[Dshield] A php3/4 script for grabbing the details from a CodeRed page call.

Fred Wittekind rom at twister.dyndns.org
Wed Aug 8 16:10:31 GMT 2001


Would it be possible to send back a response to a codered call that would
buffer overflow codered, and crash it?  Since they made the connection to
you, and if you send back a response that meets http standards, you
shouldn't be in the wrong.  Especially if you gauge the buff overflow to
only crash the worm, and not the server.

On Wed, 8 Aug 2001, Robert wrote:

> You'll need to be running php3 or 4 to run this. It simply grabs all the
> details it can from the html stuff that comes in, as well as machine name
> etc. So hopefully you will see where the rubbish is coming from!
>
> I got fed up with these fools so decided to see where they are coming from.
> Robert
>
> Make a text file called 'test.ida' and save the following code to it. Watch
> the <?  thing. You may be using <php and so on.
> ............................................................................
> .....................................................
> <?
> // Step 1:  Add the file type .ida to your http.conf file with the php3 stuff.
> //          AddType application/x-httpd-php .php .html .php4 .php3 .ida
> //          Restart your server.
>
> // Step 2:  Copy this file <test.ida> into your web server root directory and
> //          rename it default.ida
> //          It will create a log file called 'hitlog.txt'
> //          and stuff all the http variables into it that get delivered
> //          and in case someone accidentally grabs the file - give them a warning.
>
> // Step 3:  Keep an eye on the file hitlog.txt. It will grow very large,
> //          very quickly. It may hold useful information - it may not? But - it's a
> //          start.
>
>
> // Append every key/value pair of $var to hitlog.txt,
> // or a marker line when the variable is not set.
> function show_vars(&$var)
> {
>   // Open the log once per call instead of once per variable.
>   $fp = fopen("hitlog.txt", "a");
>   if (isset($var))
>   {
>     while (list($key, $value) = each($var))
>     {
>       fputs($fp, "$$key = $value\n");
>     }
>   }
>   else
>   {
>     fputs($fp, "Variable not set\n");
>   }
>   fclose($fp);
> }
>
> show_vars($GLOBALS);
> show_vars($HTTP_POST_VARS);
> show_vars($HTTP_GET_VARS);
>
> ?>
> <HEAD><TITLE>Server Down</TITLE>
> <link rev="made" href="mailto:postmaster at yourdomain.com">
> </HEAD>
> <BODY>
> <H1>Server Down - Under Attack</H1>
> The server is currently under attack from
> <font color="red"> CodeRed Worm </font>. It may mean the server is out of
> action for some hours.
> We apologize for the inconvenience, but it is completely out of our control.
>  Vandals rule the world unfortunately.
> <HR>
> <ADDRESS>
> <A href="mailto:postmaster at yourdomain.com">postmaster at yourdomain.com</A>
> </ADDRESS>
> </BODY>
>
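
An added example, not part of either message: the same hit logging on current PHP, where `each()` and `$HTTP_GET_VARS`/`$HTTP_POST_VARS` no longer exist. It writes one line per request and escapes control bytes so request data cannot forge extra log entries. `LOG_PATH`, `clean()`, `log_hit()`, the 404 reply and the sample request are assumptions made for this sketch.

```php
<?php
// Added example, not Robert's script. All names below are hypothetical.
const LOG_PATH = '/var/log/ida-hits.log'; // assumption: writable and outside the web root

// Make one request-supplied value safe to store on a single log line.
function clean(string $value, int $max = 256): string
{
    $value = substr($value, 0, $max); // cap size so the log cannot be flooded per hit
    // Escape backslash, control bytes and high bytes (newlines, tabs, escape codes).
    return addcslashes($value, "\0..\37\\\177..\377");
}

// Append one tab-separated line describing the request; returns the line written.
function log_hit(array $server, string $path = LOG_PATH): string
{
    $uri = (string)($server['REQUEST_URI'] ?? '');
    $fields = [
        gmdate('Y-m-d\TH:i:s\Z'),
        clean((string)($server['REMOTE_ADDR'] ?? '-'), 45),
        clean((string)($server['REQUEST_METHOD'] ?? '-'), 16),
        'uri_len=' . strlen($uri),   // full length is kept even though the URI is truncated
        'uri=' . clean($uri),
        'ua=' . clean((string)($server['HTTP_USER_AGENT'] ?? '-')),
    ];
    $line = implode("\t", $fields) . "\n";
    // One locked append per request, so concurrent hits do not interleave.
    file_put_contents($path, $line, FILE_APPEND | LOCK_EX);
    return $line;
}

if (PHP_SAPI !== 'cli') {
    // Served as default.ida: record the hit and answer with a plain 404.
    log_hit($_SERVER);
    http_response_code(404);
    header('Content-Type: text/plain');
    echo "Not found\n";
} else {
    // Constructed sample request, run from the command line for a quick check.
    $sample = [
        'REMOTE_ADDR'     => '192.0.2.10',
        'REQUEST_METHOD'  => 'GET',
        'REQUEST_URI'     => '/default.ida?' . str_repeat('X', 300),
        'HTTP_USER_AGENT' => "probe\r\n2001-08-08T00:00:00Z\t198.51.100.1\tforged",
    ];
    echo log_hit($sample, sys_get_temp_dir() . '/ida-hits.log');
}
```

Run from the command line, the sample prints a single line: the CR, LF and tabs in the constructed User-Agent come out as `\r`, `\n` and `\t` text instead of starting a forged entry.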