aHa
12-19-2001, 04:09 AM
First of all, I am very new here. That being said....
I have been thinking about this code red stuff for some time and believe there might be a way to perhaps get some action taken & patches applied where needed.
this should play with cgi,perl,php,shell... pick your poison....
It goes like this...
create a 404 page (perl/php enabled)
capture the IP address of any inbound requests representing a code red propagation (check your logs, they stick out like Bill Gates at a Linux Installfest).
easy solution:
resolve the REMOTE_ADDR (IP address) to its hostname.
have sendmail deliver an email to webmaster@resolved_hostname informing them of the code red on their box or node. Most ISPs, when nailed with a bunch of this, will request that the customer with the rogue box take action.
complex solution (IP does not resolve to a hostname):
have your 404 perform a whois against arin.net on the owner
of the ip block (the first two octets usually work). Parse that response down to obtain their NETBLK info,
whois arin again with that value, Either parse out the "Coordinator:" email or
parse out the domain name
tack on a "webmaster@" or "root@" in front of that
have sendmail deliver a message indicating that code red is being generated from their network. This is usually less effective as you are often dealing with a larger organization.
This is just an idea. It is not a cure, but if it helps it helps... I use the whois/arin thing to grab point of origin for 401 responses in my feeble attempt at "big brother knows where you are, now get off this restricted site ya big mallothead" kinda thing.
Feel free to criticize/crucify at your will.
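Added example (not part of aHa's post, which leaves the language open): a Python sketch of the whole procedure, from spotting Code Red probes in the access log to choosing who to mail. The worm signature is the well-known one, a GET for /default.ida? followed by a long run of N (Code Red I) or X (Code Red II). Everything else is assumed for the demo: the log lines, the reverse-DNS answer and the two ARIN whois replies are constructed, use documentation IPs and example.net-style names, and are injected as canned lookups so the script runs offline; whois_query is a plain port-43 client for when you wire it to the real thing.

```python
"""Code Red notifier: find worm probes in a web log and pick a reporting address."""
import re
import socket
from email.message import EmailMessage

# Constructed Apache common-log lines (documentation IPs, not real hosts).
SAMPLE_LOG = """\
192.0.2.10 - - [19/Dec/2001:04:01:12 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 287
198.51.100.7 - - [19/Dec/2001:04:02:33 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 287
203.0.113.5 - - [19/Dec/2001:04:03:01 -0500] "GET /index.html HTTP/1.1" 200 1042
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)')
# Code Red I padded the query with N's, Code Red II with X's; both hit /default.ida.
CODE_RED_RE = re.compile(r"^/default\.ida\?[NX]{16,}")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w.-]+\.[A-Za-z]{2,}")
NETBLK_RE = re.compile(r"\(?(NETBLK-[A-Z0-9-]+)\)?")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def code_red_sources(log_text):
    """Return the unique source IPs of Code Red probes, in the order first seen."""
    seen = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and CODE_RED_RE.match(m.group("path")) and m.group("ip") not in seen:
            seen.append(m.group("ip"))
    return seen


def whois_query(query, server="whois.arin.net", port=43, timeout=10):
    """Raw port-43 WHOIS query (live network; the demo below injects canned replies)."""
    with socket.create_connection((server, port), timeout=timeout) as s:
        s.sendall(query.encode() + b"\r\n")
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode(errors="replace")


def contact_from_whois(ip, whois=whois_query):
    """The post's 'complex solution': IP -> NETBLK handle -> Coordinator e-mail."""
    first = whois(ip)
    m = NETBLK_RE.search(first)
    detail = whois(m.group(1)) if m else first
    # Prefer the Coordinator's address; otherwise webmaster@ the first domain in the record.
    parts = detail.split("Coordinator:", 1)
    if len(parts) == 2:
        e = EMAIL_RE.search(parts[1])
        if e:
            return e.group(0)
    d = DOMAIN_RE.search(detail)
    return "webmaster@" + d.group(0) if d else None


def reporting_address(ip, resolve=socket.gethostbyaddr, whois=whois_query):
    """Easy path: webmaster@<reverse-DNS name>; if the IP does not resolve, fall back to whois."""
    try:
        hostname = resolve(ip)[0]
        return "webmaster@" + hostname
    except (OSError, KeyError):  # socket.herror is an OSError; KeyError covers the canned table
        return contact_from_whois(ip, whois)


def build_report(ip, to_addr, sender="webmaster@victim.example"):
    """Build the notice; hand it to smtplib.SMTP('localhost').send_message() to deliver."""
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, to_addr
    msg["Subject"] = "Code Red probes from %s" % ip
    msg.set_content("Host %s on your network is sending Code Red worm probes to our web server.\n"
                    "Please patch and clean the affected IIS host.\n" % ip)
    return msg


# Constructed canned answers (assumed data) so the demo runs offline.
FAKE_RDNS = {"192.0.2.10": ("dsl-10.isp.example.net", [], ["192.0.2.10"])}
FAKE_WHOIS = {
    "198.51.100.7": "Example Hosting Co (NETBLK-EXHOST-1) EXHOST-1  198.51.100.0 - 198.51.100.255\n",
    "NETBLK-EXHOST-1": (
        "Example Hosting Co (NETBLK-EXHOST-1)\n"
        "   Netname: EXHOST-1\n   Netblock: 198.51.100.0 - 198.51.100.255\n\n"
        "   Coordinator:\n      Doe, Jane  (JD0-ARIN)  abuse@exhost.example.net\n"
    ),
}


def demo():
    """Map each probing IP to the address the post would mail, using the canned lookups."""
    resolve = lambda ip: FAKE_RDNS[ip]
    whois = lambda q: FAKE_WHOIS[q]
    return {ip: reporting_address(ip, resolve, whois) for ip in code_red_sources(SAMPLE_LOG)}


if __name__ == "__main__":
    for ip, addr in demo().items():
        print(ip, "->", addr)
        print(build_report(ip, addr).as_string())
```

Drop `socket.gethostbyaddr` and `whois_query` in as the lookups when you run it for real, and rate-limit the mail: one worm host will hit your 404 many times an hour, and the whole point is lost if the ISP's abuse desk files you as the spammer.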
