Damn windows machines hitting me with Code Red

Place to discuss anything, almost. No politics, religion, Microsoft, or anything else that I (the nazi censor) deem inappropriate.
Void Main
Site Admin
Posts: 5716
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA

Post by Void Main »

I hate stupid Microsoft garbage. I'm tired of seeing people hitting my machine looking to infect me with Code Red (like that could ever happen). I have created a little page to answer their requests (along with any other IIS hackers out there looking for a back door):

http://voidmain.kicks-ass.net/c/winnt/system32/cmd.exe
http://voidmain.kicks-ass.net/d/winnt/system32/cmd.exe
http://voidmain.kicks-ass.net/MSADC/root.exe
http://voidmain.kicks-ass.net/scripts/root.exe

Those machines that have hit me just in the last couple of days and appear to be infected Winblows machines:

http://voidmain.kicks-ass.net/codered/

They are obviously wide open. If someone knows of a way to contact these people to clean their crap up feel free.
Last edited by Void Main on Sat Jan 25, 2003 6:26 am, edited 1 time in total.

choasforages
n00b
Posts: 3
Joined: Fri Jan 24, 2003 11:44 am
Location: eldersburg, maryland

Post by choasforages »

the phriendly helping box at icculus.org might have a less than legal solution to your problem.

http://www.icculus.org/~chunky/iis/

this may or may not help, but at least it sounds cool

Void Main
Site Admin
Posts: 5716
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA

Post by Void Main »

Yeah, I thought about sending some code back at them to format their drive and install Red Hat for them but then I thought that might be going a little overboard. So I just stuck with logging them and sending them a directory listing from a windows box. I suppose I could have just had it automatically send a popup message to them indicating they have been rooted previously by someone else and their machine is trying to root mine.

In fact having it automatically kick off a Red Hat ISO download to their machine might not be a bad idea.
Last edited by Void Main on Sat Jan 25, 2003 11:11 am, edited 1 time in total.

choasforages
n00b
Posts: 3
Joined: Fri Jan 24, 2003 11:44 am
Location: eldersburg, maryland

Post by choasforages »

i would go for totally killing it off. people that run iis should learn to keep their WTD's /*web transmitted diseases*/ to themselves. and i think they would fix the problem real quick if they keep installing IIS and getting code red'd and then killed by a machine retaliating, and if they don't get the point, it must suck to be them

Calum
guru
Posts: 1349
Joined: Fri Jan 10, 2003 11:32 am
Location: Bonny Scotland

Post by Calum »

Void Main wrote:Yeah, I thought about sending some code back at them to format their drive and install Red Hat for them but then I thought that might be going a little overboard. So I just stuck with logging them sending them a directory listing. I suppose I could have just had it automatically send a popup message to them indicating they have been rooted previously by someone else and their machine is trying to root mine.

In fact having it automatically kick off a Red Hat ISO download to their machine might not be a bad idea.
i don't see anything wrong with this. i think you should go for it.

Void Main
Site Admin
Posts: 5716
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA

Post by Void Main »

Or I could have it install porn-get and have it change their wallpaper daily. :)

X11
guru
Posts: 676
Joined: Sun Jan 19, 2003 11:09 pm
Location: Australia

Post by X11 »

and now my ip is on there :-)

Void Main
Site Admin
Posts: 5716
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA

Post by Void Main »

X11 wrote:and now my ip is on there :-)
Not any more. I was in the process of writing the code when you looked at it. I didn't have it written to filter just the actual infected machines. Now it is...

X11
guru
Posts: 676
Joined: Sun Jan 19, 2003 11:09 pm
Location: Australia

Post by X11 »

cool, where do i get source for this?

Void Main
Site Admin
Posts: 5716
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA

Post by Void Main »

http://voidmain.kicks-ass.net/files/codered.tar.gz

I use URL rewriting in the virtual host section of my httpd.conf file for my voidmain site to make cmd.exe and associated directories point to the codered.php file:

Code:

    <IfModule mod_userdir.c>
       RewriteEngine on
       # Code Red Windows Garbage
       # Public list of the hosts that have been logged
       RewriteRule ^/codered$ /s/codered.php
       RewriteRule ^/codered/$ /s/codered.php
       # Paths the probes ask for, all answered by cmd.cgi
       # (dots escaped so they match a literal "." only)
       RewriteRule ^/scripts/root\.exe$ /z/cmd.cgi
       RewriteRule ^/MSADC/root\.exe$ /z/cmd.cgi
       RewriteRule ^/msadc/root\.exe$ /z/cmd.cgi
       RewriteRule ^/c/winnt/system32/cmd\.exe$ /z/cmd.cgi
       RewriteRule ^/d/winnt/system32/cmd\.exe$ /z/cmd.cgi
    </IfModule>

There are no comments in the code but there isn't much code there. In fact there might be more lines in my rewrite rules quoted above than in the two programs associated with this. :)
Last edited by Void Main on Sat Jan 25, 2003 11:09 am, edited 1 time in total.
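
An added example, not part of the original post or of the codered.tar.gz source: one way to build the list of infected hosts from an Apache access log, using the probe paths from the rewrite rules above. The sample log lines, the addresses, and the rule that a probe carries a `/c+` query string with no Referer are assumptions made for illustration.

```python
import re
from collections import Counter

# Paths from the rewrite rules in the post; case-insensitive because the
# rules list both /MSADC/ and /msadc/.
PROBE_PATHS = re.compile(
    r"^/(?:scripts|msadc)/root\.exe$|^/[cd]/winnt/system32/cmd\.exe$", re.I)

# Apache "combined" log format.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+)[^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$')

# Constructed sample lines (documentation address ranges, invented times).
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Jan/2003:05:01:12 -0600] '
    '"GET /scripts/root.exe?/c+dir HTTP/1.0" 200 512 "-" "-"',
    '192.0.2.10 - - [25/Jan/2003:05:01:13 -0600] '
    '"GET /MSADC/root.exe?/c+dir HTTP/1.0" 200 512 "-" "-"',
    '198.51.100.7 - - [25/Jan/2003:05:40:02 -0600] '
    '"GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 512 "-" "-"',
    '203.0.113.5 - - [25/Jan/2003:06:02:44 -0600] "GET /c/winnt/system32/cmd.exe '
    'HTTP/1.1" 200 512 "http://forum.example/viewtopic.php" "Mozilla/5.0"',
    '203.0.113.5 - - [25/Jan/2003:06:03:00 -0600] '
    '"GET /codered/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

def classify(line):
    """Return (ip, kind); kind is 'probe', 'visitor' or None."""
    m = LOG_LINE.match(line)
    if not m:
        return None, None
    path, _, query = m.group("target").partition("?")
    if not PROBE_PATHS.match(path):
        return m.group("ip"), None
    # Assumption: an automated probe passes a command in the query string
    # and sends no Referer; a person following a link to the page does not.
    automated = query.lower().startswith("/c+") and m.group("referer") in ("", "-")
    return m.group("ip"), ("probe" if automated else "visitor")

def infected_hosts(lines):
    """Count probe requests per source address, ignoring human visitors."""
    hits = Counter()
    for line in lines:
        ip, kind = classify(line)
        if kind == "probe":
            hits[ip] += 1
    return hits
```
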

X11
guru
Posts: 676
Joined: Sun Jan 19, 2003 11:09 pm
Location: Australia

Post by X11 »

Cool stuff.

Linux Frank
administrator
Posts: 239
Joined: Fri Jan 10, 2003 2:06 pm

Post by Linux Frank »

I heard briefly on the radio that there was a world wide increase of virus transmissions last night that slowed the net down considerably, whilst I doubt most news cast statements about technology and the internet, maybe this was related.

Did anyone else hear this?

Nobber
user
Posts: 32
Joined: Thu Jan 23, 2003 8:36 am
Location: Slackville

Post by Nobber »

Linux Frank wrote:Did anyone else hear this?
I didn't hear it, but I did feel it. Wondered what it was.

Void Main
Site Admin
Posts: 5716
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA

Post by Void Main »

I actually saw a blirp on TV this morning about it being a Code Red or Code Red-like virus. None of them appeared to hit me. I didn't get any more hits from idiots than I normally get on a daily basis (maybe it just hasn't got here yet). When are people gonna wake up and realize Microsoft is going to have a virus problem from here until the day they go out of business (hopefully soon).
