
Contents of /webroot/default.ida.cgi



Revision 1.2 - (show annotations) (download)
Sat Jul 19 10:36:24 2003 UTC (20 years, 9 months ago) by wakaba
Branch: MAIN
CVS Tags: HEAD
Changes since 1.1: +0 -0 lines
FILE REMOVED
Imported to CVS

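#!/usr/local/bin/perl

=head1 NAME

Suika Server /default.ida

=head1 DESCRIPTION

Responds to CodeRed worm attacks with e-mail warnings.
(Human) user can see worm access log (graph).

=head1 ENCODING

This module is written in EUC-JP.

=cut

use strict;
use Socket qw(inet_aton AF_INET);
use Suika::CGI;
use Data::Count;

# Escape the HTML metacharacters in a value before it is interpolated into
# markup.  An undefined value becomes the empty string.
sub _escape_html {
    my ($text) = @_;
    $text = '' unless defined $text;
    $text =~ s/&/&amp;/g;
    $text =~ s/</&lt;/g;
    $text =~ s/>/&gt;/g;
    $text =~ s/"/&quot;/g;
    return $text;
}

$| = 1;    # unbuffered output

# The counter is bucketed by GMT hour; the bucket key is YYYY-MM-DD-HH.
my (undef, undef, $hour, $day, $month, $year) = gmtime(time);
$month++;
$year += 1900;
my $bucket = sprintf('%d-%02d-%02d-%02d', $year, $month, $day, $hour);
my $d = Data::Count->open(
    '/home/wakaba/public_html/private/warm200107.count', $bucket);

# Fail with a clear message instead of a method call on an undefined value.
# NOTE(review): assumes Data::Count->open returns undef on failure -- confirm.
die "default.ida: cannot open the hit counter\n" unless defined $d;

# ?log=... : show the per-hour hit table to a human visitor and stop.
if ($Suika::CGI::param{log}) {
    # SERVER_NAME can reflect the client's Host header, depending on how the
    # web server is configured, so it is escaped before going into the page.
    my $server_name = _escape_html($main::ENV{SERVER_NAME});

    print STDOUT <<EOH;
Content-Type: text/html
Content-Language: en

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en">
<head>
<title>log of http://$server_name/default.ida</title>
</head>
<body>
<h1>log of http://$server_name/default.ida (Date = GMT)</h1>
<table>
<tbody>
EOH

    my %logs = $d->list();
    for my $bucket_key (sort keys %logs) {
        # One asterisk per recorded hit.  The page therefore grows linearly
        # with a count that remote hosts drive; cap or scale the bar if the
        # counts ever get large.
        my $bar = '*' x $logs{$bucket_key};
        print <<EOH;
<tr>
<th nowrap>$bucket_key</th>
<td>($logs{$bucket_key})</td>
<td>$bar</td>
</tr>
EOH
    }
    print <<EOH;
</tbody>
</table>

<h2>Note</h2>

<ul>
<li><a href="/admin/web-2001-08-10">Announce of 2001-08-10</a></li>
<li>All accesses from *.hinet.net (IP Address: 61.216.0.0 Network Mask: 255.248.0.0, IP Address: 61.224.0.0 Network Mask: 255.255.0.0; not only web) have been shut since 2001-08-10.</li>
<li>2001-08-16-06 - 2001-08-17-02 is not counted.</li>
<li>This does not count Code Red (I) worm since it causes 400 http error.</li>
<li>2001-08-25 +0900: Web server had been stoped some minites to maintenance. Atacks of those time are not logged.</li>

</ul>

<address>[<a href="/">/</a>]
[<a href="mailto:admin\@suika.fam.cx">Suika server administration group</a>,
<a href="mailto:webmaster\@suika.fam.cx">Web server administrator</a>]</address>
</body></html>
EOH
    exit;
}

# Record the hit (presumably increments the current hour's bucket -- confirm
# against Data::Count).  This runs for every request that is not ?log=...,
# whether or not it looks like a worm probe, and it runs before the ?test=...
# exit below, so test requests are counted too.  Treat the table as an upper
# bound on worm traffic, not an exact measurement.
$d->up();

# Fixed 403 response; no request data is echoed back to the client.
print STDOUT jcode::jis(<<EOH);
Content-Type: message/rfc822
Status: 403 I don't hope your attack.

From: webmaster\@suika.fam.cx
Message-id: <msg.20010807.default.ida\@suika.fam.cx>
Subject: 403 Forbidden
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="foobar"

--foobar
Content-Type: text/html
Content-Language: en

<!DOCTYPE html PUBLIC "-//SUIKA//DTD SUIKA HTML 1.00//EN">
<html lang="en">
<body>
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.</p>
<address><a href="http://suika.fam.cx/admin/">The Watermeron Project</a>.</address>
</body>
</html>

--foobar
Content-Type: text/plain
Content-Language: ja

Itteyoshi.

--foobar
Content-Type: text/html
Content-Language: ja

<!DOCTYPE html PUBLIC "-//SUIKA//DTD SUIKA HTML 1.00//EN">
<html lang="en">
<body>
<h1>逝ってよし</h1>
<p>西瓜サーバーを含め the Internet に無意味な情報を流す事は御遠慮下さい。</p>
<address><a href="mailto:admin\@suika.fam.cx">西瓜計画</a>.</address>
</body>
</html>
--foobar--

EOH

exit if $Suika::CGI::param{test};

# Resolve the peer address to a name for the (currently disabled) report.
# Only a dotted-quad address is looked up.  The PTR answer is controlled by
# whoever runs the reverse zone for that address, so a name is accepted only
# if it consists of plain hostname characters; anything else falls back to
# the bracketed address literal.
my $remote_addr =
    defined $main::ENV{REMOTE_ADDR} ? $main::ENV{REMOTE_ADDR} : '';
my $host;
if ($remote_addr =~ /\A\d{1,3}(?:\.\d{1,3}){3}\z/) {
    my $packed_addr = inet_aton($remote_addr);
    $host = gethostbyaddr($packed_addr, AF_INET) if defined $packed_addr;
}
unless (defined $host
    && $host =~ /\A[A-Za-z0-9](?:[A-Za-z0-9.-]{0,253}[A-Za-z0-9])?\z/)
{
    $host = '[' . $remote_addr . ']';
}

# The notification mailer below is disabled (it sits inside a POD block).
# Points to settle before re-enabling it:
#   * ${host} is placed in the To: and Subject: headers, and sendmail -t
#     takes its recipients from those headers.  The name comes from reverse
#     DNS, so confirm it with a forward lookup and keep the character check
#     above; otherwise the remote side chooses who receives the mail.
#   * One message is sent per request with no rate limit or de-duplication,
#     so repeated requests turn this server into a source of unsolicited
#     mail to third parties.
#   * The environment dump appended to the body contains client-supplied
#     request headers verbatim.
#   * The piped two-argument open on a bareword handle is not checked for
#     failure; prefer a checked list-form open on a lexical handle.

=pod

open M, '| /usr/lib/sendmail -t -f suika.test.n@suika.fam.cx';

print M <<EOH;
From: "Suika Web server" <webmaster\@suika.fam.cx>
Sender: "default.ida" <webmaster\@suika.fam.cx>
To: "CodeRed infected Host Administrator" :
<security\@${host}>, <webmaster\@${host}>, <abuse\@${host}> ;
Bcc: (webmaster\@suika.fam.cx,) suika.test.n\@suika.fam.cx
Followup-To: suika.admin
Reply-to: "Suika Web server administrator" <webmaster\@suika.fam.cx>,
"Suika server administration group" <admin\@suika.fam.cx>
Subject: [Caution] CodeRed infection on '${host}': Automatic report
X-Priority: 1
X-MSMail-Priority: High

Dear ${host} administrator,

Your Microsoft IIS server (at $main::ENV{REMOTE_ADDR}) appears to have
been infected with a strain of the CodeRed worm. It attempted to spread
to our Web server, despite the fact that we run GNU/Linux and Apache (which
are immune).

You should immediately download the security patch from Microsoft, from
<http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/topics/codealrt.asp>.
You can also get information in Japanese from
<http://www.reasoning.org/jp/security_alerts/hashsa-2001-02.html>

And I also suggest that you never use Micro\$oft products
for server. It is very ill.

Regard,

Webmaster of the Suika server.

P.S. I attach some information of your request.

EOH

for (grep /(?:HTTP|REMOTE|REQUEST|CONTENT|QUERY)_/, keys %main::ENV) {
print M $_,":\t",$main::ENV{$_},"\n";
}

print M "\n(end)\n";

close M;

=cut

1;

=head1 LICENSE

Public Domain.

=head1 CHANGE

2001-08-25 wakaba <wakaba@suika.fam.cx>

* (Graph notice) Add about server down for maintenance.

2001-08-17 wakaba <wakaba@suika.fam.cx>

* (Graph) Add note.

2001-08-14 wakaba <wakaba@suika.fam.cx>

* (Log for graph): Logging w/ hour data.

2001-08-08 wakaba <wakaba@suika.fam.cx>

* Rewrite caution message.

2001-08-07 wakaba <wakaba@suika.fam.cx>

* default.ida.cgi: New file.

=head1 SEE ALSO

=over

=item Apache::CodeRed

<http://reuven.lerner.co.il/projects/>

=item Suika Server CodeRed Worm Log

<http://suika.fam.cx/default.ida?log=1>

=item Suika Server CodeRed Caution Mail Log

<news://suika.fam.cx/suika.test>

=back

=cut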
