Damn windows machines hitting me with Code Red

Place to discuss anything, almost. No politics, religion, Microsoft, or anything else that I (the nazi censor) deem inappropriate.
X11
guru
Posts: 676
Joined: Sun Jan 19, 2003 11:09 pm
Location: Australia

Post by X11 »

It's in the newspaper that a Code Red-like worm went around the internet last night, based on an MS SQL bug.

What makes me laugh is that Microsoft will be using MS SQL for the filesystem in Longhorn (they named it after me).

There is a packet loss graph here...
http://average.matrix.net/

Void Main
Site Admin
Posts: 5716
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA

Post by Void Main »

Ha! I just wrote a couple of firewall scripts and added a little more capability to my Code Red CGI script. Now if I am hit by an infected machine a firewall rule (iptables) is automatically added to block the damn Windows garbage. As you can see from the Code Red page, starting today (2003/01/31) only one hit per machine shows up. That's because they get blocked on the first hit:

http://voidmain.is-a-geek.net/codered/

I decided to be nice and just block them rather than automatically reformatting their hard drives and installing Red Hat for them. :) It should also cause the connection to hang for a period of time so they don't use up so much precious internet bandwidth.

The codered archive I have in the files section is out of date and does not include this blocking capability. If anyone wants it let me know and I'll update the package in the files section with the latest copy including the firewall block scripts and the sudo configuration. I'll also clean up and comment the code with instructions...

Maniaman
scripter
Posts: 94
Joined: Tue Mar 11, 2003 5:10 pm

Post by Maniaman »

Reviving a long-dead thread... oh well :p

I'd like to get the updated version of the codered script with the comments. (linux n00b here ;))

Void Main
Site Admin
Posts: 5716
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA

Post by Void Main »

I just updated the codered.tar.gz with the latest files plus a few others that weren't included in the original. I added the "block" and "unblock" scripts and the /etc/sudoers file. Still not a single comment, as I wasn't that ambitious. We can discuss the how/what/where here until I can get some comments in (again, if I get ambitious). A starter would be to let you know that the files are packed up in the codered.tar.gz file relative to my root (/) directory. My voidmain server DocumentRoot is "/var/www/voidmain", so any files under there you'll want to move to wherever your document root is. Also modify the files and replace my hostnames/IP address with yours.

It would certainly help if you know a little Perl, PHP, general scripting, iptables, etc. The scripts are very small and simple (hence the lack of documentation). This really is something I just hacked together and probably only have about an hour in it, so if you want to use it, do so as a learning experience. Maybe it will spark some better ideas, and if anyone wants to expand on it, package it up, clean it up, make it generic, etc., by all means feel free to do so.

http://voidmain.is-a-geek.net/files/codered.tar.gz

Maniaman
scripter
Posts: 94
Joined: Tue Mar 11, 2003 5:10 pm

Post by Maniaman »

I got it all setup. I'm hoping it all works too. I guess I'll have to wait and see :)

Calum
guru
Posts: 1349
Joined: Fri Jan 10, 2003 11:32 am
Location: Bonny Scotland

Post by Calum »

I actually saw a blurb on TV this morning about it being a Code Red or Code Red-like virus. None of them appeared to hit me. I didn't get any more hits from idiots than I normally get on a daily basis (maybe it just hasn't got here yet). When are people gonna wake up and realize Micro$oft is going to have a virus problem from here until the day they go out of business (hopefully soon).

The sheeple will only realise this when sensible people instigate a long-running campaign of informative, truthful education. It's no good those who know telling each other about it. Until the sponsored FUD gets dispelled with some serious facts, the majority of people will believe the FUD generators in the absence of anything else.

Maniaman
scripter
Posts: 94
Joined: Tue Mar 11, 2003 5:10 pm

Post by Maniaman »

I'm guessing I set something up wrong...
I finally got cmd.cgi able to be read/executed after moving it to /var/www/perl, but each time somebody goes to a link that redirects to it, it displays
Your Address: (my ip)
Your Hostname: (my hostname)
Requested URL: http://maniaman.is-a-geek.net/perl/cmd.cgi

I've had a friend try it and that's what came up for him too. It also doesn't block anybody that goes to it. So I'm guessing I screwed something up when I set it up.

Void Main
Site Admin
Posts: 5716
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA

Post by Void Main »

I'm sorry, I forgot to tell you about the Apache rewrite rules. The code red machines will actually be looking for "cmd.exe" so you have to put rewrite rules in that alias those URLs to your cmd.cgi. Here's mine:

Code:

    <IfModule mod_rewrite.c>
       RewriteEngine on
       # Code Red / Nimda Windows garbage: alias the paths the worm asks for
       # to the honeypot CGI instead of returning 404.  RewriteRule matches
       # the path only, so the worm's query string (e.g. "?/c+dir") is passed
       # through to cmd.cgi untouched.
       RewriteRule ^/codered$ /s/codered.php
       RewriteRule ^/codered/$ /s/codered.php
       RewriteRule ^/scripts/root.exe$ /z/cmd.cgi
       RewriteRule ^/MSADC/root.exe$ /z/cmd.cgi
       RewriteRule ^/msadc/root.exe$ /z/cmd.cgi
       RewriteRule ^/c/winnt/system32/cmd.exe$ /z/cmd.cgi
       RewriteRule ^/d/winnt/system32/cmd.exe$ /z/cmd.cgi
    </IfModule>
The above rewrite rules will execute my cmd.cgi script if someone goes to one of these URLs:

http://voidmain.is-a-geek.net/scripts/root.exe
http://voidmain.is-a-geek.net/MSADC/root.exe
http://voidmain.is-a-geek.net/msadc/root.exe
http://voidmain.is-a-geek.net/c/winnt/system32/cmd.exe
http://voidmain.is-a-geek.net/d/winnt/system32/cmd.exe

Go ahead and click any of the above links and you should get the same thing as if you called the cmd.cgi directly:

http://voidmain.is-a-geek.net/z/cmd.cgi

If you unpacked the files in the codered.tar.gz you should have a file called "/public/dir.txt" which is nothing more than a C:\WINNT\SYSTEM32 directory listing of a Win2k Advanced Server, just for effect.

Also note that if you click the above links in your browser you will not actually get blocked because in the script I can tell if it is actually a codered hit or just a browser click. I only block the actual codered hits.

Also, the "cmd.cgi" program, as written, logs to a couple of files: one is "/public/codered.log" and the other is "/public/blocked.log". These files need to be writable by the Apache user. After running the script for a couple of days look at those logs and you'll probably have a couple of entries in them. Also, if you do get some codered hits then your apache user must have the authority to run the "/usr/bin/sudo /sbin/block ipaddress" command. Replace "voidmain" in your /etc/sudoers with your own username and then under your user type:

$ /usr/bin/sudo /sbin/block 192.168.100.100

You should get no errors. You can check if it is blocked by:

# /sbin/iptables -L -n | grep 192.168.100.100

You can unblock the above address by:

$ /usr/bin/sudo /sbin/unblock 192.168.100.100
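
The hit-handling logic that post describes (and that the 2003/01/31 post above introduced: spot a worm hit, log it, block the source once), as an added example rather than the Perl cmd.cgi shipped in codered.tar.gz. It assumes, which the thread does not spell out, that a worm probe can be told from a browser click by its query string: Code Red II and Nimda probes look like /scripts/root.exe?/c+dir, whereas a clicked honeypot link has no query string. The sudo command and the two log paths are the ones named in the thread; the injectable `run` callable is only there so the logic can be exercised without Apache, sudo or iptables:

```python
"""Unprivileged side of the honeypot: what cmd.cgi decides before it calls
"sudo /sbin/block".  Added example in Python; the thread's cmd.cgi is Perl
and is not reproduced here.  Assumption (not stated in the thread): a worm
probe carries a "/c+..." command in its query string, a browser click does
not."""
import datetime
import ipaddress
import os
import subprocess
import sys
from urllib.parse import urlsplit

# The paths the thread's RewriteRules alias to cmd.cgi.
WORM_PATHS = {
    "/scripts/root.exe", "/MSADC/root.exe", "/msadc/root.exe",
    "/c/winnt/system32/cmd.exe", "/d/winnt/system32/cmd.exe",
}
# Exactly the command the sudoers entry permits; the IP is appended as one argv element.
BLOCK_CMD = ["/usr/bin/sudo", "/sbin/block"]
HIT_LOG, BLOCK_LOG = "/public/codered.log", "/public/blocked.log"


def is_worm_hit(path, query):
    """True for an automated probe, False for a person clicking the links."""
    return path in WORM_PATHS and query.startswith("/c+")


def safe_ipv4(addr):
    """Canonical dotted quad or None.  REMOTE_ADDR comes from Apache, but it
    still ends up as an argument to a root-privileged script, so anything
    that is not a plain IPv4 address (e.g. "-D INPUT") is refused."""
    try:
        return str(ipaddress.IPv4Address(addr))
    except ValueError:
        return None


def handle_request(env, already_blocked, run=subprocess.run, now=None):
    """Decide what to do with one request.

    env              CGI environment (REMOTE_ADDR, REQUEST_URI)
    already_blocked  set of addresses read from blocked.log; updated in place
    run              callable that executes BLOCK_CMD (subprocess.run-like)
    Returns (log_line, blocked_now)."""
    stamp = (now or datetime.datetime.now()).strftime("%Y/%m/%d %H:%M:%S")
    url = urlsplit(env.get("REQUEST_URI", "/"))
    addr = safe_ipv4(env.get("REMOTE_ADDR", ""))
    if addr is None:
        return f"{stamp} - {env.get('REMOTE_ADDR', '')!r} - bad address, ignored", False
    if not is_worm_hit(url.path, url.query):
        return f"{stamp} - {addr} - browser hit, not blocked", False
    if addr in already_blocked:
        return f"{stamp} - {addr} - already blocked", False
    # argv list, never a shell string: the address stays a single argument.
    run(BLOCK_CMD + [addr], check=True)
    already_blocked.add(addr)
    return f"{stamp} - {addr} - blocked", True


def load_blocked(path):
    """Addresses previously written to blocked.log (second " - " field)."""
    try:
        with open(path) as f:
            return {line.split(" - ")[1] for line in f if " - " in line}
    except FileNotFoundError:
        return set()


if __name__ == "__main__":
    # Minimal CGI driver: append to the logs, then emit the page.
    blocked = load_blocked(BLOCK_LOG)
    line, did_block = handle_request(os.environ, blocked)
    with open(HIT_LOG, "a") as f:
        f.write(line + "\n")
    if did_block:
        with open(BLOCK_LOG, "a") as f:
            f.write(line + "\n")
    sys.stdout.write("Content-Type: text/plain\r\n\r\n")
    sys.stdout.write(f"Your Address: {os.environ.get('REMOTE_ADDR', '')}\n")
    sys.stdout.write(f"Requested URL: {os.environ.get('REQUEST_URI', '')}\n")
```

Because RewriteRule leaves REQUEST_URI as the path the worm asked for, the same script answers both a rewritten /scripts/root.exe hit and a direct call to /z/cmd.cgi; only the former, with its "/c+" query, triggers the block, which is the browser-versus-worm distinction the post describes.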

Maniaman
scripter
Posts: 94
Joined: Tue Mar 11, 2003 5:10 pm

Post by Maniaman »

I think my sudo file is messed up... the squid script also doesn't reload squid when I update the banned.sites list anymore either. I already had the redirect things in the httpd conf.

Void Main
Site Admin
Posts: 5716
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA

Post by Void Main »

What's your sudoers file look like? Stick it up on your site and I'll look it over.

Maniaman
scripter
Posts: 94
Joined: Tue Mar 11, 2003 5:10 pm

Post by Maniaman »

Code:

# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
#

# Host alias specification
Host_Alias      SQUIDSERVER = localhost
Host_Alias      WEBSERVER   = localhost

# User alias specification
User_Alias      SQUIDAUTHUSER = apache
User_Alias      WEBBLOCKERS   = apache

# Cmnd alias specification
Cmnd_Alias      SQUIDCOMMAND = /sbin/service squid reload
Cmnd_Alias      WEBBLOCKCMDS = /sbin/block,/sbin/unblock

# Defaults specification

# User privilege specification
root    ALL=(ALL) ALL

# Uncomment to allow people in group wheel to run all commands
# %wheel        ALL=(ALL)       ALL

# Same thing without a password
# %wheel        ALL=(ALL)       NOPASSWD: ALL

# Samples
# %users  ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
# %users  localhost=/sbin/shutdown -h now
SQUIDAUTHUSER   SQUIDSERVER = NOPASSWD: SQUIDCOMMAND
WEBBLOCKERS     WEBSERVER = NOPASSWD: WEBBLOCKCMDS

Void Main
Site Admin
Posts: 5716
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA

Post by Void Main »

What makes you think there is a problem with this file? You can debug it by adding your own ID to the "WEBBLOCKERS" list of users:

Code:

User_Alias   WEBBLOCKERS = apache, maniaman

Of course change "maniaman" to whatever your real logon ID is. Then try to run the block command via "sudo" and make sure it blocks:

Code:

$ sudo /sbin/block 192.168.100.100

which should return something like:

2003/08/03 10:16:31 - 192.168.100.100 - blocked
Check it by:

Code:

su
# /sbin/iptables -L -n | grep 192.168.100.100

which should return something like:

DROP all -- 192.168.100.100 0.0.0.0/0
DROP all -- 0.0.0.0/0 192.168.100.100
If it does the command works as it should. You can now unblock the above by:

Code:

$ sudo /sbin/unblock 192.168.100.100
If something goes wrong with the above and it appears to be related to a misconfigured sudoers file then make sure the permissions are right:

Code:

# ls -l /etc/sudoers
-r--r-----    1 root     root          749 Aug  3 10:20 /etc/sudoers
Actually if you edit the file using the "visudo" command it should make sure the permissions are correct and it should also make sure your syntax is correct. In fact you can use it just to check the syntax of your sudoers file by doing this:

Code:

# visudo -c
You can also look at the end of your /var/log/secure and /var/log/messages files for any sudo related messages after a failed execution.

If it will run under your ID with no problems it should also run under the apache ID with no problems; at least it does, and always has, for me.
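
What the privileged side, /sbin/block and /sbin/unblock, has to get right once sudo hands it an address, as an added example in Python (the thread's own scripts live in codered.tar.gz and are not reproduced here). Two points a reviewer of the sudoers file above would raise: the NOPASSWD rule lets the apache user run those commands with any argument, so the script itself must refuse anything that is not an IPv4 address (an unquoted $1 in a shell version would let "1.2.3.4 -j ACCEPT" reach iptables as root); and grepping `iptables -L -n` for an address also matches longer addresses that start with it (192.168.100.10 matches 192.168.100.100), so the listing is parsed field by field instead. The rule layout, one DROP on INPUT by source and one DROP on OUTPUT by destination, is inferred from the iptables output shown in that post, and SAMPLE_LISTING is constructed for the example:

```python
"""Privileged side of the thread's scheme: what /sbin/block and /sbin/unblock
must do once sudo hands them an address.  Added example (Python), not the
thread's own shell scripts.  Rule layout inferred from the iptables -L -n
output in the thread: one DROP on INPUT by source, one DROP on OUTPUT by
destination.  Nothing reaches iptables unvalidated."""
import ipaddress
import subprocess
import sys

IPTABLES = "/sbin/iptables"

# Constructed sample of `iptables -L -n` output in the layout the thread shows.
SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  192.168.100.100      0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            192.168.100.100
"""


def validate_ip(arg):
    """The NOPASSWD sudoers rule lets the apache user pass ANY argument, so
    the script must refuse everything but a plain IPv4 address.  An unquoted
    "$1" in a shell version would let "1.2.3.4 -j ACCEPT" reach iptables."""
    try:
        return str(ipaddress.IPv4Address(arg))
    except ValueError:
        raise ValueError(f"refusing non-IPv4 argument {arg!r}") from None


def parse_listing(listing):
    """[(chain, target, prot, source, destination), ...] from `iptables -L -n`
    text; tolerates --line-numbers and trailing match columns."""
    rules, chain = [], None
    for line in listing.splitlines():
        fields = line.split()
        if not fields or fields[0] in ("target", "num"):
            continue                      # blank line or column header
        if fields[0] == "Chain":
            chain = fields[1]
            continue
        if fields[0].isdigit():           # --line-numbers prepends a column
            fields = fields[1:]
        if len(fields) >= 5:
            rules.append((chain, fields[0], fields[1], fields[3], fields[4]))
    return rules


def drop_rules_for(ip, listing):
    """(inbound_dropped, outbound_dropped) for ip.  Whole-field comparison,
    so 192.168.100.10 is not mistaken for 192.168.100.100 as grep would."""
    inbound = outbound = False
    for chain, target, prot, src, dst in parse_listing(listing):
        if target != "DROP" or prot != "all":
            continue
        if chain == "INPUT" and src == ip and dst == "0.0.0.0/0":
            inbound = True
        if chain == "OUTPUT" and src == "0.0.0.0/0" and dst == ip:
            outbound = True
    return inbound, outbound


def plan(action, ip, listing):
    """iptables argv lists needed to reach the desired state.  Idempotent:
    re-blocking a blocked host or unblocking an unblocked one yields []."""
    ip = validate_ip(ip)
    inbound, outbound = drop_rules_for(ip, listing)
    flag = {"block": "-I", "unblock": "-D"}.get(action)
    if flag is None:
        raise ValueError(f"unknown action {action!r}")
    want_rule = action == "block"
    cmds = []
    if inbound != want_rule:
        cmds.append([IPTABLES, flag, "INPUT", "-s", ip, "-j", "DROP"])
    if outbound != want_rule:
        cmds.append([IPTABLES, flag, "OUTPUT", "-d", ip, "-j", "DROP"])
    return cmds


def main(argv):
    """Usage: block_tool.py block|unblock IPADDR   (run as root via sudo)."""
    if len(argv) != 3:
        sys.exit("usage: block_tool.py block|unblock IPADDR")
    action, ip = argv[1], argv[2]
    listing = subprocess.run([IPTABLES, "-L", "-n"], check=True,
                             capture_output=True, text=True).stdout
    try:
        cmds = plan(action, ip, listing)
    except ValueError as err:
        sys.exit(str(err))
    for cmd in cmds:
        subprocess.run(cmd, check=True)
    print(f"{ip} - {action}ed" if cmds else f"{ip} - already {action}ed")


if __name__ == "__main__":
    main(sys.argv)
```

Installed as one script that takes the action as its first argument, it would replace /sbin/block and /sbin/unblock in the Cmnd_Alias above. sudoers can also pin the permitted argument list, but the validation inside the script is what actually stops a bad argument, and the idempotent plan is what keeps repeated hits from the same host from stacking duplicate rules.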
