[Dshield] A php3/4 script for grabbing the details from a CodeRed page call.

Robert robert at chalmers.com.au
Wed Aug 8 21:17:28 GMT 2001


Not too sure.
The code red message type is text/xml and most, but not all of the machines
sending the requests seem to be unresolvable.

I'd be much more interested in a piece of software that stopped calls
containing the code at the port, rather than once in the machine...

Robert

----- Original Message -----
From: "Fred Wittekind" <rom at twister.dyndns.org>
To: <dshield at dshield.org>
Sent: Thursday, August 09, 2001 2:10 AM
Subject: Re: [Dshield] A php3/4 script for grabbing the details from a CodeRed page call.


> Would it be possible to send back a response to a codered call that would
> buffer overflow codered, and crash it?  Since they made the connection to
> you, and if you send back a response that meets http standards, you
> shouldn't be in the wrong.  Especially if you gauge the buffer overflow to
> only crash the worm, and not the server.
>
> On Wed, 8 Aug 2001, Robert wrote:
>
> > You'll need to be running php3 or 4 to run this. It simply grabs all the
> > details it can from the html stuff that comes in, as well as machine name
> > etc. So hopefully you will see where the rubbish is coming from!
> >
> > I got fed up with these fools so decided to see where they are coming from.
> > Robert
> >
> > Make a text file called 'test.ida' and save the following code to it. Watch
> > the <? tag. You may be using <?php and so on.
> >
> > ............................................................................
> > <?
> > // Step 1:  Add the file type .ida to your httpd.conf file with the php3
> > //          stuff:
> > //          AddType application/x-httpd-php .php .html .php4 .php3 .ida
> > //          Restart your server.
> >
> > // Step 2:  Copy this file <test.ida> into your web server root directory
> > //          and rename it default.ida
> > //          It will create a log file called 'hitlog.txt'
> > //          and stuff all the http variables into it that get delivered,
> > //          and in case someone accidentally grabs the file, give them a
> > //          warning.
> > //          Note: hitlog.txt sits in the document root, so it is readable
> > //          over the web as well; point $logfile outside the root if that
> > //          matters to you.
> >
> > // Step 3:  Keep an eye on the file hitlog.txt. It will grow very large,
> > //          very quickly. It may hold useful information - it may not. But
> > //          it's a start.
> >
> > $logfile = "hitlog.txt";
> >
> > // Open the log once per hit, in append mode, and close it at the end
> > // (the original opened and closed it again for every single variable).
> > $fp = fopen($logfile, "a");
> >
> > // Mark each hit with a timestamp and the caller's address so the
> > // entries belonging to one request stay together in the file.
> > fputs($fp, "---- " . date("Y-m-d H:i:s") . " from " .
> >            getenv("REMOTE_ADDR") . "\n");
> >
> > // Write every key/value pair of an array to the open log handle.
> > // Nested arrays are flattened to a comma-separated list instead of
> > // being written out as the word "Array".
> > function show_vars(&$var, $fp)
> > {
> >   if (isset($var) && is_array($var))
> >   {
> >     reset($var);
> >     while (list($key, $value) = each($var))
> >     {
> >       if (is_array($value))
> >       {
> >         $value = join(", ", $value);
> >       }
> >       fputs($fp, "$$key = $value\n");
> >     }
> >   }
> >   else
> >   {
> >     fputs($fp, "Variable not set\n");
> >   }
> > }
> >
> > show_vars($GLOBALS, $fp);
> > show_vars($HTTP_POST_VARS, $fp);
> > show_vars($HTTP_GET_VARS, $fp);
> >
> > fclose($fp);
> > ?>
> > <HTML>
> > <HEAD><TITLE>Server Down</TITLE>
> > <link rev="made" href="mailto:postmaster at yourdomain.com">
> > </HEAD>
> > <BODY>
> > <H1>Server Down - Under Attack</H1>
> > The server is currently under attack from
> > <font color="red"> CodeRed Worm </font>. It may mean the server is out of
> > action for some hours.
> > We apologize for the inconvenience, but it is completely out of our control.
> > Vandals rule the world unfortunately.
> > <HR>
> > <ADDRESS>
> > <A href="mailto:postmaster at yourdomain.com">postmaster at yourdomain.com</A>
> > </ADDRESS>
> > </BODY>
> > </HTML>
> >
> >
> > _______________________________________________
> > Dshield mailing list
> > Dshield at dshield.org
> > To change your subscription options (or unsubscribe), see:
> > http://www1.dshield.org/mailman/listinfo/dshield
> >
>
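Added example, not part of Robert's script or of anything else posted in this thread. The PHP page above only records whatever the interpreter is handed once the request has already been parsed by the web server. The complementary job, and closer to what Robert says he would rather have, is picking the Code Red requests out before or after the fact from the request line itself; the script below does that over Apache common/combined access-log lines. It assumes the published Code Red request shape (GET /default.ida? followed by a long run of 'N' for Code Red or 'X' for Code Red II, then %u-encoded bytes). The filler threshold, the label names and the sample log lines are all constructed for this example, and the %u tail in the samples is an abbreviated stand-in, not the worm's full payload.

```python
"""Pick Code Red probes out of web-server access logs.

Added example, not from the original thread. Assumes Apache common/combined
log lines and the published Code Red request shape:
  GET /default.ida?NNNN...N%u9090...   (Code Red)
  GET /default.ida?XXXX...X%u9090...   (Code Red II)
The filler threshold, labels and sample lines below are constructed.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# host ident user [time] "method target proto" status  (Apache common prefix)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d" (?P<status>\d{3})'
)

IDA_PATH = "/default.ida"
# The worms sent 224 filler characters; 100 is an assumed, deliberately
# generous floor so that truncated log lines are still caught.
FILLER_MIN = 100
N_FILL = re.compile(r"^N{%d,}" % FILLER_MIN)
X_FILL = re.compile(r"^X{%d,}" % FILLER_MIN)


def classify_request(target):
    """Return 'codered', 'codered2', 'ida-probe' or None for a request target.

    'ida-probe' means the .ida mapping was hit but the query does not look
    like either worm; still worth a look (scanners, copycats, typos).
    """
    parts = urlsplit(target)
    if parts.path.lower() != IDA_PATH:
        return None
    query = parts.query
    if N_FILL.match(query) and "%u" in query:
        return "codered"
    if X_FILL.match(query) and "%u" in query:
        return "codered2"
    return "ida-probe"


def parse_line(line):
    """Split one access-log line into fields plus a 'label'; None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["label"] = classify_request(rec["target"])
    return rec


def summarize(lines):
    """Count hits per (source IP, label), skipping lines that are not .ida hits."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["label"]:
            counts[(rec["ip"], rec["label"])] += 1
    return counts


# Constructed sample log: two Code Red hits from one host, one Code Red II
# hit, one ordinary page view and one odd .ida request. The %u tail is an
# abbreviated stand-in for the worm's encoded payload.
_SHELL = "%u9090%u6858%ucbd3%u7801%u00=a"
SAMPLE_LOG = [
    '10.0.0.5 - - [08/Aug/2001:21:17:28 +0000] "GET /default.ida?'
    + "N" * 224 + _SHELL + ' HTTP/1.0" 200 1234',
    '192.0.2.1 - - [08/Aug/2001:21:18:02 +0000] "GET /index.html HTTP/1.1" 200 5678',
    '10.0.0.9 - - [08/Aug/2001:21:18:40 +0000] "GET /default.ida?'
    + "X" * 224 + _SHELL + ' HTTP/1.0" 200 1234',
    '10.0.0.5 - - [08/Aug/2001:21:19:11 +0000] "GET /default.ida?'
    + "N" * 224 + _SHELL + ' HTTP/1.0" 200 1234',
    '198.51.100.7 - - [08/Aug/2001:21:20:00 +0000] "GET /default.ida?foo=bar HTTP/1.0" 404 0',
]

if __name__ == "__main__":
    for (ip, label), n in sorted(summarize(SAMPLE_LOG).items()):
        print("%-16s %-10s %d" % (ip, label, n))
```

Run it as a script to see the per-source tally for the constructed sample; feed it real access_log lines instead of SAMPLE_LOG to get the same tally for your own server. The classifier deliberately keys on the path plus the filler run rather than on the exact %u bytes, so it keeps matching when the log line was cut short or the payload varies, at the cost of also flagging anything else that aims a long N or X query at default.ida.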
