tatsuhiko Miyagawa writes:

Miyagawa> Configuration variables for Apache::CodeRed seem to be
Miyagawa> hardwired in CodeRed.pm itself. Reuven, why not kick out
Miyagawa> these variables as those defined by PerlSetVar in
Miyagawa> http.conf file?

Sorry, but I was away at a family retreat since Sunday morning, and haven't had a chance to deal with Apache::CodeRed and other such things.

I'm hoping to tinker a bit with Apache::CodeRed in the next day or so, including changing the configuration a bit (so that you don't have to mess with the code directly to set e-mail addresses). However, the idea of being able to override the hard-coded settings with PerlSetVar is an excellent one, and I'll include that...

Reuven
Re: module to hit back at default.ida attack ?
Angel R Rivera writes:

Angel> how about a way to tell it not to report an ip?? i just
Angel> reported on myself. :)

That feature is in the latest version (1.07), thanks to David Young.

DeWitt> So *that's* why Reuven has CodeRed.pm CC him on the warning
DeWitt> emails.
DeWitt> And I thought he was just nuts. ;)

I am nuts -- but in this particular case, I was just naive and foolish to think that people would change the $cc_address variable at the top of the program. So I've been flooded by a ridiculous number of e-mail messages from people who didn't change that variable.

Version 1.08, which I hope to put out tonight or tomorrow, will improve the configuration a bit, and will also improve on the documentation.

Reuven
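The three requests in this thread (recognising the Nimda probes alongside Code Red's /default.ida, taking settings from PerlSetVar instead of variables at the top of CodeRed.pm, and not reporting on your own address) fit together in one small mod_perl 1.x handler; the following is an added illustration, not Reuven's module or a patch to it. The package name Apache::WormReport, the PerlSetVar keys and hooking it in as a PerlInitHandler are assumptions; the signatures are the widely published Code Red and Nimda request paths, used here purely to classify and refuse incoming probes.

```perl
package Apache::WormReport;   # hypothetical name; not the CPAN Apache::CodeRed
use strict;
use warnings;
use Apache::Constants qw(FORBIDDEN DECLINED);   # mod_perl 1.x API

# httpd.conf (assumed directive names):
#   PerlSetVar CodeRedCC        postmaster@example.com
#   PerlSetVar CodeRedIgnoreIPs 127.0.0.1, 192.0.2.10
#   PerlInitHandler Apache::WormReport

# Paths the two worms probe for: Code Red hits /default.ida, Nimda looks
# for the root.exe backdoor and for cmd.exe via directory traversal.
my %SIGNATURES = (
    CodeRed => qr{^/default\.ida}i,
    Nimda   => qr{/(?:root|cmd)\.exe}i,
);

# Name the worm a request URI looks like, or return undef for normal traffic.
sub classify {
    my ($uri) = @_;
    for my $worm (sort keys %SIGNATURES) {
        return $worm if $uri =~ $SIGNATURES{$worm};
    }
    return;
}

# Settings come from PerlSetVar rather than from editing the module; an
# unset CC means nobody gets copied, so no flood to the module's author.
sub settings {
    my ($r) = @_;
    my $ignore = $r->dir_config('CodeRedIgnoreIPs') || '';
    return (
        cc     => $r->dir_config('CodeRedCC') || '',
        ignore => { map { $_ => 1 } split /\s*,\s*/, $ignore },
    );
}

sub handler {
    my ($r) = @_;
    my $worm = classify($r->uri) or return DECLINED;   # not a probe: let Apache carry on
    my %cfg  = settings($r);
    my $ip   = $r->connection->remote_ip;

    # Don't report on yourself (or on hosts you administer).
    if ($cfg{ignore}{$ip}) {
        $r->log_error("$worm probe from $ip ignored (listed in CodeRedIgnoreIPs)");
        return FORBIDDEN;
    }
    $r->log_error("$worm probe from $ip for " . $r->uri
                  . ($cfg{cc} ? "; report CC goes to $cfg{cc}" : "; no CC configured"));
    $r->notes('worm', $worm);   # lets a later phase (e.g. the mailing code) read the verdict
    return FORBIDDEN;
}

1;
```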
Revised CodeRed.pm
I've modified CodeRed.pm again, such that it now (a) writes better log messages and (b) sends an automatic message to the SecurityFocus team, in the format that they specified.

Rather than blast the source code across this mailing list repeatedly, I've put it up at http://reuven.lerner.co.il/projects/CodeRed.pm.

I expect to write some POD, rewrite a bunch of the comments, re-indent the source a bit, and other such fun things. But for the most part, it appears to work.

Thanks for the feedback that I've received so far!

Reuven
Re: Revised CodeRed.pm - Wish List
Daniel Aldham writes:

Daniel> Could the code be added to, to add a GET /scripts.root.exe
Daniel> and then generate a pop-up screen on the infected host
Daniel> warning the owner/administrator. And then maybe shutdown IIS
Daniel> CodeRed?

Yes, I'm sure that we *could* add code to CodeRed.pm that does everything you suggest, and more. But I think that it would be a really bad idea. Even if your intentions are pure, the authorities won't look kindly on attempts to run administrative tasks on someone else's computer.

And besides, what happens if something goes wrong? (Sorry, we were just trying to help; we didn't mean to reboot your system while you were synchronizing databases.)

Reuven
Revised CodeRed.pm
    # (fragment: the loop walks up the remote hostname, dropping one leading
    # label at a time, until a domain with MX records is found)
    ) {
        my $host_for_mx_lookup = join '.', @hostname_components[$starting_index .. $#hostname_components];
        @mx = mx($res, $host_for_mx_lookup);
        if (@mx) {
            last;
        } else {
            $starting_index++;
        }
    }

    # If we still haven't found any records, then simply return FORBIDDEN,
    # and log an error message
    if (! @mx) {
        $r->log_error("No MX records for '$remote_hostname': ", $res->errorstring);
        return FORBIDDEN;
    }

    # Grab the first MX record, and assume that it'll work.
    my $mx_host = $mx[0]->exchange;
    $r->log_error("CodeRed: Using MX host '$mx_host'");

    # Send e-mail to the webmaster, postmaster, and administrator,
    # since the webmaster and/or postmaster addresses often don't work.
    my $remote_webmaster_address = "webmaster\@$mx_host, postmaster\@$mx_host, administrator\@$mx_host";

    # Set the outgoing message
    my $outgoing_message = <<END;
Your Microsoft IIS server (at $remote_ip_address) appears to have been infected with a strain of the CodeRed worm. It attempted to spread to our Web server, despite the fact that we run Linux and Apache (which are immune).

You should immediately download the security patch from Microsoft, from $security_url.

This message was generated automatically by CodeRed.pm for mod_perl and Apache, written by Reuven M. Lerner ([EMAIL PROTECTED]).
END

    $r->log_error("CodeRed: Sending e-mail to '$remote_webmaster_address'");

    my %mail = (
        To      => $remote_webmaster_address,
        CC      => $cc_address,
        From    => '[EMAIL PROTECTED]',
        Subject => 'CodeRed infection',
        Message => $outgoing_message,
    );

    my $sendmail_success = sendmail(%mail);

    if ($sendmail_success) {
        # Cache the fact that we saw this IP address
        $file_cache->set($remote_ip_address, 1);
        return FORBIDDEN;
    } else {
        $r->log_error("CodeRed: Mail::Sendmail returned '$Mail::Sendmail::error'");
        return DECLINED;
    }
}

# All modules must return a true value
1;