suikacvs/webroot/default.ida.cgi

#!/usr/local/bin/perl

=head1 NAME

Suika Server /default.ida

=head1 DESCRIPTION

Responds to CodeRed worm attacks with e-mail warnings.
(Human) user can see worm access log (graph).

=head1 ENCODING

This module is written in EUC-JP.

=cut

use Suika::CGI;
use Data::Count;
$| = 1;
  my (undef,undef,$hour,$day,$month,$year) = gmtime(time);
  $month++;  $year += 1900;
  my $d = Data::Count->open('/home/wakaba/public_html/private/warm200107.count', $year.'-'.sprintf('%02D',$month).'-'.sprintf('%02D',$day).'-'.sprintf('%02D',$hour));
  
  if ($Suika::CGI::param{log}) {
    print STDOUT <<EOH;
Content-Type: text/html
Content-Language: en

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en">
<head>
<title>log of http://$main::ENV{SERVER_NAME}/default.ida</title>
</head>
<body>
<h1>log of http://$main::ENV{SERVER_NAME}/default.ida (Date = GMT)</h1>
<table>
<tbody>
EOH
    
    my (%logs,%logsc) = $d->list();
    for (sort keys %logs) {
      $logsc{$_} = '*' x $logs{$_};
      print <<EOH;
<tr>
<th nowrap>$_</th>
<td>($logs{$_})</td>
<td>$logsc{$_}</td>
</tr>
EOH
    }
    print <<EOH;
</tbody>
</table>

<h2>Note</h2>

<ul>
        <li><a href="/admin/web-2001-08-10">Announce of 2001-08-10</a></li>
        <li>All accesses from *.hinet.net (IP Address: 61.216.0.0 Network Mask: 255.248.0.0, IP Address: 61.224.0.0 Network Mask: 255.255.0.0; not only web) have been shut since 2001-08-10.</li>
        <li>2001-08-16-06 - 2001-08-17-02 is not counted.</li>
        <li>This does not count Code Red (I) worm since it causes 400 http error.</li>
        <li>2001-08-25 +0900: Web server had been stoped some minites to maintenance.  Atacks of those time are not logged.</li>

</ul>

<address>[<a href="/">/</a>]
[<a href="mailto:admin\@suika.fam.cx">Suika server administration group</a>,
 <a href="mailto:webmaster\@suika.fam.cx">Web server administrator</a>]</address>
</body></html>
EOH
    exit;
  }
  
  $d->up();

print STDOUT jcode::jis(<<EOH);
Content-Type: message/rfc822
Status: 403 I don't hope your attack.

From: webmaster\@suika.fam.cx
Message-id: <msg.20010807.default.ida\@suika.fam.cx>
Subject: 403 Forbidden
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="foobar"

--foobar
Content-Type: text/html
Content-Language: en

<!DOCTYPE html PUBLIC "-//SUIKA//DTD SUIKA HTML 1.00//EN">
<html lang="en">
<body>
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.</p>
<address><a href="http://suika.fam.cx/admin/">The Watermeron Project</a>.</address>
</body>
</html>

--foobar
Content-Type: text/plain
Content-Language: ja

Itteyoshi.

--foobar
Content-Type: text/html
Content-Language: ja

<!DOCTYPE html PUBLIC "-//SUIKA//DTD SUIKA HTML 1.00//EN">
<html lang="en">
<body>
<h1>�¤äƤ褷</h1>
<p>���������С���ޤ� the Internet ��̵��̣�ʾ����ή�����ϸ��θ��������</p>
<address><a href="mailto:admin\@suika.fam.cx">�����ײ�</a>.</address>
</body>
</html>
--foobar--

EOH

exit if $Suika::CGI::param{test};

my $host = gethostbyaddr(pack('C4',split(/\./,$main::ENV{REMOTE_ADDR})),2)
        || '['.$main::ENV{REMOTE_ADDR}.']';


=pod

open M, '| /usr/lib/sendmail -t -f suika.test.n@suika.fam.cx';

print M <<EOH;
From: "Suika Web server" <webmaster\@suika.fam.cx>
Sender: "default.ida" <webmaster\@suika.fam.cx>
To: "CodeRed infected Host Administrator" :
    <security\@${host}>, <webmaster\@${host}>, <abuse\@${host}> ;
Bcc: (webmaster\@suika.fam.cx,) suika.test.n\@suika.fam.cx
Followup-To: suika.admin
Reply-to: "Suika Web server administrator" <webmaster\@suika.fam.cx>,
  "Suika server administration group" <admin\@suika.fam.cx>
Subject: [Caution] CodeRed infection on '${host}': Automatic report
X-Priority: 1
X-MSMail-Priority: High

Dear ${host} administrator,

    Your Microsoft IIS server (at $main::ENV{REMOTE_ADDR}) appears to have
been infected with a strain of the CodeRed worm.  It attempted to spread
to our Web server, despite the fact that we run GNU/Linux and Apache (which
are immune).

