CodeRed notifier

#!/usr/local/bin/perl
#
# Notify CodeRed infection to SecurityFocus
# Usage: codered_notify.pl [-f youraddress] < /path/to/access_log
#
# SEE ALSO: http://www.securityfocus.com/archive/1/201907
#

use strict;
use Config;
use Getopt::Std;
use Mail::Sendmail;

getopts('f:', \my %opt);

my $from = $opt{f} || $Config{cf_email};
my $to   = 'aris-report@securityfocus.com';

my %ip2date;
while (<>) {
    next unless m@GET /default\.ida\?[XN]+@;
    my($ip, $datetime) = /^(.*?) .*? .*? \[(.*?)\]/;
    next if $ip2date{$ip};
    $ip2date{$ip} = $datetime;
}

my $message = join '', map { "$_ $ip2date{$_}\n" } keys %ip2date;
sendmail(
    To      => $to,
    From    => $from,
    Message => $message,
    Subject => "CodeRed Infection Notification",
);
[download]

--
Tatsuhiko Miyagawa
miyagawa@cpan.org

Comment on CodeRed notifier Download Code

Replies are listed 'Best First'.
Re: CodeRed notifier by jepri (Parson) on Aug 06, 2001 at 02:13 UTC
A nice modification would be to have it pick out the IP (as you do already), and then mail root@IP, to let them know that their server has been compromised. Update: Here is a link to the Real Time Black-hole List, which is a system that 'blacklists' servers that send out lots of spam - spam usually being many messages that are very similar. I was joking that my servers would be sending out hundreds of identical messages (effectively spamming SecurityFocus) due to the large number of hits we were getting from code red worms, thus attracting the ire of the recipients, who might report me to RBL to make me stop. I didn't say it was a good joke. And not even really a joke since the script only sends one mail each time it's run. Sorry, miyagawa, my bad. ____________________ Jeremy I didn't believe in evil until I dated it.	[reply]
Re: Re: CodeRed notifier by Malkavian (Friar) on Aug 06, 2001 at 17:29 UTC
Perhaps doing a lookup of the domain the ip is in, and mailing to administrator@domain, or similar. As IIS (which is the only thing Code Red affects) uses administrator as the superuser, it's unlikely root@ would get a valid email. Also, it's unlikely that each box would be running it's own mailserver.. Malk	[reply]
Re: Re: CodeRed notifier by miyagawa (Chaplain) on Aug 06, 2001 at 18:59 UTC
My code sends only one email, with all the ip and datetime bundled. So no spamming :-) -- Tatsuhiko Miyagawa miyagawa@cpan.org	[reply]
Re: CodeRed notifier by scottstef (Curate) on Aug 06, 2001 at 18:41 UTC
Why not send the email to webmaster@domain? Almost every webserver has a webmaster email address rather than root. "The social dynamics of the net are a direct consequence of the fact that nobody has yet developed a Remote Strangulation Protocol." -- Larry Wall	[reply]
Re: Re: CodeRed notifier by miyagawa (Chaplain) on Aug 06, 2001 at 19:01 UTC
because SecurityFocus will do better than mine, IMHO :-) They collect infected IP addresses, so I guess they will drop the duplicates, and send the notification in wiser way, with some authority. Better avoiding double effort, I think. Thanks! -- Tatsuhiko Miyagawa miyagawa@cpan.org	[reply]
Re: CodeRed notifier by Brovnik (Hermit) on Aug 08, 2001 at 18:23 UTC
Hits on my server now running at more than 100/day, so I wrote a quick script to report attack statistics Here. -- Brovnik	[reply]
Re: CodeRed notifier by cajun (Chaplain) on Aug 07, 2001 at 11:24 UTC
I'm not having much success getting this to work properly. I got no matches at all with miyagawa's original line: `next unless m@GET /default\.ida\?[XN]+@;` [download] After I changed this to: `next unless m@GET /default\.ida ?[XN]+@;` [download] I get matches. I set $to to my email address for testing purposes. Each time I run the script, I get a blank message (no body). $message isn't getting setup properly. If I turn on warnings, I get lots of "Use of uninitialized value in hash element..."	[reply] [d/l] [select]