[NCLUG] Code Red fun

Charles Clarke clarke at clarkecomputer.com
Tue Aug 7 21:52:25 MDT 2001


Instead of sending back garbage, I output a message and also try to send
the same message to the postmaster on the system trying to infect my
server (along with logging it, etc.).

Out of 2077 unique IP addresses (I only send one per IP address - they
contact an average of about 4 times each), 143 didn't have mail servers
and 4 have bounced from the postmaster address.  Only 14 have looked at
the page I made and mentioned in the email (of course, posting it here
will goof up my numbers!).
http://www.clarkecomputer.com/info/codered.html

I wish I had the time to write a "Code Red Worm Inoculation" program
that I could use on the servers which contact mine.  It would set the
flags (atom for II and directory for I) that would prevent reinfection,
kill any Code Reds (if possible) and hook itself into the web server
to spread itself to any machines that tried to infect it.  Most of that
code could be reused from the worm itself.

charles

For your fun, here is the snippet to send the message to the postmaster.

$HOST is the IP address of the machine and $REMOTE is the name with the 
IP address in ()'s



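use Net::SMTP;

# $HOST, $REMOTE and $message are set earlier in the script.
# Connect straight to the SMTP service on the host that probed us.
my $smtp = Net::SMTP->new($HOST, Timeout => 60);

# No mail server on that host: nothing to send.
if($smtp)
{
    # Envelope sender and recipient (the local postmaster on that host).
    $smtp->mail("codered\@clarkecomputer.com");
    $smtp->to('postmaster');

    $smtp->data();

    # Message headers, a blank line, then the body.
    $smtp->datasend("From: codered\@clarkecomputer.com\n");
    $smtp->datasend("To: postmaster\n");
    $smtp->datasend("Subject: $REMOTE is infected with the Code Red Worm\n");
    $smtp->datasend("\n");
    $smtp->datasend($message);

    $smtp->dataend();

    $smtp->quit;
}
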

--------------------------------------------------------------------------
 Domain hosting from $15/month with error log analysis and link checking.
 http://www.clarkecomputer.com/sig.html       domains at clarkecomputer.com
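
Added example, not part of the original post or the poster's server code: one way to do the one-notice-per-IP bookkeeping described above, in Perl to match the snippet. The log lines are constructed, and scan_log and the %seen layout are hypothetical names; the /default.ida?NNN... (Code Red) and XXX... (Code Red II) request pattern is the worms' well-known probe signature, not something taken from the post.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed access-log lines (Common Log Format). Addresses come from the
# RFC 5737 documentation ranges; the probe query strings are truncated.
my @log = (
    '192.0.2.10 - - [07/Aug/2001:20:01:02 -0600] "GET /default.ida?NNNNNNNNNNNNNNNN HTTP/1.0" 404 205',
    '192.0.2.10 - - [07/Aug/2001:20:05:40 -0600] "GET /default.ida?NNNNNNNNNNNNNNNN HTTP/1.0" 404 205',
    '198.51.100.7 - - [07/Aug/2001:20:06:11 -0600] "GET /default.ida?XXXXXXXXXXXXXXXX HTTP/1.0" 404 205',
    '203.0.113.5 - - [07/Aug/2001:20:07:30 -0600] "GET /index.html HTTP/1.0" 200 1043',
    '198.51.100.7 - - [07/Aug/2001:20:09:59 -0600] "GET /default.ida?XXXXXXXXXXXXXXXX HTTP/1.0" 404 205',
    '192.0.2.10 - - [07/Aug/2001:20:12:13 -0600] "GET /default.ida?NNNNNNNNNNNNNNNN HTTP/1.0" 404 205',
);

# Tally probes per source address in %$seen and return the addresses that
# were seen for the first time, i.e. the ones that should get one notice.
sub scan_log {
    my ($lines, $seen) = @_;
    my @new;
    for my $line (@$lines) {
        # Capture the source IP and the padding after "default.ida?":
        # a run of N for the original worm, a run of X for Code Red II.
        next unless $line =~
            m{^(\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[[^\]]+\] "GET /default\.ida\?(N{8,}|X{8,})};
        my ($ip, $pad) = ($1, $2);
        push @new, $ip unless $seen->{$ip};    # first sighting only
        $seen->{$ip}{hits}++;
        $seen->{$ip}{variant} = substr($pad, 0, 1) eq 'X' ? 'II' : 'I';
    }
    return @new;
}

my %seen;
my @notify = scan_log(\@log, \%seen);

my $hits = 0;
$hits += $_->{hits} for values %seen;

printf "%d unique infected hosts, %.1f probes each on average\n",
    scalar(keys %seen), $hits / (keys(%seen) || 1);
print "notify postmaster at $_ (Code Red $seen{$_}{variant})\n" for @notify;
```

To keep the one-message-per-address rule across runs, %seen would need to be saved to disk between invocations; that part is not shown.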



