Fun with Code Red

Fahrvergnuugen

I am the law!
I'm tired of this damn worm hammering my computer.
So I've decided to try and do something about it.
I wrote a PHP script that is supposed to grab the infected host's IP address and then pass the commands to it to shut it down.

Take a look at the code and see if you find a flaw with it. As far as I can tell, it works like a charm! Let me know if you know of a better way to try and accomplish the same thing.


Check out http://darklotus.dyndns.org/default.ida
 
I have been using something similar to this that I got off of Slashdot. The one minor annoyance is that I really can't tell if it actually worked, other than to see if the number of attacks has died down. I think it's working (only 45 attacks this afternoon!), but it'd sure be nice to have some better confirmation... I might even install PHP just to get that.

-Bruce Adcock
 
I've had hundreds of Code Red attempts every day. Lots from my ISP, too. And my ISP says they have no way of knowing who has what IP, so they can't do anything. I'll give your PHP script a shot; I'd absolutely love to stop this madness.
 
This might sound stupid from an amateur like myself, but how do you know if you've had Code Red attempts without seeing its name in an e-mail? Do you have some type of software? Or is there some notorious subject line?
 
Code Red exploits known holes in Microsoft IIS web servers (or more specifically, the indexing component of IIS). It lodges itself in the web server, and then tries to infect 100 more. It does this by probing random IP addresses with an HTTP request (similar to what a web browser normally sends a web server to get a page - but longer) and if that site is running IIS, it infects it.

As far as I know, it does not spread by e-mail.
 
Code Red does not spread via e-mail. vihung explained it well enough.

You can tell when the worm tries to infect your machine by looking at the HTTP access_log file. Any request for default.ida?XXXX... or default.ida?NNNNN... is a Code Red-infected Winblows server trying to spread itself to you.

This is a Windows NT/2k IIS problem only. All the smart people in the world have nothing to worry about :D
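As an added example (not from this thread or from the linked PHP script), here is a small Python check that reads Apache access_log lines in common log format, flags the default.ida?XXXX... and default.ida?NNNN... requests described above, and tallies them per source IP, which gives the kind of confirmation Bruce was asking for. The log lines are constructed for the example; the 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 addresses are documentation ranges, not real hosts.

```python
import re
from collections import Counter

# Apache common log format: host ident authuser [date] "request" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Code Red probes ask for /default.ida followed by a long run of X (first
# variant) or N (second variant). A plain /default.ida request without the
# padding is not counted, to avoid flagging ordinary 404 noise.
CODE_RED_RE = re.compile(r'^(?:GET|HEAD) /default\.ida\?(?:X{10,}|N{10,})', re.I)


def is_code_red_probe(request: str) -> bool:
    """True if the request line matches the worm's propagation request."""
    return bool(CODE_RED_RE.match(request))


def find_code_red_probes(lines):
    """Return (Counter of probes per source IP, number of unparseable lines)."""
    hits = Counter()
    unparsed = 0
    for line in lines:
        m = CLF_RE.match(line)
        if not m:
            unparsed += 1  # rotated/garbled line; keep going rather than abort
            continue
        if is_code_red_probe(m.group("request")):
            hits[m.group("host")] += 1
    return hits, unparsed


# Constructed sample log: two probes from one host, one from another,
# one legitimate request, one bare /default.ida 404, and one garbled line.
SAMPLE_LOG = [
    '192.0.2.10 - - [04/Aug/2001:15:02:11 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 276',
    '203.0.113.5 - - [04/Aug/2001:15:02:30 -0400] "GET /index.html HTTP/1.1" 200 1234',
    '198.51.100.7 - - [04/Aug/2001:15:03:02 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 276',
    '192.0.2.10 - - [04/Aug/2001:15:03:40 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 276',
    '203.0.113.5 - - [04/Aug/2001:15:04:01 -0400] "GET /default.ida HTTP/1.0" 404 276',
    'this line was truncated by logrotate',
]

if __name__ == "__main__":
    probes, bad = find_code_red_probes(SAMPLE_LOG)
    for host, n in probes.most_common():
        print(f"{host}\t{n} probe(s)")
    print(f"{sum(probes.values())} probes from {len(probes)} hosts; {bad} unparseable line(s)")
```

Run it against a real log with `find_code_red_probes(open("access_log"))`; comparing the totals day to day is a more reliable gauge than eyeballing the raw hit count.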
 
This is so great (if it's doing what it means to do?) ... I have cable service via Time Warner, and over the weekend they on purpose shut down service for an hour .. I found this out from a friend that runs around and installs for TW.. the plan was to get folks to dial tech support ... and when they did... the first thing they heard was "Welcome to Road Runner support... due to the overwhelming effect of the Code Red worm.. we ask that you visit whatever it was.com and download then install the patch.... If you are running Macintosh, Windows 95, 98 and ME... you have nothing to worry about..."

I was lol when I called....and even though I was pissed for an hour... it was a very good idea, on getting folks to call... because the hit rate has dropped since this weekend .... ;)
 
That's a very good idea. The problem is, half the people that have the virus don't even know that they are running a webserver! The other half might know, but don't know they have the worm, or even that it exists. The road runner network is the worst for this.
 
Actually, it's especially annoying on Road Runner because it appears that I'm getting attempted attacks from practically anyone else on Road Runner, anywhere. I randomly checked one of the IPs and it was in Hawaii. I'm in Ohio. That's not cool.

-Bruce Adcock
 