CodeRed notifier

by miyagawa (Chaplain)
#!/usr/local/bin/perl
#
# Notify CodeRed infection to SecurityFocus
# Usage: [-f youraddress] < /path/to/access_log
#
# SEE ALSO:
#
use strict;
use Config;
use Getopt::Std;
use Mail::Sendmail;

getopts('f:', \my %opt);
my $from = $opt{f} || $Config{cf_email};   # sender: -f option, else Perl's configured address
my $to   = '';                             # notification recipient

# first timestamp seen for each probing IP
my %ip2date;
while (<>) {
    next unless m@GET /default\.ida\?[XN]+@;            # Code Red request line
    my($ip, $datetime) = /^(.*?) .*? .*? \[(.*?)\]/;    # common log format: ip - - [date]
    next if $ip2date{$ip};                              # keep only the first hit per IP
    $ip2date{$ip} = $datetime;
}

# one line per infected host, sent as a single mail
my $message = join '', map { "$_ $ip2date{$_}\n" } keys %ip2date;
sendmail(
    To      => $to,
    From    => $from,
    Message => $message,
    Subject => "CodeRed Infection Notification",
);

Tatsuhiko Miyagawa

Re: CodeRed notifier
by jepri (Parson) on Aug 06, 2001 at 02:13 UTC
    A nice modification would be to have it pick out the IP (as you do already), and then mail root@IP, to let them know that their server has been compromised.

    Update: Here is a link to the Real Time Black-hole List, which is a system that 'blacklists' servers that send out lots of spam - spam usually being many messages that are very similar.

    I was joking that my servers would be sending out hundreds of identical messages (effectively spamming SecurityFocus) due to the large number of hits we were getting from code red worms, thus attracting the ire of the recipients, who might report me to RBL to make me stop. I didn't say it was a good joke.

    And not even really a joke since the script only sends one mail each time it's run. Sorry, miyagawa, my bad.

    I didn't believe in evil until I dated it.

      Perhaps doing a lookup of the domain the ip is in, and mailing to administrator@domain, or similar.
      As IIS (which is the only thing Code Red affects) uses administrator as the superuser, it's unlikely root@ would get a valid email. Also, it's unlikely that each box would be running its own mailserver.

      My code sends only one email, with all the ip and datetime bundled. So no spamming :-)

Re: CodeRed notifier
by scottstef (Curate) on Aug 06, 2001 at 18:41 UTC
    Why not send the email to webmaster@domain? Almost every webserver has a webmaster email address rather than root.

    "The social dynamics of the net are a direct consequence of the fact that nobody has yet developed a Remote Strangulation Protocol." -- Larry Wall

      because SecurityFocus will do better than mine, IMHO :-)

      They collect infected IP addresses, so I guess they will drop the duplicates and send the notification in a wiser way, with some authority. Better to avoid double effort, I think.


Re: CodeRed notifier
by Brovnik (Hermit) on Aug 08, 2001 at 18:23 UTC
    Hits on my server are now running at more than 100/day, so I wrote a quick script to report attack statistics here.
Re: CodeRed notifier
by cajun (Chaplain) on Aug 07, 2001 at 11:24 UTC
    I'm not having much success getting this to work properly.

    I got no matches at all with miyagawa's original line:

    next unless m@GET /default\.ida\?[XN]+@;

    After I changed this to:

    next unless m@GET /default\.ida ?[XN]+@;

    I get matches.

    I set $to to my email address for testing purposes. Each time I run the script, I get a blank message (no body). $message isn't getting set up properly. If I turn on warnings, I get lots of "Use of uninitialized value in hash element..."
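A standalone version of the same log-scanning logic, added here as an example rather than miyagawa's or cajun's code: it keeps the literal `\?` match, records only the first hit per client, and counts and skips lines that lack the common-log-format fields instead of leaving $ip and $datetime undefined (one way to get exactly the "uninitialized value in hash element" warnings reported above). The log lines are constructed for the example.

```perl
#!/usr/bin/perl
# Added example, not miyagawa's script: collect the first-seen time of each
# client that sent a Code Red probe, from Apache common/combined log lines.
# Lines whose IP or timestamp cannot be extracted are counted and skipped
# rather than producing undef hash keys ("uninitialized value" warnings).
use strict;
use warnings;

# ip, two dash fields, [timestamp], then the Code Red request line:
# GET /default.ida?NNNN... (Code Red I) or XXXX... (Code Red II)
my $CODERED_RE = qr{^(\S+) \S+ \S+ \[([^\]]+)\] "GET /default\.ida\?[XN]+};

# Returns (hash ref of ip => earliest timestamp, number of skipped lines).
sub first_seen_per_ip {
    my @lines   = @_;
    my %ip2date;
    my $skipped = 0;
    for my $line (@lines) {
        next unless $line =~ m{/default\.ida\?};      # cheap prefilter
        if ($line =~ $CODERED_RE) {
            my ($ip, $datetime) = ($1, $2);
            $ip2date{$ip} = $datetime unless exists $ip2date{$ip};
        } else {
            $skipped++;                                # probe seen, but no CLF fields
        }
    }
    return (\%ip2date, $skipped);
}

# One line per infected host, sorted so repeated runs produce stable reports.
sub report_body {
    my ($ip2date) = @_;
    return join '', map { "$_ $ip2date->{$_}\n" } sort keys %$ip2date;
}

# Constructed sample log lines (documentation address ranges, not real hits).
my @sample = (
    '192.0.2.10 - - [06/Aug/2001:01:02:03 +0000] "GET /default.ida?NNNNNNNN%u9090 HTTP/1.0" 200 -',
    '192.0.2.10 - - [06/Aug/2001:01:05:00 +0000] "GET /default.ida?NNNN HTTP/1.0" 200 -',
    '198.51.100.7 - - [06/Aug/2001:02:00:00 +0000] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 -',
    '203.0.113.5 - - [06/Aug/2001:03:00:00 +0000] "GET /index.html HTTP/1.0" 200 1234',
    'proxy log fragment: /default.ida?XXXX with no client or timestamp',
);

unless (caller) {
    my ($seen, $skipped) = first_seen_per_ip(@sample);
    print report_body($seen);
    print "skipped $skipped line(s) with a probe but no parseable fields\n";
}
```

Run on the constructed sample it reports 192.0.2.10 and 198.51.100.7 once each, with their earliest timestamps, and one skipped line; the report body is what would go into the Message field of the original script's sendmail call.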