    You should immediately download the security patch from Microsoft, from
<http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/topics/codealrt.asp>.
    You can also get information in Japanese from
<http://www.reasoning.org/jp/security_alerts/hashsa-2001-02.html>

  And I also suggest that you never use Micro\$oft products
for server.  It is very ill.

Regard,

Webmaster of the Suika server.

P.S.  I attach some information of your request.

EOH

for (grep /(?:HTTP|REMOTE|REQUEST|CONTENT|QUERY)_/, keys %main::ENV) {
  print M $_,":\t",$main::ENV{$_},"\n";
}

print M "\n(end)\n";

close M;

=cut

1;

=head1 LICENSE

Public Domain.

=head1 CHANGE

2001-08-25  wakaba <wakaba@suika.fam.cx>

        * (Graph notice) Add about server down for maintenance.

2001-08-17  wakaba <wakaba@suika.fam.cx>

        * (Graph) Add note.

2001-08-14  wakaba <wakaba@suika.fam.cx>

        * (Log for graph): Logging w/ hour data.

2001-08-08  wakaba <wakaba@suika.fam.cx>

        * Rewrite caution message.

2001-08-07  wakaba <wakaba@suika.fam.cx>

        * default.ida.cgi:  New file.

=head1 SEE ALSO

=over

=item Apache::CodeRed

<http://reuven.lerner.co.il/projects/>

=item Suika Server CodeRed Worm Log

<http://suika.fam.cx/default.ida?log=1>

=item Suika Server CodeRed Caution Mail Log

<news://suika.fam.cx/suika.test>

=back

=cut
1	wakaba	1.1	#!/usr/local/bin/perl
2
3			=head1 NAME
4
5			Suika Server /default.ida
6
7			=head1 DESCRIPTION
8
9			Responds to CodeRed worm attacks with e-mail warnings.
10			(Human) user can see worm access log (graph).
11
12			=head1 ENCODING
13
14			This module is written in EUC-JP.
15
16			=cut
17
18			use Suika::CGI;
19			use Data::Count;
20			$\| = 1;
21			my (undef,undef,$hour,$day,$month,$year) = gmtime(time);
22			$month++; $year += 1900;
23			my $d = Data::Count->open('/home/wakaba/public_html/private/warm200107.count', $year.'-'.sprintf('%02D',$month).'-'.sprintf('%02D',$day).'-'.sprintf('%02D',$hour));
24
25			if ($Suika::CGI::param{log}) {
26			print STDOUT <<EOH;
27			Content-Type: text/html
28			Content-Language: en
29
30			<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
31			<html lang="en">
32			<head>
33			<title>log of http://$main::ENV{SERVER_NAME}/default.ida</title>
34			</head>
35			<body>
36			<h1>log of http://$main::ENV{SERVER_NAME}/default.ida (Date = GMT)</h1>
37			<table>
38			<tbody>
39			EOH
40
41			my (%logs,%logsc) = $d->list();
42			for (sort keys %logs) {
43			$logsc{$_} = '*' x $logs{$_};
44			print <<EOH;
45			<tr>
46			<th nowrap>$_</th>
47			<td>($logs{$_})</td>
48			<td>$logsc{$_}</td>
49			</tr>
50			EOH
51			}
52			print <<EOH;
53			</tbody>
54			</table>
55
56			<h2>Note</h2>
57
58			<ul>
59			<li><a href="/admin/web-2001-08-10">Announce of 2001-08-10</a></li>
60			<li>All accesses from *.hinet.net (IP Address: 61.216.0.0 Network Mask: 255.248.0.0, IP Address: 61.224.0.0 Network Mask: 255.255.0.0; not only web) have been shut since 2001-08-10.</li>
61			<li>2001-08-16-06 - 2001-08-17-02 is not counted.</li>
62			<li>This does not count Code Red (I) worm since it causes 400 http error.</li>
63			<li>2001-08-25 +0900: Web server had been stoped some minites to maintenance. Atacks of those time are not logged.</li>
64
65			</ul>
66
67			<address>[<a href="/">/</a>]
68			[<a href="mailto:admin\@suika.fam.cx">Suika server administration group</a>,
69			<a href="mailto:webmaster\@suika.fam.cx">Web server administrator</a>]</address>
70			</body></html>
71			EOH
72			exit;
73			}
74
75			$d->up();
76
77			print STDOUT jcode::jis(<<EOH);
78			Content-Type: message/rfc822
79			Status: 403 I don't hope your attack.
80
81			From: webmaster\@suika.fam.cx
82			Message-id: <msg.20010807.default.ida\@suika.fam.cx>
83			Subject: 403 Forbidden
