For shits and giggles, I whipped up a little Java program that serves two functions:

- when invoked with a single argument, it connects to that host on port 80, issues an IDQ-style request according to Chris St. Clair's recently posted testing methodology (only tested on IIS/5.0), and tells you if the server appears to be vulnerable or not. For example:

    $ javac CodeRedLogger.java
    $ java CodeRedLogger infected.system.com

- when invoked with no arguments, it turns into a little multithreaded web server on port 80, which for each client connect, sees if the client sends the attack signature, and if so, connects back to the client on port 80 and performs the test mentioned above. For example:

    $ javac CodeRedLogger.java
    $ java CodeRedLogger
    (sit back and wait)

I just wrote this off the top of my head and tested it on a few servers. Maybe someone wants to modify the tests to handle IIS 4.0 servers. :)

The typical disclaimer for exploit code applies: don't use it unless you're allowed to. I wouldn't run this on a public server, and I certainly wouldn't try to reverse-connect and inject the lysine deficiency via shellcode (although I bet it would be easy). :) I also would not recommend trying to do a WHOIS or trying to send email to the server's sysadmin, because that could just burden the infected systems even more.

Again, I just wrote it for shits and giggles. I redirected port 80 on my firewall at home to go to my home PC, and then have been running it on my home PC, so I can watch worm requests come in through my cable modem. :)

I've compiled and tested this under Sun JDK 1.2; it should work on any 1.2 and later JDK.

Chad Loder
Principal Engineer
Rapid 7, Inc.
http://www.rapid7.com
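The passive half of the logger described in the post (the listener that checks each incoming request against the attack signature), as an added example that is not the author's CodeRedLogger source: it only logs, never connects back, and the signature test itself is an assumption, matching the IDQ-overflow shape (a request for an .ida/.idq ISAPI resource whose query string is dominated by one long run of a repeated padding byte) rather than any exact worm string.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.ServerSocket;
import java.net.Socket;

// Hypothetical passive listener: logs request lines that look like an
// IDQ/IDA ISAPI overflow attempt. Defaults to port 8080 (pass a port to change).
public class IdqRequestLogger {
    // Assumed threshold: legitimate Index Server queries never carry a run
    // of 100+ identical bytes; overflow padding does.
    static final int MIN_PAD = 100;

    static boolean looksLikeIdqOverflow(String requestLine) {
        if (requestLine == null) return false;
        String[] parts = requestLine.split(" ");
        if (parts.length < 2) return false;
        String target = parts[1];
        int q = target.indexOf('?');
        if (q < 0) return false;
        String path = target.substring(0, q).toLowerCase();
        if (!(path.endsWith(".ida") || path.endsWith(".idq"))) return false;
        String query = target.substring(q + 1);
        int run = 1, best = 1; // longest run of one repeated character
        for (int i = 1; i < query.length(); i++) {
            run = (query.charAt(i) == query.charAt(i - 1)) ? run + 1 : 1;
            if (run > best) best = run;
        }
        return best >= MIN_PAD;
    }

    public static void main(String[] args) throws IOException {
        int port = args.length > 0 ? Integer.parseInt(args[0]) : 8080;
        ServerSocket server = new ServerSocket(port);
        while (true) {
            final Socket client = server.accept();
            new Thread(new Runnable() {
                public void run() {
                    try {
                        BufferedReader in = new BufferedReader(new InputStreamReader(
                            client.getInputStream(), "ISO-8859-1"));
                        String line = in.readLine(); // only the request line matters
                        String verdict = looksLikeIdqOverflow(line) ? "IDQ-OVERFLOW-STYLE" : "other";
                        System.out.println(client.getInetAddress().getHostAddress()
                            + " " + verdict + " " + line);
                        client.close();
                    } catch (IOException e) { /* client dropped; nothing to log */ }
                }
            }).start();
        }
    }
}
```

Each accepted connection is handled on its own thread and closed after the first line is read, so a flood of worm connects costs little and the client learns nothing about the host.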
This archive was generated by hypermail 2b30 : Fri Jul 20 2001 - 07:41:08 PDT