Modification to code red detect script

Russell Fulton r.fulton at auckland.ac.nz
Thu Aug 16 21:45:32 GMT 2001


I have slightly modified the script (originally written by
David Dandar and modified by Anne Bennet) that looks for compromised
systems to find those that still have the c and d mapping after
cleaning.

$codered_query = 
#  'GET /scripts/root.exe?/c+dir+/tc HTTP/1.0'."\nHost: IITS-test\n\n";
  'GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0'. "\n\n";

This will detect machines where the virtual root setting got restored
from the metabase or where they simply were not deleted from the
registry.
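As an added example (not the unisog script or Russell's modification), the same check done from the server side: scan a host's own IIS logs for requests to the backdoor paths, and treat a 200 for one of them as evidence that the mapping is still live. It assumes IIS W3C logs with the field order date, time, c-ip, cs-method, cs-uri-stem, cs-uri-query, sc-status; the log lines are constructed.

```python
import re
from collections import defaultdict

# Paths left behind by the Code Red II backdoor: the /c and /d virtual
# roots (mapped to C:\ and D:\) and the root.exe copies of cmd.exe.
BACKDOOR_PATTERNS = [
    re.compile(r"^/[cd]/winnt/system32/cmd\.exe$", re.IGNORECASE),
    re.compile(r"^/(scripts|msadc)/root\.exe$", re.IGNORECASE),
]

# Assumed W3C field order: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<method>\S+) "
    r"(?P<stem>\S+) (?P<query>\S+) (?P<status>\d{3})"
)

def classify(line):
    """Return (client ip, uri stem, status) for a backdoor probe, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    stem = m.group("stem")
    if not any(p.match(stem) for p in BACKDOOR_PATTERNS):
        return None
    return (m.group("ip"), stem, int(m.group("status")))

def scan(lines):
    """Count probes per source IP and collect backdoor paths this server
    actually served (sc-status 200): a 200 means the mapping still exists."""
    per_ip = defaultdict(int)
    live_paths = set()
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue
        ip, stem, status = hit
        per_ip[ip] += 1
        if status == 200:
            live_paths.add(stem.lower())
    return dict(per_ip), sorted(live_paths)

# Constructed sample log (documentation-range IPs), not real traffic.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-08-16 21:40:01 192.0.2.10 GET /default.htm - 200
2001-08-16 21:40:05 198.51.100.7 GET /scripts/root.exe /c+dir 404
2001-08-16 21:40:06 198.51.100.7 GET /c/winnt/system32/cmd.exe /c+dir 200
2001-08-16 21:41:12 203.0.113.9 GET /d/winnt/system32/cmd.exe /c+dir 200
2001-08-16 21:42:00 192.0.2.10 GET /images/logo.gif - 200
""".splitlines()

if __name__ == "__main__":
    per_ip, live = scan(SAMPLE_LOG)
    for ip, n in per_ip.items():
        print(f"{ip}: {n} backdoor probe(s)")
    for path in live:
        print(f"STILL MAPPED (served 200): {path}")
```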

Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand
