CodeRed EMAIL NOTIFYER script
From: X (falken@area66.com)
Date: 08/14/01
- Previous message: Seth Arnold: "Re: "Self defense" Attack scripts"
- Next in thread: James Boorn: "Re: CodeRed EMAIL NOTIFYER script"
- Reply: James Boorn: "Re: CodeRed EMAIL NOTIFYER script"
Date: Tue, 14 Aug 2001 18:43:15 +0200 (CEST)
From: X <falken@area66.com>
To: focus-linux@lists.securityfocus.com
Subject: CodeRed EMAIL NOTIFYER script
Message-ID: <Pine.LNX.4.21.0108141841290.5684-100000@irc.area66.com>
Yes, it's simple, it just trims the domain of each gethostbyaddr()able IP
and sends an information email to admin@domain and info@domain telling
them a very short explanation of what is happening.
I know that, depending on the systems, it could be a massive mailing
(think of SPAM) with devastating results... so, use it with care.
It can be optimized a lot... so, read the disclaimer at the top of the
script (-:
bye
PS: I am open to constructive criticism.
--
Xavi Torres <admin@area66.com>
Systems administration, Krypton Networks S.L.
http://www.kryptonetworks.com/
http://www.area66.com/
--8<------------8<------------8<-------------
#!/usr/bin/perl
#
# CodeRed httpd log analyzer and informer script,
# by XTR <admin@area66.com>, <rotten@wanadoo.es>
# Note/disclaimer:
# it's ugly, I did it in 2 minutes with a joint in the other hand (-:
#
use strict;
use warnings;
use Socket;

# lets do some config.
# the httpd access log to look for the attacks.
my $f_access = "/var/log/httpd/access_log";
# the sendmail binary
my $sendmail = "/usr/sbin/sendmail";
# From: line at generated emails.
my $email_from = 'admin@very.worried.bout.security';

# domains already notified, so a noisy host does not get one mail per log line
my %notified;

open(my $faccess, '<', $f_access) or die "cannot open $f_access: $!";
while (my $line = <$faccess>) {
    next unless $line =~ /default\.ida\?/;   # the CodeRed request signature
    chomp $line;
    my @lin = split(/ /, $line);
    my $ip = $lin[0];                         # first field of a common-log line is the client IP
    my $iaddr = inet_aton($ip) or next;       # skip lines whose first field is not an IP
    my $hostname = gethostbyaddr($iaddr, AF_INET);
    next unless defined $hostname && $hostname ne '';   # no PTR record, nobody to mail
    my @ldom = split(/\./, $hostname);
    next if @ldom < 2;                        # need at least host.domain
    # last two labels only; this trims too much under suffixes like co.uk
    my $domain = join('.', @ldom[-2, -1]);
    next if $notified{$domain}++;
    print "Sending warning email to: admin\@$domain...\n";
    # list-form open avoids a shell; -t makes sendmail read the recipients from the headers
    open(my $email, '|-', $sendmail, '-t') or die "cannot run $sendmail: $!";
    print $email "From: $email_from\n";
    print $email "To: admin\@$domain\n";
    print $email "Cc: info\@$domain\n";
    print $email "Subject: You have a CodeRed infected server.\n";
    print $email "\n";                        # blank line separates headers from body
    print $email "Hello,\n";
    print $email "This is an automated email with the purpose of notifying you\n";
    print $email "that the machine with IP $ip from your network sent us a\n";
    print $email "CodeRed attack destined for our servers.\n";
    print $email "It happened due to a Microsoft Internet Information Server\n";
    print $email "security fault on that machine ($ip - $hostname).\n";
    print $email "I recommend you to take the appropriate measures and get\n";
    print $email "information at http://www.microsoft.com/ about how to fix\n";
    print $email "the problem.\n";
    print $email "Luck!\n";
    print $email "\n";
    close($email) or warn "sendmail exited with status $?\n";
}
close($faccess);
--8<------------8<------------8<-------------
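As an added example (not part of the original post or the author's script), the same detection and domain-trimming logic in Python as testable functions, with a constructed access_log sample and a fake reverse-DNS table so it runs offline; `resolve` is an assumed callable standing in for socket.gethostbyaddr. It goes a little beyond the script: one notification per contact domain, and the cases the script trips on (unresolvable IPs, names with fewer than two labels) are skipped explicitly.

```python
import re
from collections import Counter

# Constructed sample access_log lines (not taken from the original post).
SAMPLE_LOG = """\
192.0.2.10 - - [14/Aug/2001:12:01:02 +0200] "GET /default.ida?NNNNNNNNNNNNNNNN HTTP/1.0" 404 281
192.0.2.10 - - [14/Aug/2001:12:01:03 +0200] "GET /default.ida?NNNNNNNNNNNNNNNN HTTP/1.0" 404 281
203.0.113.7 - - [14/Aug/2001:12:05:44 +0200] "GET /default.ida?XXXXXXXXXXXXXXXX HTTP/1.0" 404 281
198.51.100.3 - - [14/Aug/2001:12:06:00 +0200] "GET /index.html HTTP/1.0" 200 1042
"""

# client IP is the first field; the CodeRed probe is a request for /default.ida?...
CODERED_RE = re.compile(r'^(\S+) .*"[A-Z]+ /default\.ida\?')

def codered_sources(log_text):
    """Count CodeRed probe lines per source IP (the script's default.ida? test)."""
    hits = Counter()
    for line in log_text.splitlines():
        m = CODERED_RE.match(line)
        if m:
            hits[m.group(1)] += 1
    return hits

def contact_domain(hostname):
    """Last two labels of a reverse-resolved name, or None if there are not two.
    Caveat (same as the script): names under suffixes like co.uk are trimmed too far."""
    if not hostname:
        return None
    labels = hostname.rstrip('.').split('.')
    if len(labels) < 2:
        return None
    return '.'.join(labels[-2:])

def notification_targets(log_text, resolve):
    """Map each contact domain to the set of offending IPs; unresolvable IPs are dropped.
    resolve: assumed callable IP -> hostname or None (socket.gethostbyaddr in real use)."""
    targets = {}
    for ip in codered_sources(log_text):
        domain = contact_domain(resolve(ip))
        if domain:
            targets.setdefault(domain, set()).add(ip)
    return targets

# Constructed fake PTR table so the example runs without DNS.
FAKE_PTR = {'192.0.2.10': 'dsl-10.isp.example.net', '203.0.113.7': None}

if __name__ == '__main__':
    for domain, ips in notification_targets(SAMPLE_LOG, FAKE_PTR.get).items():
        print(f"would mail admin@{domain} and info@{domain} about {sorted(ips)}")
```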