#!/usr/local/bin/perl

=head1 NAME

Suika Server /default.ida

=head1 DESCRIPTION

Responds to CodeRed worm attacks with e-mail warnings.
A (human) user can view the worm access log as a graph.

=head1 ENCODING

This module is written in EUC-JP.

=cut

use strict;
use warnings;
use Socket qw(AF_INET);
use Suika::CGI;
use Data::Count;
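$| = 1;

# Hit counter shared by the attack-response path (which bumps it) and the
# human-readable log page (which lists it).  Buckets are keyed by GMT hour.
my $COUNT_FILE = '/home/wakaba/public_html/private/warm200107.count';

# Minimal HTML escaping (&, <, >, ") for values reflected into the log page.
# Builtins only, so the script keeps its original dependency set.
sub _html_escape {
    my ($text) = @_;
    $text = '' unless defined $text;
    $text =~ s/&/&amp;/g;
    $text =~ s/</&lt;/g;
    $text =~ s/>/&gt;/g;
    $text =~ s/"/&quot;/g;
    return $text;
}

# Bucket key for one epoch value: "YYYY-MM-DD-HH" in GMT, zero padded so a
# plain lexical sort of the keys is chronological.
sub _hour_key {
    my ($epoch) = @_;
    my (undef, undef, $hour, $day, $month, $year) = gmtime($epoch);
    return sprintf('%d-%02d-%02d-%02d', $year + 1900, $month + 1, $day, $hour);
}

my $d = Data::Count->open($COUNT_FILE, _hour_key(time));

if ($Suika::CGI::param{log}) {
    # SERVER_NAME can be derived from the request's Host header depending on
    # the web server configuration, so escape it before reflecting it into
    # the page rather than trusting it as server-controlled.
    my $server_name = _html_escape($main::ENV{SERVER_NAME});

    print STDOUT <<EOH;
Content-Type: text/html
Content-Language: en

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en">
<head>
<title>log of http://$server_name/default.ida</title>
</head>
<body>
<h1>log of http://$server_name/default.ida (Date = GMT)</h1>
<table>
<tbody>
EOH

    # list() is consumed as a flat key/value list (hour bucket => hit count);
    # the original slurped it into one hash and used a second, always-empty
    # hash as scratch space.  One row per bucket, with a bar of '*' per hit.
    my %hits_of = $d->list();
    for my $bucket (sort keys %hits_of) {
        my $count = $hits_of{$bucket};
        my $bar   = '*' x $count;
        my $label = _html_escape($bucket);
        print <<EOH;
<tr>
<th nowrap>$label</th>
<td>($count)</td>
<td>$bar</td>
</tr>
EOH
    }

    print <<EOH;
</tbody>
</table>

<h2>Note</h2>

<ul>
	<li><a href="/admin/web-2001-08-10">Announce of 2001-08-10</a></li>
	<li>All accesses from *.hinet.net (IP Address: 61.216.0.0 Network Mask: 255.248.0.0, IP Address: 61.224.0.0 Network Mask: 255.255.0.0; not only web) have been shut since 2001-08-10.</li>
	<li>2001-08-16-06 - 2001-08-17-02 is not counted.</li>
	<li>This does not count Code Red (I) worm since it causes 400 http error.</li>
	<li>2001-08-25 +0900: Web server had been stoped some minites to maintenance.  Atacks of those time are not logged.</li>

</ul>

<address>[<a href="/">/</a>]
[<a href="mailto:admin\@suika.fam.cx">Suika server administration group</a>,
 <a href="mailto:webmaster\@suika.fam.cx">Web server administrator</a>]</address>
</body></html>
EOH
    exit;
}

# Not the log page: this is a worm hit.  Presumably bumps this hour's bucket
# (Data::Count API, not visible here - confirm), then answer with a 403.
$d->up();

print STDOUT jcode::jis(<<EOH);
Content-Type: message/rfc822
Status: 403 I don't hope your attack.

From: webmaster\@suika.fam.cx
Message-id: <msg.20010807.default.ida\@suika.fam.cx>
Subject: 403 Forbidden
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="foobar"

--foobar
Content-Type: text/html
Content-Language: en

<!DOCTYPE html PUBLIC "-//SUIKA//DTD SUIKA HTML 1.00//EN">
<html lang="en">
<body>
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.</p>
<address><a href="http://suika.fam.cx/admin/">The Watermeron Project</a>.</address>
</body>
</html>

--foobar
Content-Type: text/plain
Content-Language: ja

Itteyoshi.

--foobar
Content-Type: text/html
Content-Language: ja

<!DOCTYPE html PUBLIC "-//SUIKA//DTD SUIKA HTML 1.00//EN">
<html lang="en">
<body>
<h1>逝ってよし</h1>
<p>西瓜サーバーを含め the Internet に無意味な情報を流す事は御遠慮下さい。</p>
<address><a href="mailto:admin\@suika.fam.cx">西瓜計画</a>.</address>
</body>
</html>
--foobar--

EOH

exit if $Suika::CGI::param{test};

# Reverse-resolve the attacking host.  Only a dotted-quad REMOTE_ADDR is
# looked up (the original pack('C4', split ...) produced a bogus lookup and a
# warning for anything else); a missing/non-IPv4 address or a failed PTR
# lookup falls back to the bracketed literal, as before.
my $remote_addr = $main::ENV{REMOTE_ADDR};
$remote_addr = '' unless defined $remote_addr;
my $host;
if ($remote_addr =~ m{\A(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\z}) {
    $host = gethostbyaddr(pack('C4', $1, $2, $3, $4), AF_INET);
}
$host ||= '[' . $remote_addr . ']';

# NOTE: $host comes from a PTR record, which the remote network controls.
# It is only consumed by the notification-mail block that is currently
# disabled (the =pod section below); if that is ever re-enabled, restrict
# $host to hostname characters before interpolating it into mail headers
# or a sendmail command line, and prefer the list form of open() there.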


=pod

open M, '| /usr/lib/sendmail -t -f suika.test.n@suika.fam.cx';

print M <<EOH;
From: "Suika Web server" <webmaster\@suika.fam.cx>
Sender: "default.ida" <webmaster\@suika.fam.cx>
To: "CodeRed infected Host Administrator" :
    <security\@${host}>, <webmaster\@${host}>, <abuse\@${host}> ;
Bcc: (webmaster\@suika.fam.cx,) suika.test.n\@suika.fam.cx
Followup-To: suika.admin
Reply-to: "Suika Web server administrator" <webmaster\@suika.fam.cx>,
  "Suika server administration group" <admin\@suika.fam.cx>
Subject: [Caution] CodeRed infection on '${host}': Automatic report
X-Priority: 1
X-MSMail-Priority: High

Dear ${host} administrator,

    Your Microsoft IIS server (at $main::ENV{REMOTE_ADDR}) appears to have
been infected with a strain of the CodeRed worm.  It attempted to spread
to our Web server, despite the fact that we run GNU/Linux and Apache (which
are immune).

    You should immediately download the security patch from Microsoft, from
<http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/topics/codealrt.asp>.
    You can also get information in Japanese from
<http://www.reasoning.org/jp/security_alerts/hashsa-2001-02.html>

  And I also suggest that you never use Micro\$oft products
for server.  It is very ill.

Regard,

Webmaster of the Suika server.

P.S.  I attach some information of your request.

EOH

for (grep /(?:HTTP|REMOTE|REQUEST|CONTENT|QUERY)_/, keys %main::ENV) {
  print M $_,":\t",$main::ENV{$_},"\n";
}

print M "\n(end)\n";

close M;

=cut

# True final value, the convention for files that may be require()d.  The
# normal worm-hit path (neither log= nor test= set) falls through to here
# after printing its 403 response and computing $host.
1;

=head1 LICENSE

Public Domain.

=head1 CHANGE

2001-08-25  wakaba <wakaba@suika.fam.cx>

	* (Graph notice) Add about server down for maintenance.

2001-08-17  wakaba <wakaba@suika.fam.cx>

	* (Graph) Add note.

2001-08-14  wakaba <wakaba@suika.fam.cx>

	* (Log for graph): Logging w/ hour data.

2001-08-08  wakaba <wakaba@suika.fam.cx>

	* Rewrite caution message.

2001-08-07  wakaba <wakaba@suika.fam.cx>

	* default.ida.cgi:  New file.

=head1 SEE ALSO

=over

=item Apache::CodeRed

<http://reuven.lerner.co.il/projects/>

=item Suika Server CodeRed Worm Log

<http://suika.fam.cx/default.ida?log=1>

=item Suika Server CodeRed Caution Mail Log

<news://suika.fam.cx/suika.test>

=back

=cut