in reply to CodeRed notifier

A nice modification would be to have it pick out the IP (as you do already), and then mail root@IP, to let them know that their server has been compromised.

Update: Here is a link to the Real Time Black-hole List, which is a system that 'blacklists' servers that send out lots of spam - spam usually being many messages that are very similar.

I was joking that my servers would be sending out hundreds of identical messages (effectively spamming SecurityFocus) due to the large number of hits we were getting from Code Red worms, thus attracting the ire of the recipients, who might report me to RBL to make me stop. I didn't say it was a good joke.

And not even really a joke since the script only sends one mail each time it's run. Sorry, miyagawa, my bad.

____________________
Jeremy
I didn't believe in evil until I dated it.

Re: Re: CodeRed notifier
by Malkavian (Friar) on Aug 06, 2001 at 17:29 UTC
    Perhaps doing a lookup of the domain the IP is in, and mailing to administrator@domain, or similar.
    As IIS (which is the only thing Code Red affects) uses administrator as the superuser, it's unlikely root@ would get a valid email. Also, it's unlikely that each box would be running its own mailserver.

    Malk
Re: Re: CodeRed notifier
by miyagawa (Chaplain) on Aug 06, 2001 at 18:59 UTC
    My code sends only one email, with all the IPs and datetimes bundled. So no spamming :-)

    --
    Tatsuhiko Miyagawa
    miyagawa@cpan.org
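
The "one email per run" approach discussed in this thread, as an added example that is not miyagawa's script: it scans web server log lines for the Code Red request to /default.ida, groups the timestamps by source IP, and builds a single report body. The log lines are constructed samples in Apache common log format, the function names collect_hits and build_digest are hypothetical, and the mail step is left out.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample lines (documentation IP ranges, query string shortened).
my @log = (
    '192.0.2.10 - - [06/Aug/2001:17:01:12 +0000] "GET /default.ida?NNNNNNNNNNNN HTTP/1.0" 404 276',
    '198.51.100.7 - - [06/Aug/2001:17:02:40 +0000] "GET /index.html HTTP/1.0" 200 1043',
    '192.0.2.10 - - [06/Aug/2001:17:05:33 +0000] "GET /default.ida?NNNNNNNNNNNN HTTP/1.0" 404 276',
    '203.0.113.5 - - [06/Aug/2001:17:09:02 +0000] "GET /default.ida?NNNNNNNNNNNN HTTP/1.0" 404 276',
);

# Return a hash ref: source IP => list of timestamps of Code Red requests.
sub collect_hits {
    my %hits;
    for my $line (@_) {
        # Code Red shows up as a GET for /default.ida with a padded query string.
        next unless $line =~ m{^(\d+\.\d+\.\d+\.\d+) \S+ \S+ \[([^\]]+)\] "GET /default\.ida\?}i;
        push @{ $hits{$1} }, $2;
    }
    return \%hits;
}

# Build the body of ONE report covering every source seen in this run.
# Returns undef when there were no hits, so the caller sends nothing.
sub build_digest {
    my ($hits) = @_;
    return unless %$hits;
    my $body = "Code Red requests seen in web server log:\n";
    for my $ip (sort keys %$hits) {
        my @times = @{ $hits->{$ip} };
        $body .= sprintf "%-15s %d hit(s)\n", $ip, scalar @times;
        $body .= "    $_\n" for @times;
    }
    return $body;
}

my $digest = build_digest(collect_hits(@log));
print defined $digest ? $digest : "no hits, nothing to send\n";
```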