[Dshield] [isn@c4i.org: [ISN] Early Bird: A realtime Code Red attempt reporting utility.]

Patrick Oonk patrick at pine.nl
Thu Aug 9 12:24:06 GMT 2001

----- Forwarded message from InfoSec News <isn at c4i.org> -----
From: InfoSec News <isn at c4i.org>

[Pinched from another list...  :)   - WK]


TITLE	: EARLY BIRD -- A realtime Code Red attempt reporting utility
AUTHOR	: Jay D. Dyson <jdyson at treachery.net>
VERSION	: 1.0 (Released 08/09/2001)
REQUIRES: PERL v5.003 or higher, Net::Whois::Raw PERL module 
	  (available at http://www.cpan.org/) and a one-line tweak to
	  Apache's (v1.3.x) httpd.conf.
RESOURCE: http://www.treachery.net/~jdyson/earlybird/

---[ DESCRIPTION ]----------------------------------------------------

After seeing close to one thousand Code Red exploit attempts on 
several non-IIS systems I maintain (and after tiring of generating
reports to send off to multiple ISPs regarding multiple breaches on
their networks, only to see the scans continue unabated days later), I
decided to automate the notification process on a transactional basis.
This utility suite is the end product of that goal.

---[ RATIONALE ]------------------------------------------------------

If there is one thing that Code Red has clearly demonstrated, it is
that people who run vulnerable systems on the 'net either do not know
or do not care that their recklessness impacts other people.  As a
consequence, I have come to the conclusion that most people just won't
take care of a problem until it becomes *their* problem.  This
transaction-oriented notification system is not designed to be a
problem, but it *is* designed to make the responsible party *aware*
of the problem and its impact.

This utility has a larger goal in that immediate reporting will also
help circumvent the potential for abuse of already-compromised 
systems.  Let's face it, when a Code Red v2 system scans your box,
that's little more than a great flashing light stating that the box
in question is ripe for takeover by any interested hostile party.
These realtime notices -- at the very least -- may help curtail the
further abuse of non-compromised systems by the already-affected

Some might argue that this is the wrong way to go about fighting
the Code Red worm.  That's their opinion and they are certainly
entitled to it.  Just don't expect me to share that point of view.
Until a means can be determined to shut the worm down permanently
without engaging in potentially illegal acts of unauthorized intrusion
on already-compromised systems, I'll consider this approach optimal.

---[ DETAILS ]--------------------------------------------------------

Before going much further, I'll state for the record that this utility
is not the most elegant work of code.  Then again, neither is the worm
it was created to combat.

This utility is designed around the notion of setting up a decoy
'default.ida' executable on a UNIX system.  When the worm hits this
decoy script, a quick note is made as to the version of the worm (v1 
or v2), and a lookup is performed via ARIN on the connecting IP
address to determine the parent netblock owner.  An e-mail is then 
composed with those details and sent off to said contact.

The text of the message sent out with each exploit attempt is thus:


You are receiving this notice since your domain is listed as the
primary contact in the American Registry of Internet Numbers (ARIN).

The following Code Red intrusion attempt was mad against our system.

	ADDRESS: (IP address of offending system)
	ATTEMPT: (Full URI requested)

Please advise your user that their system has been compromised and is
being actively utilized as an attack launchpoint against other

Thank you for your prompt attention to this matter.


With this information alone, the recipient admin will be able to not
only identify the offending system on their network, but will have 
sufficient evidence in the quoted URI that an exploit attempt was
indeed made.  In a perfect world, this information should expedite 
action...but I'm not holding my breath.  If the recipient wants to
continue receiving an avalanche of such notices because they either
can't or won't fix the problem, that's no skin off my nose.

Just for grins, this utility also generates a brief HTML reply to the
worm's intrusion attempt.  There isn't much data generated since the
worm *is* an automated intrusion agent and -- no matter how much
artificial intelligence is crammed into the beast -- it isn't likely
to appreciate my wry sense of humor.  ;)


You can download the source tarball for this utility at:


Setting up this utility is fairly trivial.  The critical files are
as follows:

	-----------	----------------------------------------------
	default.ida	Acts as bait for the worm.
	arin		Two-line external script (used to overcome a
			minor shortcoming in the Net::Whois::Raw PERL

Installation of this worm bait will also require a one-line tweak to
your Apache httpd.conf.  If you're unwilling or uncomfortable in doing
such, you may as well stop reading now.

Still with me?  Cool.  Here's what you'll need to do:

1.	Open 'httpd.conf' with your favorite editor.  (I prefer vi.)

	Search for	: AddHandler cgi-script .cgi
	Add		: AddHandler cgi-script .ida

	Save the changes and restart Apache.

2.	Copy 'default.ida' and 'arin' to your primary/default web
	document root directory.  You need not copy it to every vhost
	directory on your system since the Code Red worm only goes by
	IP addresses rather than domain names.

3.	Open up 'default.ida' with your preferred editor.  (Again, vi
	is preferred.)  You'll want to check (and possibly change) the
	following variables:

	$sendmail			# Sendmail location
	$username			# Your contact address
	$domain				# Your full domain name
	exec'/PATH/TO/arin',$s;		# Change /PATH to suit yours

4.	Once all the variable values are appropriately set, you will
	need to set the execute bits on both 'default.ida' and 'arin'.

	chmod 0555 default.ida
	chmod 0555 arin

That's it.  Your worm bait is now in place and ready to badger the
offending network admins into cleaning house.  To test that the script
is functioning properly, simply open your favorite web browser and
plug in the URL in the form of:


The script will reply with its standard HTML response, but will *NOT*
send out a notice e-mail since the requesting URI does not contain the
worm's typical exploit strings.

-----[ CAVEATS & DISCLAIMER ]-----------------------------------------

This code and related documentation is released under the terms of the
Gnu Public License.  See http://www.gnu.org/copyleft/gpl.html for

By use of this code, you agree to hold me harmless from any and all 
consequences that arise from use or misuse thereof.

As with all files I release, everything is PGP-signed.  If your copy
of this file is *not* PGP-signed, nuke it and grab a copy of this
utility at: http://www.treachery.net/~jdyson/earlybird/.

My PGP keys are at: http://www.treachery.net/~jdyson/jdd_keys.html

-----[ IN CLOSING ]---------------------------------------------------

Thanks for your interest in combatting Code Red.  CR wasn't the first
worm we've encountered, and I'm sure it won't be the last.  Let's just
hope that everyone else is ready for what's next.

					-- Jay D. Dyson

Version: 2.6.2
Comment: See http://www.treachery.net/~jdyson/ for current keys.


ISN is currently hosted by Attrition.org

To unsubscribe email majordomo at attrition.org with 'unsubscribe isn' in the BODY
of the mail.

----- End forwarded message -----

 Patrick Oonk - PO1-6BONE - E: patrick at pine.nl - www.pine.nl/~patrick
 Pine Internet  -  PAT31337-RIPE  -   Hushmail: p.oonk at my.security.nl
 T: +31-70-3111010  -   F: +31-70-3111011   -  http://security.nl
 PGPID 155C3934 fp DD29 1787 8F49 51B8 4FDF  2F64 A65C 42AE 155C 3934
 Excuse of the day: Runt packets

More information about the list mailing list