Modification to code red detect script

Russell Fulton r.fulton at
Thu Aug 16 21:45:32 GMT 2001

I have slightly modified the script (originally written by
David Dandar and modified by Anne Bennet) that looks for compromised
systems to find those that still have the c and d mapping after

$codered_query = 
#  'GET /scripts/root.exe?/c+dir+/tc HTTP/1.0'."\nHost: IITS-test\n\n";
  'GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0'. "\n\n";

This will detect machines where the virtual root setting got restored
from the metabase or where they simply were not deleted from the

Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand
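
Added example, not part of the original post or of the script it refers to: Python code that builds the two probe requests quoted above and classifies the raw responses, separating hosts where only the /c mapping still answers from hosts where root.exe answers too. The function names, the `Directory of` marker and the sample responses are assumptions made for this illustration.

```python
import re

# Probe paths quoted in the post: the original root.exe check and the
# modified check that goes through the /c virtual root.
PROBES = {
    "root.exe": "/scripts/root.exe?/c+dir+/tc",
    "c-mapping": "/c/winnt/system32/cmd.exe?/c+dir",
}
# Assumption: the output of an English-language `dir` contains this text.
DIR_MARKER = b"Directory of"
STATUS_RE = re.compile(rb"^HTTP/\d\.\d (\d{3})")
# Constructed sample responses (not captured traffic).
SAMPLE_404 = b"HTTP/1.1 404 Object Not Found\r\n\r\n<html>404</html>"
SAMPLE_DIR = b"HTTP/1.1 200 OK\r\n\r\n Directory of c:\\\r\n"


def build_request(probe):
    """Return the HTTP/1.0 request for a named probe (CRLF line endings)."""
    return ("GET %s HTTP/1.0\r\n\r\n" % PROBES[probe]).encode("ascii")


def classify(raw):
    """Classify one raw HTTP response as 'open', 'closed' or 'unknown'."""
    m = STATUS_RE.match(raw or b"")
    if m is None:
        return "unknown"        # no answer, or not HTTP at all
    if DIR_MARKER in raw:
        return "open"           # dir output present, whatever the status code
    status = int(m.group(1))
    if 400 <= status < 500:
        return "closed"
    return "unknown"            # e.g. 200 from a catch-all page, or a 5xx


def verdict(responses):
    """Combine the per-probe raw responses collected for one host."""
    state = {name: classify(responses.get(name)) for name in PROBES}
    if state["c-mapping"] == "open" and state["root.exe"] != "open":
        return "mapping-only"   # the case the modified query is meant to find
    if "open" in state.values():
        return "backdoor"
    if all(s == "closed" for s in state.values()):
        return "clean"
    return "inconclusive"
```

A status of 200 without directory output is reported as unknown rather than open, so a server that answers every URL with a generic page is not counted as compromised.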
