Damn windows machines hitting me with Code Red

Posted:
Fri Jan 24, 2003 7:07 pm
by Void Main
I hate stupid Microsoft garbage. I'm tired of seeing people hitting my machine looking to infect me with Code Red (like that could ever happen). I have created a little page to answer their requests (along with any other IIS hackers out there looking for a back door):
http://voidmain.kicks-ass.net/c/winnt/system32/cmd.exe
http://voidmain.kicks-ass.net/d/winnt/system32/cmd.exe
http://voidmain.kicks-ass.net/MSADC/root.exe
http://voidmain.kicks-ass.net/scripts/root.exe
Those machines that have hit me just in the last couple of days and appear to be infected Winblows machines:
http://voidmain.kicks-ass.net/codered/
They are obviously wide open. If someone knows of a way to contact these people to clean their crap up feel free.

Posted:
Fri Jan 24, 2003 10:29 pm
by choasforages
the phriendly helping box at icculus.org might have a less than legal solution to your problem.
http://www.icculus.org/~chunky/iis/
this may or may not help, but at least it sounds cool

Posted:
Fri Jan 24, 2003 10:57 pm
by Void Main
Yeah, I thought about sending some code back at them to format their drive and install Red Hat for them but then I thought that might be going a little overboard. So I just stuck with logging them and sending them a directory listing from a windows box. I suppose I could have just had it automatically send a popup message to them indicating they have been rooted previously by someone else and their machine is trying to root mine.
In fact having it automatically kick off a Red Hat ISO download to their machine might not be a bad idea.

Posted:
Fri Jan 24, 2003 11:17 pm
by choasforages
i would go for totally killing it off. people that run iis should learn to keep their WTD's /*web transmitted diseases*/ to themselves. and i think they would fix the problem real quick if they keep installing IIS and getting code red'd and then killed by a machine retaliating, and if they don't get the point, it must suck to be them

Posted:
Sat Jan 25, 2003 5:34 am
by Calum
Void Main wrote:Yeah, I thought about sending some code back at them to format their drive and install Red Hat for them but then I thought that might be going a little overboard. So I just stuck with logging them sending them a directory listing. I suppose I could have just had it automatically send a popup message to them indicating they have been rooted previously by someone else and their machine is trying to root mine.
In fact having it automatically kick off a Red Hat ISO download to their machine might not be a bad idea.
i don't see anything wrong with this. i think you should go for it.

Posted:
Sat Jan 25, 2003 5:39 am
by Void Main
Or I could have it install porn-get and have it change their wallpaper daily. :)

Posted:
Sat Jan 25, 2003 6:27 am
by X11
send an email to abuse@leeth4x0rs-isps-domain.l33t-h4x0rs-isps-tld

Posted:
Sat Jan 25, 2003 6:31 am
by X11
and now my ip is on there


Posted:
Sat Jan 25, 2003 6:48 am
by Void Main
X11 wrote:and now my ip is on there :-)
Not any more. I was in the process of writing the code when you looked at it. I didn't have it written to filter just the actual infected machines. Now it is...

Posted:
Sat Jan 25, 2003 7:26 am
by X11
cool, where do i get source for this?

Posted:
Sat Jan 25, 2003 7:51 am
by Void Main
http://voidmain.kicks-ass.net/files/codered.tar.gz
I use URL rewriting in the virtual host section of my httpd.conf file for my voidmain site to make cmd.exe and associated directories point to the codered.php file:
<IfModule mod_userdir.c>
    RewriteEngine on
    # Code Red Windows Garbage
    # /codered is the page listing the hosts that have hit this server
    RewriteRule ^/codered$ /s/codered.php
    RewriteRule ^/codered/$ /s/codered.php
    # Requests for the IIS backdoor paths are answered by cmd.cgi
    # (dots escaped so they match a literal "." only)
    RewriteRule ^/scripts/root\.exe$ /z/cmd.cgi
    RewriteRule ^/MSADC/root\.exe$ /z/cmd.cgi
    RewriteRule ^/msadc/root\.exe$ /z/cmd.cgi
    RewriteRule ^/c/winnt/system32/cmd\.exe$ /z/cmd.cgi
    RewriteRule ^/d/winnt/system32/cmd\.exe$ /z/cmd.cgi
</IfModule>
There are no comments in the code but there isn't much code there. In fact there might be more lines in my rewrite rules quoted above than in the two programs associated with this. :)
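A log-side version of the filtering described in this thread, as an added example that is not part of the original posts or of codered.tar.gz: it lists only the clients that requested one of the backdoor paths named in the rewrite rules, so a visitor who merely views /codered/ is not counted. The Apache common/combined log format and the sample lines are assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Probe paths from the RewriteRule patterns in the post (compared lower-cased).
PROBE_PATHS = {
    "/scripts/root.exe",
    "/msadc/root.exe",
    "/c/winnt/system32/cmd.exe",
    "/d/winnt/system32/cmd.exe",
}

# Apache common/combined log format: host ident user [time] "request" status size
LOG_LINE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" \d{3} \S+')

def probe_path(request):
    """Return the normalised probe path for a request line, or None."""
    parts = request.split()
    if len(parts) < 2:
        return None  # empty or malformed request line
    path = urlsplit(parts[1]).path.lower()  # drop ?query, fold MSADC/msadc
    return path if path in PROBE_PATHS else None

def probing_hosts(lines):
    """Count probe requests per client address; ordinary visitors are ignored."""
    hits = Counter()
    for line in lines:
        m = LOG_LINE.match(line)
        if m and probe_path(m.group("request")):
            hits[m.group("host")] += 1
    return hits

# Constructed sample log lines (documentation address ranges, not real hosts).
SAMPLE_LOG = [
    '192.0.2.10 - - [24/Jan/2003:18:01:12 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 200 512',
    '192.0.2.10 - - [24/Jan/2003:18:01:13 -0600] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 200 512',
    '198.51.100.7 - - [24/Jan/2003:19:44:02 -0600] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 512',
    '203.0.113.5 - - [25/Jan/2003:06:30:55 -0600] "GET /codered/ HTTP/1.1" 200 2048',
    '203.0.113.5 - - [25/Jan/2003:06:31:20 -0600] "GET /index.html HTTP/1.1" 200 4096',
    '198.51.100.99 - - [25/Jan/2003:07:00:00 -0600] "-" 408 -',
]

if __name__ == "__main__":
    for host, count in probing_hosts(SAMPLE_LOG).most_common():
        print(f"{host}\t{count}")
```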

Posted:
Sat Jan 25, 2003 11:02 am
by X11
Cool stuff.

Posted:
Sat Jan 25, 2003 2:27 pm
by Linux Frank
I heard briefly on the radio that there was a world wide increase of virus transmissions last night that slowed the net down considerably, whilst I doubt most news cast statements about technology and the internet, maybe this was related.
Did anyone else hear this?

Posted:
Sat Jan 25, 2003 3:19 pm
by Nobber
Linux Frank wrote:Did anyone else hear this?
I didn't hear it, but I did feel it. Wondered what it was.

Posted:
Sat Jan 25, 2003 4:34 pm
by Void Main
I actually saw a blirp on TV this morning about it being a Code Red or Code Red like virus. None of them appeared to hit me. I didn't get any more hits from idiots than I normally get on a daily basis (maybe it just hasn't got here yet). When are people gonna wake up and realize Microsoft is going to have a virus problem from here until the day they go out of business (hopefully soon).