Security News > 2001 > August > Early Bird: A realtime Code Red attempt reporting utility.
[Pinched from another list... :) - WK] -----BEGIN PGP SIGNED MESSAGE----- TITLE : EARLY BIRD -- A realtime Code Red attempt reporting utility AUTHOR : Jay D. Dyson VERSION : 1.0 (Released 08/09/2001) REQUIRES: PERL v5.003 or higher, Net::Whois::Raw PERL module (available at http://www.cpan.org/) and a one-line tweak to Apache's (v1.3.x) httpd.conf. RESOURCE: http://www.treachery.net/~jdyson/earlybird/ ---------------------------------------------------------------------- ---[ DESCRIPTION ]---------------------------------------------------- After seeing close to one thousand Code Red exploit attempts on several non-IIS systems I maintain (and after tiring of generating reports to send off to multiple ISPs regarding multiple breaches on their networks, only to see the scans continue unabated days later), I decided to automate the notification process on a transactional basis. This utility suite is the end product of that goal. ---[ RATIONALE ]------------------------------------------------------ If there is one thing that Code Red has clearly demonstrated, it is that people who run vulnerable systems on the 'net either do not know or do not care that their recklessness impacts other people. As a consequence, I have come to the conclusion that most people just won't take care of a problem until it becomes *their* problem. This transaction-oriented notification system is not designed to be a problem, but it *is* designed to make the responsible party *aware* of the problem and its impact. This utility has a larger goal in that immediate reporting will also help circumvent the potential for abuse of already-compromised systems. Let's face it, when a Code Red v2 system scans your box, that's little more than a great flashing light stating that the box in question is ripe for takeover by any interested hostile party. These realtime notices -- at the very least -- may help curtail the further abuse of non-compromised systems by the already-affected systems. Some might argue that this is the wrong way to go about fighting the Code Red worm. That's their opinion and they are certainly entitled to it. Just don't expect me to share that point of view. Until a means can be determined to shut the worm down permanently without engaging in potentially illegal acts of unauthorized intrusion on already-compromised systems, I'll consider this approach optimal. ---[ DETAILS ]-------------------------------------------------------- Before going much further, I'll state for the record that this utility is not the most elegant work of code. Then again, neither is the worm it was created to combat. This utility is designed around the notion of setting up a decoy 'default.ida' executable on a UNIX system. When the worm hits this decoy script, a quick note is made as to the version of the worm (v1 or v2), and a lookup is performed via ARIN on the connecting IP address to determine the parent netblock owner. An e-mail is then composed with those details and sent off to said contact. The text of the message sent out with each exploit attempt is thus: ----- You are receiving this notice since your domain is listed as the primary contact in the American Registry of Internet Numbers (ARIN). The following Code Red intrusion attempt was mad against our system. ADDRESS: (IP address of offending system) ATTEMPT: (Full URI requested) Please advise your user that their system has been compromised and is being actively utilized as an attack launchpoint against other systems. Thank you for your prompt attention to this matter. ----- With this information alone, the recipient admin will be able to not only identify the offending system on their network, but will have sufficient evidence in the quoted URI that an exploit attempt was indeed made. In a perfect world, this information should expedite action...but I'm not holding my breath. If the recipient wants to continue receiving an avalanche of such notices because they either can't or won't fix the problem, that's no skin off my nose. Just for grins, this utility also generates a brief HTML reply to the worm's intrusion attempt. There isn't much data generated since the worm *is* an automated intrusion agent and -- no matter how much artificial intelligence is crammed into the beast -- it isn't likely to appreciate my wry sense of humor. ;) -----[ ACQUISITION, INSTALLATION & CONFIGURATION ]-------------------- You can download the source tarball for this utility at: http://www.treachery.net/~jdyson/earlybird/ Setting up this utility is fairly trivial. The critical files are as follows: FILENAME FUNCTION ----------- ---------------------------------------------- default.ida Acts as bait for the worm. arin Two-line external script (used to overcome a minor shortcoming in the Net::Whois::Raw PERL module) Installation of this worm bait will also require a one-line tweak to your Apache httpd.conf. If you're unwilling or uncomfortable in doing such, you may as well stop reading now. Still with me? Cool. Here's what you'll need to do: 1. Open 'httpd.conf' with your favorite editor. (I prefer vi.) Search for : AddHandler cgi-script .cgi Add : AddHandler cgi-script .ida Save the changes and restart Apache. 2. Copy 'default.ida' and 'arin' to your primary/default web document root directory. You need not copy it to every vhost directory on your system since the Code Red worm only goes by IP addresses rather than domain names. 3. Open up 'default.ida' with your preferred editor. (Again, vi is preferred.) You'll want to check (and possibly change) the following variables: $sendmail # Sendmail location $username # Your contact address $domain # Your full domain name exec'/PATH/TO/arin',$s; # Change /PATH to suit yours 4. Once all the variable values are appropriately set, you will need to set the execute bits on both 'default.ida' and 'arin'. chmod 0555 default.ida chmod 0555 arin That's it. Your worm bait is now in place and ready to badger the offending network admins into cleaning house. To test that the script is functioning properly, simply open your favorite web browser and plug in the URL in the form of: http://www.your-domain.tld/default.ida The script will reply with its standard HTML response, but will *NOT* send out a notice e-mail since the requesting URI does not contain the worm's typical exploit strings. -----[ CAVEATS & DISCLAIMER ]----------------------------------------- This code and related documentation is released under the terms of the Gnu Public License. See http://www.gnu.org/copyleft/gpl.html for details. By use of this code, you agree to hold me harmless from any and all consequences that arise from use or misuse thereof. As with all files I release, everything is PGP-signed. If your copy of this file is *not* PGP-signed, nuke it and grab a copy of this utility at: http://www.treachery.net/~jdyson/earlybird/. My PGP keys are at: http://www.treachery.net/~jdyson/jdd_keys.html -----[ IN CLOSING ]--------------------------------------------------- Thanks for your interest in combatting Code Red. CR wasn't the first worm we've encountered, and I'm sure it won't be the last. Let's just hope that everyone else is ready for what's next. -- Jay D. Dyson 08/09/2001 -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: See http://www.treachery.net/~jdyson/ for current keys. iQCVAwUBO3JKCLlDRyqRQ2a9AQHIDgP/aVX+kZctzhfjGwVXYGnrZ7N43XzWGWrD riH02NyT0YpVi9LdTk8rmQ3MIH9ch0lkt33pS8DHenZDbUtrqoSTdBkg6Q1vEFFy Hjw/0fS6HU7AKDtQblrjvx8R6Ed6svv4Wh+MF/H4ibcuFeCYQw2ekc8K4lZ09XXD YSkQBFDb2B8= =040v -----END PGP SIGNATURE----- - ISN is currently hosted by Attrition.org To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY of the mail.