[Dshield] A php3/4 script for grabbing the details from a CodeRed page call.

Robert robert at chalmers.com.au
Wed Aug 8 10:38:07 GMT 2001


You'll need to be running php3 or 4 to run this. It simply grabs all the
details it can from the html stuff that comes in, as well as machine name
etc. So hopefully you will see where the rubbish is coming from!

I got fed up with these fools so decided to see where they are coming from.
Robert

Make a text file called 'test.ida' and save the following code to it. Watch
the <?  thing. You may be using <?php and so on.
............................................................................
.....................................................
<?
// Step 1:  Add the file type .ida to your httpd.conf file with the php3 stuff.
//          AddType application/x-httpd-php .php .html .php4 .php3 .ida
//          Restart your server.

// Step 2:  Copy this file <test.ida> into your web server root directory and
//          rename it default.ida
//          It will create a log file called 'hitlog.txt'
//          and stuff all the http variables into it that get delivered
//          and in case someone accidentally grabs the file - give them a
//          warning.

// Step 3:  Keep an eye on the file hitlog.txt. It will grow very large,
//          very quickly. It may hold useful information - it may not?
//          But - it's a start.

// Append every key/value pair of the given array to hitlog.txt.
// each() and the $HTTP_*_VARS arrays are the PHP 3/4 idiom; on later PHP
// versions use foreach with $_POST / $_GET instead.
function show_vars(&$var)
{
  $fp = fopen("hitlog.txt", "a");
  if (isset($var))
  {
    while (list($key, $value) = each($var))
    {
      // "$$key" writes a literal '$' followed by the variable name
      fputs($fp, "$$key = $value\n");
    }
  }
  else
  {
    fputs($fp, "Variable not set\n");
  }
  fclose($fp);
}

show_vars($GLOBALS);
show_vars($HTTP_POST_VARS);
show_vars($HTTP_GET_VARS);

?>
<HEAD><TITLE>Server Down</TITLE>
<link rev="made" href="mailto:postmaster@yourdomain.com">
</HEAD>
<BODY>
<H1>Server Down - Under Attack</H1>
The server is currently under attack from
<font color="red"> CodeRed Worm </font>. It may mean the server is out of
action for some hours.
We apologize for the inconvenience, but it is completely out of our control.
 Vandals rule the world unfortunately.
<HR>
<ADDRESS>
<A href="mailto:postmaster@yourdomain.com">postmaster@yourdomain.com</A>
</ADDRESS>
</BODY>
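
The script above writes every global, unescaped, into a hitlog.txt that sits in the web root next to default.ida. The following is an added example, not part of the original post: a hardened variant of the same trap that logs one escaped line per hit to a file outside the document root. It assumes PHP 7 or later; the log path and the trap_* names are hypothetical.

```php
<?php
// Added example, not from the original post: hardened default.ida trap.
// Assumptions: PHP 7 or later; TRAP_LOG is a hypothetical path outside the
// document root that the web server user may append to.
const TRAP_LOG = '/var/log/ida-trap/hits.log';

// Only these request fields are logged; the rest of the environment stays out.
const TRAP_FIELDS = ['REMOTE_ADDR', 'REQUEST_METHOD', 'REQUEST_URI', 'HTTP_HOST', 'HTTP_USER_AGENT'];

// Make one value safe for a single-line log: escape control bytes, quotes and
// backslashes, and cap the length (worm requests carry very long query strings).
function trap_clean(string $value, int $max = 512): string
{
    $truncated = strlen($value) > $max;
    $value = addcslashes(substr($value, 0, $max), "\0..\37\177..\377\"\\");
    return $truncated ? $value . '...[truncated]' : $value;
}

// Build one log line for a request described by a $_SERVER-style array.
function trap_line(array $server, int $now): string
{
    $parts = [gmdate('Y-m-d\TH:i:s\Z', $now)];
    foreach (TRAP_FIELDS as $field) {
        $raw = isset($server[$field]) ? (string) $server[$field] : '-';
        $parts[] = $field . '="' . trap_clean($raw) . '"';
    }
    return implode(' ', $parts) . "\n";
}

// Append under an exclusive lock so concurrent hits do not interleave.
function trap_log(array $server): bool
{
    return file_put_contents(TRAP_LOG, trap_line($server, time()), FILE_APPEND | LOCK_EX) !== false;
}

if (PHP_SAPI !== 'cli') {
    trap_log($_SERVER); // the static warning page can follow the closing tag
} else {
    // Constructed sample request (documentation address, control bytes in a header).
    echo trap_line([
        'REMOTE_ADDR' => '192.0.2.10',
        'REQUEST_METHOD' => 'GET',
        'HTTP_USER_AGENT' => "x\"\r\ny",
    ], 0);
}
```

Run from the command line, the block prints the line it would log for the constructed request, with the quote and the CR/LF escaped so the record stays on one line.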




