Code Red ][ Hackbacks
by Jason McIntosh
People on Slashdot are sharing vigilante scripts (in shell and various scripty languages) meant for triggering when the Code Red ][ worm knocks on one's webserver (not hard to detect, since it leaves a distinct signature in its request -- have you run `grep default.ida?XXXX` on your access logs lately?). When launched, the programs immediately leap down the throat of the machine from which the request came and attempt to exorcise the foul worm from it on the spot, or at least let the machine's administrator know that something's amiss. This surprising behavior becomes possible since the worm leaves its victims wide open to all sorts of intrusion, including those which might try to do the machine's owner (and the whole Internet) a favor, albeit to nobody's awareness. Wacky.
- One in PHP
- One in shell
- A shell script which mails the infected host's owner. (Of course, since the reigning hypothesis of this worm's prevalence states that most infected hosts belong to people who don't even realize they're running a webserver (consumer-level Windows 2000 users with cable modems and the like), one wonders how effective this is in many cases...)
- Tossing a dialogue box at the machine's owner
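The detection half of what those scripts do, the `grep` over the access log, is the part worth keeping regardless of what one thinks of the hacking-back half. The script below is an added example, not code from this post or from any of the scripts it links to: it parses Apache common-log-format lines, flags requests for `default.ida` padded with the long run of `X` (Code Red ][) or `N` (the original Code Red), and tallies them per source address so the operator can see who is probing. It only reports; it never contacts the source host. The log lines are constructed for the example, with the worm's actual payload omitted after the padding, and the 16-character run-length threshold is this example's own choice.

```python
"""Spot Code Red / Code Red II probes in a web server access log.

Added example: not code from the original post or from any of the
scripts it links to. It only reports; it does not contact the source host.
"""
import re
from collections import Counter

# Apache common log format. Field names are this example's own choice.
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Code Red II pads its request with a long run of 'X'; the original Code Red
# used 'N'. The run-length threshold (16) is an assumption chosen so that an
# ordinary request that merely mentions default.ida is not flagged.
SIGNATURE_RE = re.compile(r'^/default\.ida\?(X{16,}|N{16,})')


def classify(path):
    """Return the worm variant a request path looks like, or None."""
    m = SIGNATURE_RE.match(path)
    if not m:
        return None
    return "code-red-ii" if m.group(1).startswith("X") else "code-red"


def scan_access_log(text):
    """Parse CLF lines; return the matching hits and a per-source-IP count."""
    hits = []
    by_ip = Counter()
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the scan
        variant = classify(m.group("path"))
        if variant is None:
            continue
        hits.append((m.group("ip"), m.group("ts"), variant, int(m.group("status"))))
        by_ip[m.group("ip")] += 1
    return {"hits": hits, "by_ip": by_ip}


# Constructed sample lines (addresses from RFC 5737 documentation ranges). The
# payload that follows the padding is omitted, so these are not real worm requests.
SAMPLE_LOG = "\n".join([
    '203.0.113.5 - - [04/Aug/2001:09:15:02 -0700] "GET /index.html HTTP/1.0" 200 1043',
    '192.0.2.10 - - [04/Aug/2001:09:16:40 -0700] "GET /default.ida?' + "X" * 224 + ' HTTP/1.0" 404 283',
    '198.51.100.7 - - [04/Aug/2001:09:17:11 -0700] "GET /default.ida?' + "N" * 224 + ' HTTP/1.0" 404 283',
    'this line is garbage and should be skipped',
    '192.0.2.10 - - [04/Aug/2001:09:18:55 -0700] "GET /default.ida?' + "X" * 224 + ' HTTP/1.0" 404 283',
])

if __name__ == "__main__":
    result = scan_access_log(SAMPLE_LOG)
    for ip, ts, variant, status in result["hits"]:
        print(f"{ts}  {ip:<15} {variant:<12} status={status}")
    print("probes per source:", dict(result["by_ip"]))
```

On a server that is not IIS the probe is just a 404 in the log, which is exactly why so many people noticed it there; a count of repeated probes from one address is the thing to hand to that network's abuse contact, which is the "let the administrator know" branch of the scripts above without the intrusion.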
(I find myself typing '][' a la 'Apple ][' when writing 'Code Red ][' just because one of these back-hackers' hacks did the same, and it's a funsticky idea, I suppose. Did you know that Code Red was named such by its initial dissectors both because of its silly 'Hacked by Chinese!!!' website defacement message, and in honor of the Mountain Dew variant of the same name?)