Drew Taylor writes:
| If you're running mod_perl on a server, someone put together an Apache
| handler to log these accesses and sent email to the MX for the host. I had
| to play with the DNS lookups a little to get things to work properly, but
| it's working fine now. I modified the Code Red analysis script mentioned on
| ./ to show the infected hosts attacking me.
|
| All the above code is at http://home.drewtaylor.com/code_red/

Interesting. One problem is the need for mod_perl and a few modules. Since I noticed these messages, I did write a small default.ida perl script that does much of the job. But I'm also looking at the server log on trillian.mit.edu, which has a lot of CodeRed attacks, and where I don't really have permission (or inclination) to play with mod_perl etc. So I'm probably better off rolling my own. But rest assured I'll steal a few ideas from this code.

One minor problem is the "whois <addr>@whois.arin.netf" suggestion. This works fine on my home linux system, but fails drastically here on trillian, which is a FreeBSD system. I've also got an account on a Solaris system, where whois has a third syntax. I also don't seem to find any documentation on linux's whois command, but I suppose I'll find it eventually. Digging around whois.arin.netf has also turned up a few clues that a more portable approach might work. Or my script will just have to discover what sort of system it's on. (This is actually a troll, based on the classical problem that the answer is an infinite regress, since all known answers are of the form "If you're on a foo system, here's how you find out ..." ;-)

One curious problem: I've dug around in a few search sites and some of the security sites to see if I could find a precise description of the CodeRed symptoms. So far, I've hit a brick wall. Lots and lots of comments on what it does and how it works, but nothing at all that tells me how to detect it. They all seem to think that I'm too stupid to understand that; I shouldn't worry my little head about it; I should just install Microsoft's patch (in my apache server running on linux?) and all will be right with the world.

Meanwhile, I've noticed that sometimes the GET requests include a long string of X's, and other times a long string of N's. Are these two clones of CodeRed? Are other letters also symptomatic of CodeRed? Is this documented somewhere? I wouldn't want to accuse some site of doing a CodeRed attack, when it's actually an unrelated CodeBlue attack, y'know.

- Subscription/unsubscription/info requests: send e-mail with "subscribe", "unsubscribe", or "info" on the first line of the message body to discuss-request at blu.org (Subject line is ignored).
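A detection script of the sort the post above asks for, as an added example: it is not part of the original message and is not the code at Drew Taylor's URL. It parses Apache common-format log lines, flags `GET /default.ida?` requests whose query string is a long run of one filler letter followed by `%uXXXX` escapes, and tells the two fillers apart. The N-is-Code-Red-I / X-is-Code-Red-II mapping comes from the published worm analyses, not from the post; the 100-character minimum run and the sample log lines are constructed for the example.

```python
import re
from collections import Counter


# Apache common log format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/\d\.\d" (?P<status>\d{3}) \S+'
)

# A worm hit is GET /default.ida? followed by a long run of a single filler
# letter (the "long string of X's or N's" from the post) and then a
# %uXXXX-encoded payload. Published worm analyses reported N as the filler
# in Code Red I and X in Code Red II; that mapping is taken from those
# reports and is not stated in the post. The 100-character minimum run is an
# assumption chosen so that a short manual poke at default.ida is not
# reported as a worm (the "unrelated attack" worry from the post).
CODERED_RE = re.compile(
    r'^/default\.ida\?(?P<filler>N{100,}|X{100,})(?P<payload>(?:%u[0-9A-Fa-f]{4})+)'
)
VARIANT_BY_FILLER = {"N": "Code Red I", "X": "Code Red II"}


def classify_request(method, path):
    """Return a worm variant name, 'default.ida probe' for any other request
    to the .ida handler, or None for ordinary traffic."""
    if not path.startswith("/default.ida"):
        return None
    m = CODERED_RE.match(path)
    if method == "GET" and m:
        return VARIANT_BY_FILLER[m.group("filler")[0]]
    return "default.ida probe"


def analyze_log(log_text):
    """Count worm hits per variant and per source IP, keeping non-worm
    default.ida requests separate so nobody is accused on a weak match.
    Returns (variant_counts, attacker_counts, probe_counts, skipped_lines)."""
    variants, attackers, probes = Counter(), Counter(), Counter()
    skipped = 0
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            skipped += 1  # not a format we understand; never guess an IP
            continue
        label = classify_request(m.group("method"), m.group("path"))
        if label is None:
            continue
        if label == "default.ida probe":
            probes[m.group("ip")] += 1
        else:
            variants[label] += 1
            attackers[m.group("ip")] += 1
    return variants, attackers, probes, skipped


# Constructed sample log, not real captured traffic. The %u string is the
# payload widely quoted in Code Red write-ups; the detector only depends on
# the filler run being followed by %u escapes, not on these exact bytes.
WORM_PAYLOAD = ("%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858"
                "%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff"
                "%u0078%u0000%u00=a")


def worm_line(ip, ts, filler):
    """Build one constructed log line in the shape of a worm request."""
    return (f'{ip} - - [{ts}] "GET /default.ida?{filler * 224}{WORM_PAYLOAD} '
            f'HTTP/1.0" 404 279')


SAMPLE_LOG = "\n".join([
    worm_line("192.0.2.10", "19/Jul/2001:10:22:41 -0400", "N"),
    '203.0.113.5 - - [19/Jul/2001:10:23:02 -0400] "GET /index.html HTTP/1.0" 200 1234',
    worm_line("198.51.100.7", "04/Aug/2001:08:05:12 -0400", "X"),
    worm_line("192.0.2.10", "04/Aug/2001:09:10:33 -0400", "N"),
    '203.0.113.99 - - [04/Aug/2001:09:11:00 -0400] "GET /default.ida?XXXXX HTTP/1.0" 404 279',
    "garbage line the parser should skip rather than misattribute",
])

if __name__ == "__main__":
    variants, attackers, probes, skipped = analyze_log(SAMPLE_LOG)
    for name, n in sorted(variants.items()):
        print(f"{name}: {n} hit(s)")
    for ip, n in attackers.most_common():
        print(f"infected host {ip}: {n} hit(s)")
    for ip, n in probes.items():
        print(f"non-worm default.ida request from {ip}: {n}")
    print(f"unparsed lines: {skipped}")
```

To run it over a real file, replace `SAMPLE_LOG` with the contents of the access log; it needs nothing beyond the Python standard library, so it works on the FreeBSD and Solaris hosts mentioned above without mod_perl. The whois lookup is deliberately left out, since the post's point is that its syntax differs per system.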