codeRedKiller
codeRedKiller is a simple PHP script and bash script that are combined to catch and drop all requests from CodeRed offending servers.
codeRedKiller is documented in the source code, displayed below, and the concept is outlined in a screaming-penguin article.
The entire setup (php, bash) is available as a tar file: codeRedKiller.tar.
Source Code (also available as tar download via link)
PHP script (default.ida)
<?php
# copyLeft totsp.com
# charlie collins
# temple of the screaming penguin
# http://screaming-penguin.com
# 08.15.2001
# this is a script to record the ip addresses of CodeRed offenders to a file
# (actually this script gets all requests for 'default.ida', legitimate or not)
# this PHP file is intended to be used in CONJUNCTION with a shell script and cron job
#
# the shell script then reads the ip addresses from the file and drops them via ipchains (and deletes and recreates the file)
# the idea here is that php listens in the default.ida file and records the ip address of hosts that request it to a file
# then a shell script reads the recorded ip addresses from said file and drops any future requests using ipchains
# a cron job is used to call the shell script periodically
#
# REQUIRED COMPONENTS
# default.ida, PHP script to record ip addresses of those requesting it (THIS FILE)
# coderedhosts.txt, file used by this script to store ip addresses
# killCodeRed.sh, bash script to process the file with ip addresses, drop using ipchains and delete + recreate file
#
# SETUP INSTRUCTIONS ***
# the entire process requires 6 parts to setup (and uses php, bash, ipchains and cron, could easily be adapted to other stuff, ie netfilter)
# 1 - modify httpd.conf so that .ida files are processed by PHP (AddType application/x-httpd-php .ida) AND restart apache
# 2 - install this file in the apache docroot, make sure it is named 'default.ida'
# 3 - install accompanying bash shell script 'killCodeRed.sh' (preferably NOT in the docroot, wherever you want) and ensure root user has x perms
# 4 - set variables in 'killCodeRed.sh' to match machine stuff (EXTERNAL_INTERFACE, IPCHAINS, etc)
# 5 - as root RUN the ./killCodeRed.sh script once BEFORE proceeding (it deletes the coderedhosts.txt file if present and recreates it)
# 6 - add cron job to run killCodeRed.sh at desired interval (hourly, etc) (see the cron man pages for cron help)
#
# SECURITY NOTES
# run the webserver as a non privileged user (duh), ie nobody
# do NOT grant PHP permissions to CREATE files in the docroot (the killCodeRed.sh script will create the file, don't let PHP do it)
# make sure that the web server user can WRITE to the coderedhosts.txt file (that file only, and again, not the entire DIR)

# the client address as apache saw it on the socket (taken from $_SERVER so the script does not depend on register_globals)
$remoteAddr = $_SERVER['REMOTE_ADDR'];

# this is just present to test this file and make sure it flies and send something to response
echo "remote address = $remoteAddr";

# define the file
$codeRedHostsFile = "/usr/local/apache/htdocs/coderedhosts.txt"; # edit to match apache docroot

# read the file one line per element (permissions must obviously be correct)
# file() also copes with an empty file, where fread() with a filesize() of 0 fails
$recordedHosts = file($codeRedHostsFile, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
if ($recordedHosts === false) {
    $recordedHosts = array();
}

# then check the file to make sure this host is not already in it
# compare whole trimmed lines: the original ereg() match treated every '.' in the address as a wildcard
# and let 1.2.3.4 "match" an existing entry such as 11.2.3.45
if (!in_array($remoteAddr, array_map('trim', $recordedHosts), true)) {
    # if the host is not in it, open the file for append and write the address as its own line
    $fp = fopen($codeRedHostsFile, "a");
    if ($fp !== false) {
        fwrite($fp, "$remoteAddr\n");
        # close the file
        fclose($fp);
    }
}
?>
BASH script (killCodeRed.sh)
#!/bin/bash
# killCodeRed.sh
#
# copyleft totsp 2001
# charlie collins
# temple of the screaming penguin
# http://screaming-penguin.com
#
# this script is used in CONJUNCTION with a file of ip addresses
# the ip addresses represent hosts known to be infected with codeRed
# this script then drops connectivity to those hosts via ipchains
# (the file of ip addresses can be automatically generated, ie PHP, perl, etc)

# setup ultra simple vars (CUSTOMIZE HERE)
EXTERNAL_INTERFACE="ethX"  # you must edit this
CODEREDHOSTSFILE="/usr/local/apache/htdocs/coderedhosts.txt"  # edit this as required (if apache docroot is different)
IPCHAINS="/sbin/ipchains"
# only lines that are exactly four dotted groups of 1-3 digits are used, anything else in the file is ignored
# (the original pattern was unanchored and accepted empty groups, so a stray line could reach ipchains)
GREP_PARAM='^[[:digit:]]\{1,3\}\.[[:digit:]]\{1,3\}\.[[:digit:]]\{1,3\}\.[[:digit:]]\{1,3\}[[:space:]]*$'
FILEOWNER="nobody"  # edit this to match webserver user

# parse the file
# pattern and path are quoted so the shell does not try to glob-expand the brackets and stars
for i in $(grep "$GREP_PARAM" "$CODEREDHOSTSFILE")
do
    echo "Deny access to host: $i"
    "$IPCHAINS" -A input -i "$EXTERNAL_INTERFACE" -s "$i" -j DENY
done

# then remove, recreate and set perms on file
# this is to keep the file lean and still ensure that it DOES exist
rm -f "$CODEREDHOSTSFILE"
: > "$CODEREDHOSTSFILE"
chown "$FILEOWNER" "$CODEREDHOSTSFILE"
chmod u+w "$CODEREDHOSTSFILE"
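The bash script above trusts whatever lines grep lets through, and a digit-only pattern cannot tell 999.1.1.1 from a real address. The following is an added example, not part of codeRedKiller or the screaming-penguin site: it reads a recorded-hosts file of the same shape, keeps only well-formed IPv4 addresses (four octets, each 0-255), removes duplicates, and turns each one into a netfilter rule, which the original notes mention as the obvious adaptation. The sample file contents, the interface name eth0 and the use of iptables are assumptions for the example; rules are printed rather than applied unless DRY_RUN is set to 0.

```shell
#!/bin/sh
# Added example (not part of codeRedKiller): strict validation of the
# recorded-hosts file before any address reaches the firewall.

# Constructed sample of what coderedhosts.txt might contain, including
# junk lines that a digit-only grep pattern would accept.
SAMPLE_HOSTS='192.0.2.10
192.0.2.10
999.1.1.1
198.51.100.7
1.2.3
not an ip
203.0.113.250 '

# Read lines on stdin, print only well-formed IPv4 addresses (four dotted
# groups, each 1-3 digits and <= 255), trimmed, deduplicated, first-seen order.
valid_ips() {
    awk '
    /^[[:space:]]*[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+[[:space:]]*$/ {
        gsub(/[[:space:]]/, "")          # drop surrounding whitespace from $0
        split($0, o, ".")
        ok = 1
        for (i = 1; i <= 4; i++)
            if (o[i] + 0 > 255 || length(o[i]) > 3) ok = 0
        if (ok && !seen[$0]++) print      # print each address once
    }'
}

# Read one address per line on stdin and emit an iptables DROP rule for each
# on the given interface (assumed eth0 in the test). With DRY_RUN=1, the
# default, the command is printed instead of executed.
emit_rules() {
    iface="$1"
    while IFS= read -r ip; do
        cmd="iptables -A INPUT -i $iface -s $ip -j DROP"
        if [ "${DRY_RUN:-1}" = "1" ]; then
            printf '%s\n' "$cmd"
        else
            $cmd
        fi
    done
}

# Number of distinct valid addresses in the constructed sample.
count_valid() {
    printf '%s\n' "$SAMPLE_HOSTS" | valid_ips | wc -l | tr -d ' '
}

# Usage against a real file would be:
#   valid_ips < /usr/local/apache/htdocs/coderedhosts.txt | DRY_RUN=0 emit_rules eth0
```

Out of the seven sample lines only three survive: the duplicate, the out-of-range octet, the three-group line and the free text are all dropped before a rule is built, and the trailing space on the last entry is trimmed rather than passed to the firewall command.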