84			MIME-Version: 1.0
85			Content-Type: multipart/alternative; boundary="foobar"
86
87			--foobar
88			Content-Type: text/html
89			Content-Language: en
90
91			<!DOCTYPE html PUBLIC "-//SUIKA//DTD SUIKA HTML 1.00//EN">
92			<html lang="en">
93			<body>
94			<h1>Forbidden</h1>
95			<p>You don't have permission to access this resource.</p>
96			<address><a href="http://suika.fam.cx/admin/">The Watermeron Project</a>.</address>
97			</body>
98			</html>
99
100			--foobar
101			Content-Type: text/plain
102			Content-Language: ja
103
104			Itteyoshi.
105
106			--foobar
107			Content-Type: text/html
108			Content-Language: ja
109
110			<!DOCTYPE html PUBLIC "-//SUIKA//DTD SUIKA HTML 1.00//EN">
111			<html lang="en">
112			<body>
113			<h1>�¤äƤ褷</h1>
114			<p>��С��ޤ� the Internet ��̵��̣�ʾ��ή��ϸ��θ��</p>
115			<address><a href="mailto:admin\@suika.fam.cx">��ײ�</a>.</address>
116			</body>
117			</html>
118			--foobar--
119
120			EOH
121
122			exit if $Suika::CGI::param{test};
123
124			my $host = gethostbyaddr(pack('C4',split(/\./,$main::ENV{REMOTE_ADDR})),2)
125			\|\| '['.$main::ENV{REMOTE_ADDR}.']';
126
127
128			=pod
129
130			open M, '\| /usr/lib/sendmail -t -f suika.test.n@suika.fam.cx';
131
132			print M <<EOH;
133			From: "Suika Web server" <webmaster\@suika.fam.cx>
134			Sender: "default.ida" <webmaster\@suika.fam.cx>
135			To: "CodeRed infected Host Administrator" :
136			<security\@${host}>, <webmaster\@${host}>, <abuse\@${host}> ;
137			Bcc: (webmaster\@suika.fam.cx,) suika.test.n\@suika.fam.cx
138			Followup-To: suika.admin
139			Reply-to: "Suika Web server administrator" <webmaster\@suika.fam.cx>,
140			"Suika server administration group" <admin\@suika.fam.cx>
141			Subject: [Caution] CodeRed infection on '${host}': Automatic report
142			X-Priority: 1
143			X-MSMail-Priority: High
144
145			Dear ${host} administrator,
146
147			Your Microsoft IIS server (at $main::ENV{REMOTE_ADDR}) appears to have
148			been infected with a strain of the CodeRed worm. It attempted to spread
149			to our Web server, despite the fact that we run GNU/Linux and Apache (which
150			are immune).
151
152			You should immediately download the security patch from Microsoft, from
153			<http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/topics/codealrt.asp>.
154			You can also get information in Japanese from
155			<http://www.reasoning.org/jp/security_alerts/hashsa-2001-02.html>
156
157			And I also suggest that you never use Micro\$oft products
158			for server. It is very ill.
159
160			Regard,
161
162			Webmaster of the Suika server.
163
164			P.S. I attach some information of your request.
165
166			EOH
167
168			for (grep /(?:HTTP\|REMOTE\|REQUEST\|CONTENT\|QUERY)_/, keys %main::ENV) {
169			print M $_,":\t",$main::ENV{$_},"\n";
170			}
171
172			print M "\n(end)\n";
173
174			close M;
175
176			=cut
177
178			1;
179
180			=head1 LICENSE
181
182			Public Domain.
183
184			=head1 CHANGE
185
186			2001-08-25 wakaba <wakaba@suika.fam.cx>
187
188			* (Graph notice) Add about server down for maintenance.
189
190			2001-08-17 wakaba <wakaba@suika.fam.cx>
191
192			* (Graph) Add note.
193
194			2001-08-14 wakaba <wakaba@suika.fam.cx>
195
196			* (Log for graph): Logging w/ hour data.
197
198			2001-08-08 wakaba <wakaba@suika.fam.cx>
199
200			* Rewrite caution message.
201
202			2001-08-07 wakaba <wakaba@suika.fam.cx>
203
204			* default.ida.cgi: New file.
205
206			=head1 SEE ALSO
207
208			=over
209
210			=item Apache::CodeRed
211
212			<http://reuven.lerner.co.il/projects/>
213
214			=item Suika Server CodeRed Worm Log
215
216			<http://suika.fam.cx/default.ida?log=1>
217
218			=item Suika Server CodeRed Caution Mail Log
219
220			<news://suika.fam.cx/suika.test>
221
222			=back
223
224			=cut