RE: [PHP] Code Red Catcher

2001-09-10 Thread Mattias Segerdahl

Hey,

Don't bitch about my grammar, I was in a hurry when writing this
script...

Bad2da / efnet #php

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
Sent: den 10 september 2001 17:50
To: [EMAIL PROTECTED]
Subject: [PHP] Code Red Catcher


[PHP] Code Red Catcher

2001-09-10 Thread billfarr

Hi again, Everyone:

I didn't expect such a response so quickly.  With your indulgence, I'll
quote the code in this message.  I just found out that Outlook (which is
what I'm forced to use at Volvo) won't attach .ida files and I *think* this
list strips attachments in any case.

I don't remember offhand who put the link on this list for the original
code.  Most of it I didn't write, but have done some heavy carving and
additions in spots.  The IP-to-ISP lookup misses entirely about 2% of the
time and needs a tiny bit better parsing to determine the "best" of several
provided email addresses for the ISP.  I just haven't got that far yet :-)
But the script works as intended, unattended.  BTW, do remember to insert
the AddType directive (near the top of the script in the propaganda) into
your Apache config and reload Apache else the script won't activate.

Be ready for your mailbox to fill.  Personally, I had to turn off CC'ing
myself on every complaint it generated, but I do check all the logs (syslog
and the Apache logs) several times a day and I do keep a running count in a
database for offline processing.

I'd appreciate any modifications or bug-fixes.  I'm not a spit-hot PHP
programmer YET, but maybe someday when I grow up with all of your help.  I
really appreciate the education and encouragement that is freely handed out
over this list.  THIS is more like a community of folks actually doing GOOD
things than any other list to which I've subscribed.

Best regards,
Bill

file: default.ida

http://www.microsoft.com/technet/security/bulletin/MS01-033.asp\n\n";

  $message .= "For more information on this situation, \n";
  $message .= "point your browser here:\n";
  $message .= "http://www.microsoft.com/technet/security/bulletin/MS01-033.asp\n";
  $message .= "http://news.excite.com/news/ap/010805/20/code-red\n";
  $message .= "http://news.cnet.com/news/0-1003-201-6625599-0.html\n";
  $message .= "If you are running this Operating System, Microsoft suggests that \n";
  $message .= "you obtain and run the patch as soon as possible:\n";
  $message .= "For Windows NT:\n";
  $message .= "http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30833\n";
  $message .= "For Windows 2000:\n";
  $message .= "http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30800\n";

  $message .= "Because of the importance of this threat, ";
  $message .= "this alert is being made jointly by: \n";
  $message .= "Microsoft \n";
  $message .= "The National Infrastructure Protection Center \n";
  $message .= "Federal Computer Incident Response Center (FedCIRC) \n";
  $message .= "Information Technology Association of America (ITAA) \n";
  $message .= "CERT Coordination Center \n";
  $message .= "SANS Institute \n";
  $message .= "Internet Security Systems \n";
  $message .= "Internet Security Alliance \n";

  $headers .= "From: $name <$from>\n";
  $headers .= "Reply-To: Administrator <[EMAIL PROTECTED]>\n";
  $headers .= "X-Mailer: PHP\n"; // mailer
  $headers .= "X-Priority: 1\n"; // Urgent message!
  $headers .= "Return-Path: Administrator <[EMAIL PROTECTED]>\n"; // Return path for errors

$GotResponse = false;

// jwwf - major patching to accommodate multiple authority lookups

// ARIN makes a messy output.  To get what we want we have to requery using the NIC
// handle to get the email address for the contact.  First, replace this skimpy output
// with the output that has the required data in it

foreach ( $Authorities as $Authority ) {
    if ( $GotResponse ) { break; }
    $RespondingAuthority = $Authority;
    // exec() appends to an existing array, so clear the previous authority's answer first
    unset( $WholeResponse );
    // $ip is the probing address set earlier in the script; quote it so the shell
    // never interprets anything in it
    @exec( "/usr/bin/whois " . escapeshellarg( "$ip@$Authority" ), $WholeResponse, $status );
    $UWholeResponse = strtoupper( join( " ", $WholeResponse ) );
    if ( ( strpos( $UWholeResponse, "NO ENTRIES" ) === false ) &&
         ( strpos( $UWholeResponse, "NO MATCH" ) === false ) ) {
        $GotResponse = true;
        $Keepgoing = true;
        foreach ( $WholeResponse as $Line ) {
            if ( ( $Authority == "whois.arin.net" ) && ( $Keepgoing ) ) {
                // Pull the NIC handle out of "Name (HANDLE)" and requery ARIN with it
                $StartPos  = strpos( $Line, chr(40) );   // "("
                $RightSide = strpos( $Line, chr(41) );   // ")"
                if ( ( $StartPos !== false ) && ( $RightSide !== false ) && ( $RightSide > $StartPos ) ) {
                    $StartPos++;
                    $Query  = substr( $Line, $StartPos, $RightSide - $StartPos );
                    $Query .= "@whois.arin.net";
                    unset( $WholeResponse );
                    // The handle came out of whois output we do not control, so it
                    // is quoted before it reaches the shell
                    @exec( "/usr/bin/whois " . escapeshellarg( "!$Query" ), $WholeResponse, $status );
                    $Keepgoing = false;
                    break;
                }
            }
        }
    }
}

// APNIC and RIPE pr

RE: [PHP] Code Red Catcher

2001-09-10 Thread Mattias Segerdahl

Why invent the wheel twice? This has been around since the first day
Code Red was discovered. See code-red.php


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
Sent: den 10 september 2001 16:22
To: [EMAIL PROTECTED]
Subject: [PHP] Code Red Catcher



http://www.microsoft.com/technet/security/bulletin/MS01-033.asp\n\n";

  $message .= "Because of the importance of this threat, ";
  $message .= "this alert is being made jointly by: \n";
  $message .= "Microsoft \n";
  $message .= "The National Infrastructure Protection Center \n";
  $message .= "Federal Computer Incident Response Center (FedCIRC) \n";
  $message .= "Information Technology Association of America (ITAA) \n";
  $message .= "CERT Coordination Center \n";
  $message .= "SANS Institute \n";
  $message .= "Internet Security Systems \n";
  $message .= "Internet Security Alliance \n";

  $headers .= "From: $name <$from>\n";
  $headers .= "X-Mailer: PHP\n"; // mailer
  $headers .= "X-Priority: 1\n"; // Urgent message!
  $headers .= "Return-Path: <$from>\n";  // Return path for errors

  /* Get a whois output from whois.ripe.net.  The list archive redacted the
     query argument as if it were an e-mail address; $host, the probing
     address logged below, is assumed to be the variable it held.  It is
     shell-quoted so nothing in it can be interpreted by the shell. */
  @exec("/usr/bin/whois " . escapeshellarg("$host@whois.ripe.net"), $whois, $status);

  /* Parse the email addresses from the output */
  $abuse = array();
  $notabuse = array();
  foreach ($whois as $value)
  {
    if (strstr($value, "abuse@"))
    {
      $email = strstr($value, "abuse@");
      $email = chop(trim($email));
      $abuse[] = $email;
    }
    elseif (substr($value, 0, 6) == "e-mail" || substr($value, 0, 6) == "notify")
    {
      $email = strstr($value, " ");
      $email = chop(trim($email));
      $notabuse[] = $email;
    }
  }

  if ($logt == "file")
  {
    $fp = fopen($path . "/code-red_ips.txt", "a+");
  }
  elseif ($logt == "syslog")
  {
    /* define_syslog_variables() is not needed for the LOG_* constants and no
       longer exists in current PHP, so it is left out */
    openlog("httpd", LOG_PERROR, LOG_DAEMON);
  }

  /* Email the offender: abuse@ contacts first, e-mail:/notify: contacts only
     as a fallback when no abuse address was found */
  $recipients = !empty($abuse) ? $abuse : $notabuse;
  foreach ($recipients as $var)
  {
    mail($var, $subject, $message, $headers);
    if ($logt == "file")
    {
      fputs($fp, "$host " . date("r") . " - Email sent to $var\n");
    }
    elseif ($logt == "syslog")
    {
      syslog(LOG_WARNING, "Code red from $host email sent to $var");
    }
  }
  if (empty($recipients))
  {
    /* The original wrote to $fp here regardless of $logt, which fails when
       logging to syslog because $fp was never opened */
    if ($logt == "file")
    {
      fputs($fp, "$host " . date("r") . " - Email not sent!\n");
    }
    elseif ($logt == "syslog")
    {
      syslog(LOG_WARNING, "Code red from $host - no contact address, email not sent");
    }
  }

  if ($logt == "file")
  {
    fclose($fp);
  }
  elseif ($logt == "syslog")
  {
    closelog();
  }

?>


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
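Both default.ida and code-red.php hand data they do not control (the probing address, and in default.ida the NIC handle read back out of ARIN's answer) to /usr/bin/whois through exec(). The following is an added example, not code from either script or from Bill or Mattias, showing that whois step with both inputs validated and shell-quoted, plus the abuse@-first contact ranking code-red.php uses. It assumes PHP 7.1 or later and the /usr/bin/whois path from the page; the function names are the example's own.

```php
<?php
// Added example, not code from either script on this page: the whois step both
// scripts share, with the two untrusted inputs (the probing IP, and the NIC
// handle read out of ARIN's answer) validated and quoted before exec().
// Run whois only for a literal IP or a "!HANDLE" re-query, always quoted.
function whois_query(string $query, string $authority): array
{
    $isIp     = filter_var($query, FILTER_VALIDATE_IP) !== false;
    $isHandle = preg_match('/^![A-Z0-9-]{1,32}$/', $query) === 1;
    if (!$isIp && !$isHandle) {
        return [];                        // anything else never reaches the shell
    }
    $out = [];
    @exec('/usr/bin/whois ' . escapeshellarg("$query@$authority"), $out);
    return $out;
}

// ARIN's short answer names the contact only by a parenthesised NIC handle;
// return it in the "!HANDLE" form default.ida re-queries with, or null.
function arin_handle(array $lines): ?string
{
    foreach ($lines as $line) {
        if (preg_match('/\(([A-Z0-9-]+)\)/', $line, $m)) {
            return '!' . $m[1];
        }
    }
    return null;
}

// Rank contacts as code-red.php does: an abuse@ mailbox anywhere in the answer
// wins; e-mail:/notify: attributes are kept only as a fallback.
function pick_abuse_contact(array $lines): ?string
{
    $abuse = $other = [];
    foreach ($lines as $line) {
        if (preg_match('/\b(abuse@[\w.-]+)/i', $line, $m)) {
            $abuse[] = strtolower($m[1]);
        } elseif (preg_match('/^\s*(e-mail|notify):\s*([\w.+-]+@[\w.-]+)/i', $line, $m)) {
            $other[] = strtolower($m[2]);
        }
    }
    return $abuse[0] ?? $other[0] ?? null;
}

// Constructed sample answers, not real registry output.
$ripe = ['inetnum:  192.0.2.0 - 192.0.2.255', 'notify:   noc@example.net',
         'remarks:  report abuse to abuse@example.net'];
$arin = ['Example Networks (EXAMPL-1)   192.0.2.0 - 192.0.2.255'];
echo pick_abuse_contact($ripe), "\n";                                // abuse@example.net
echo arin_handle($arin), "\n";                                       // !EXAMPL-1
echo count(whois_query('192.0.2.1 extra', 'whois.arin.net')), "\n";  // 0: rejected, no exec()
```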


Re: [PHP] Code Red Catcher

2001-09-10 Thread Christopher CM Allen

B-,

I get 4-5 new IPs daily on each of my machines. It's ridiculous and I have
given up trying to notify each of these machines that they have a problem.

-ccma




[PHP] Code Red Catcher

2001-09-10 Thread billfarr

Hi All!
 
I had to unsubscribe for a little while due to the volume but did want to
follow up on the Code Red catcher script.  Anyone wanting a new copy of the
script, please email me directly.  I made a gob of changes to the original
code, slimming it down some and improving the lookups just a bit.
 
What I DIDN'T expect was the reporting of over 100 Code Red attack reports
per day.  My word!!  Obviously, the problem is STILL ongoing and far worse
than has been reported in the news.
 
Mind you, I run a teeny-tiny, no-great-shakes, niche-ISP business.  We're
hardly mentioned in search engines and due to the type of data mining and
collation we do, we're also hardly interesting.  This leads me to believe
that Code Red is still rampant and hungrily devouring as much of the 'net's
bandwidth as it can grab from as many locations as it can.  Those large
ISPs serving millions of hits a day (as opposed to our meager 20 million a
month) must be suffering!
 
Never have I been so grateful for Linux, Apache, and PHP.  Having a little
door-guard watching the fort written in a language all-but immune to the
attacks has certainly opened my eyes and made me aware that even still, many
people on the net are completely irresponsible about their updates and their
security.
 
I won't lay the blame entirely at Microsoft for leaving such inexcusably
wide holes in products destined for interaction with the Web, but I'll
certainly lay a good bit of it on those who insist on using M$ software,
putting it directly on the net with no firewall and no updates.  Putting the
PHP Code Red detector script online has really shown me how bad the problem
really is...and STILL is!
 
Bottom line, Hooray for PHP and Hooray for Apache... what a great
combination!
 
Best regards,
 
Bill