Perl answer to the Microsoft IIS 'Code Red' infected admins

Ok, perhaps I'm just bitter. But I'm very tempted at this point to let the M$ IIS admins hear back from the "Code Red II" worms they've got infecting their system, by doing this:

grep 'default.ida' /path/to/access_log | awk {'print $1'} | sort -n | 
+uniq | this_perl_script.pl
[download]

...say...every two minutes or so.

It would be cool if someone would expand this to do a whois query, prase the results for emails, and send $message to the admins and owners of the domains involved.

#!/usr/bin/perl -w

use strict;
use LWP::Simple;

my $ipaddress;

# Message to the sysadmin who is infected. I've kept out unusual 
# punctuation on purpose
my $message = <<END;
You are infected with the Code Red II worm and it is bloody annoying. 
+For details head to http://www.cert.org/advisories/CA-2001-19.html
END
$message =~ s/ /_/g;

foreach $ipaddress (@ARGV) {
        my $full_url = "http:\/\/$ipaddress\/$message";
        my $junk = get($full_url);
        }
[download]

Kickstart

Comment on Perl answer to the Microsoft IIS 'Code Red' infected admins Select or Download Code

Replies are listed 'Best First'.
Re: Perl answer to the Microsoft IIS 'Code Red' infected admins by jepri (Parson) on Aug 08, 2001 at 03:57 UTC
Nice script, but IIS administrators don't read log files. Log files are for people who use hard to use silly systems like UNIX. Everything you need to know on an NT machine comes in the form of a graph or a pop-up window. Come to think of it I'm not even sure IIS administrators can read. Sorry. Just had yet another conversation with (yet another) NT admin who tried to explain to me that the best way to pick a servers operating system was to pick the one with the easiest user interface. I smiled and contained myself till I got around the corner. A small modification to your script might be to add a `system("ping -f $ipaddress");` somewhere in there :) ____________________ Jeremy I didn't believe in evil until I dated it.	[reply] [d/l]
Re: Perl answer to the Microsoft IIS 'Code Red' infected admins by premchai21 (Curate) on Aug 08, 2001 at 06:30 UTC
You can use tr instead for one-to-one character mappings, you know. It's faster. `$message =~ tr/ /_/;` [download]	[reply] [d/l]
Re: Perl answer to the Microsoft IIS 'Code Red' infected admins by $code or die (Deacon) on Aug 08, 2001 at 14:42 UTC
What's really depressing is browsing through news://microsoft.public.inetserver.iis It's amazing just how many IIS Admins STILL don't have a clue about Code Red. What's worse is that many of them don't have the intelligence to browse through previous threads before posting "IIS keeps crashing - Help" I feel like I am allowed to slate IIS\NT Admins because I'm one of them!! Error: Keyboard not attached. Press F1 to continue.	[reply]
Re: Perl answer to the Microsoft IIS 'Code Red' infected admins by elwarren (Priest) on Aug 08, 2001 at 20:38 UTC
You could do your grep with awk and save an exec: `awk '/default.ida/ {print $1}' /path/to/access_log`	[reply] [d/l]
Re: Perl answer to the Microsoft IIS 'Code Red' infected admins by Anonymous Monk on Aug 14, 2001 at 00:08 UTC
I found a script that does just that. It queries the ARIN WHOIS server for the IP, strips the domain of the admin email address and then emails postmaster@domain.com. It doesn't work with non-ARIN IPs, but could be modified to pull out the whole email address. I'm playing around with it but if anyone can make it work better, post it, would ya? http://www.treachery.net/~jdyson/earlybird/ HughJASS	[reply]
Re: Re: Perl answer to the Microsoft IIS 'Code Red' infected admins by Anonymous Monk on Aug 26, 2001 at 11:26 UTC
The script to which you refer (Early Bird) handles APNIC and RIPE queries as well as ARIN. The version that was limited to ARIN was the 1.x series. The code is now at v2.1 with v2.2 due for rollout on 08/26/2001. Hope that helps. Best wishes. -JDD	[reply]
Re: Perl answer to the Microsoft IIS 'Code Red' infected admins by Anonymous Monk on Aug 10, 2001 at 22:27 UTC
Since you can run whatever you want by going to http://IpOfHackedMachine/scripts/root.exe?c/+DIR+C:\ why not try something a bit more creative, like poping up a window on the local machine....	[reply]
Re: Re: Perl answer to the Microsoft IIS 'Code Red' infected admins by echo (Pilgrim) on Aug 12, 2001 at 13:26 UTC
You cannot run whatever you want with that backdoor, it is running with web server privileges. Most interesting things you'd want to do will require higher privileges.	[reply]
Re (tilly) 2: Perl answer to the Microsoft IIS 'Code Red' infected admins by tilly (Archbishop) on Aug 11, 2001 at 18:44 UTC
Only Code Red II leaves that hole. The original Code Red does not.	[reply]
Re: Re: Perl answer to the Microsoft IIS 'Code Red' infected admins by Kickstart (Pilgrim) on Aug 11, 2001 at 03:31 UTC
I've checked all the machines hitting me with Code Red requests and tried your line. No success. I'd love to tell these people they are infected, or inversely, know that they've patched the hole. Is the above command/url correct? Kickstart	[reply]