Screaming Penguin

Code Red is a pain even for Apache administrators. It takes up time and space even to send a 404. Wouldn't it be nice to be able to help alleviate the problem rather than just trying to bear it? Countermeasures? You bet, here's how to do it with PHP and bash (and note that this could easily be adapted to whatever you regularly employ, perl, jsp, etc.) The following is an explanation of the solution with source code and explicit instructions included below (PHP and bash). First off let me explain the premise. My goals are not to be malicious and to waste even more space and time dealing with the problem (ie, don't kill the offending server and the solution needs to have less overhead than a 404 or it there is no sense in doing it). I use PHP regularly so I decided to employ it again in this case to catch the "default.ida" requests (which for the uninitiated are what CodeRed requests) and then pass them to a shell script to "deal" with them (again, this could be done with any server side language). This first part is trivial. Simply edit the apache httpd.conf file to add a type (AddType) for the .ida files to establish this extension as a php mime type alias. Here is an example:

• AddType application/x-httpd-php .ida

That starts PHP accepting the .ida files. Now create the aforementioned "default.ida" file that CodeRed so enthusiastically requests. Within that file, now a PHP script in my case, record the IP address of the request (the offending CodeRed host). Then store that IP address in a file for later use by a shell script. This is really easy to do (it's a tad bit more involved than is explained here, the file needs to not have duplicate addresses, permissions need to be set, etc, but it still qualifies as easy). Once the file is there and is being updated by a web server script (PHP) to record offending IP addresses, then the next step is that that file need simply be parsed by a shell script to block the offenders. In my case, I prefer just to use ipchains and DENY any future requests from those hosts at that level (ipfilter could also be used very easily). This approach is not malicious (as the goals state) and is exponentially beneficial as more offending hosts are added requests from those hosts obviously never make it to the webserver again (and this satisfies the second goal, less effort than a 404). This shell script is also fairly simple. It parses the aforementioned offending hosts file and adds an ipchains INPUT rule to deny any future requests from those hosts. This script also does a little housework in that it deletes, recreates and sets permissions on the offending hosts file. The final part in the countermeasure is to automate the parsing of the file via the shell script. This is simply done with cron. It's again easy to setup and tell the file to run once every hour (or whatever interval you choose). This way your webserver is automatically recording the IP addresses of the offenders to a file and your server is automatically running a shell script that blocks the offending hosts. This works well, I have employed it for some time and CodeRed requests do still come in but they have certainly diminished a great deal (and yes, this is due in part to other sysadmins cleaning up the CodeRed messes, but also to the fact that offending hosts keep offending and each one that is removed shall never strike again). Also note that YES, as you may have observed, this countermeasure does drop access from the offending hosts to your webserver permanently. You may choose to reset this and re-allow access at some point in the future (very easy to do with ipchains), but personally I dont worry too much about that. The offending IPs are Microsoft webservers and while they could also be used as someone's workstations, I am not really troubled by stopping their access to my webserver altogether. After all, the benefit of performance for all the non offending users far outweighs the access rights of the offenders themselves (IMHO). USE AT YOUR OWN RISK, No WARRANTY, BLAH BLAH BLAH UPDATE: Several observant readers have pointed out in the phorum that you could do this without PHP. The requests are also logged in the apache error log and you could simply parse that. Those are valid points and certainly worth consideration. I chose PHP because it was easy and gets the job done adequately. Its true that a simple shell script (especially the "one liner" in the phorum) would be more efficient since PHP would not even have to be invoked. ALSO Be advised that when using this setup (either way, PHP or not) a DoS attack is possible if the source address is spoofed. Make sure that the variable used to determine the source address really is the source address (that way DoS attackers can only eliminate themselves, and personally, I am OK with that). Do this by ensuring that by the time a packet hits your webserver its source is not spoofed (see ipchains howto, or whatever your firewall is, to setup ip spoofing protection). Source Code (also available as tar download via link) PHP script (default.ida) # copyLeft totsp.com # charlie collins # temple of the screaming penguin # http://screaming-penguin.com # 08.15.2001 # this is a script to record the ip addresses of CodeRed offenders to a file # (actually this script gets all requests for 'default.ida', legitimate or not) # this PHP file is intended to be used in CONJUNCTION with a shell script and cron job # # the shell script then reads the ip addresses from the file and drops them via ipchains (and deletes and recreates the file) # the idea here is that php listens in the default.ida file and records the ip address of hosts that request it to a file # then a shell script reads the recorded ip addresses from said file and drops any future requests using ipchains # a cron job is used to call the shell script periodically # REQUIRED COMPONENTS # default.ida, PHP script to record ip addresses of those requesting it (THIS FILE) # coderedhosts.txt, file used by this script to store ip addresses # killCodeRed.sh, bash script to process the file with ip addresses, drop using ipchains and delete + recreate file # SETUP INSTRUCTIONS *** # the entire process requires 6 parts to setup (and uses php, bash, ipchains and cron, could easily be adapted to other stuff, ie netfilter) # 1 - modify httpd.conf so that .ida files are processed by PHP (AddType application/x-httpd-php .ida) AND restart apache # 2 - install this file in the apache docroot, make sure it is named 'default.ida' # 3 - install accompanying bash shell script 'killCodeRed.sh' (preferably NOT in the docroot, wherever you want) and ensure root user has x perms # 4 - set variables in 'killCodeRed.sh' to match machine stuff (EXTERNAL_ADDRESS, IPCHAINS, etc) # 5 - as root RUN the ./killCodeRed.sh script once BEFORE proceeding (it deletes the coderedhosts.txt file if present and recreates it) # 6 - add cron job to run killCodeRed.sh at desired interval (hourly, etc) (see the cron man pages for cron help) ## SECURITY NOTES # run the webserver as a non priveleged user (duh), ie nobody # do NOT grant PHP permissions to CREATE files in the docroot (the killCodeRed.sh script will create the file, dont let PHP do it) # make sure that the web server user can WRITE to the coderedhosts.txt file (that file only, and again, not the entire DIR) # this is just present to test this file and make sure it flies and send something to response echo "remote address = $REMOTE_ADDR"; # define the file $codeRedHostsFile = "/usr/local/apache/htdocs/coderedhosts.txt"; #edit to match apache docroot # open the file for read(permissions must obviously be correct) $fp = fopen($codeRedHostsFile, "r"); # then check to file to make sure this host is not already in it $stringCodeRedHostsFile = fread($fp, filesize($codeRedHostsFile)); if(!ereg("$REMOTE_ADDR",$stringCodeRedHostsFile)) { # if the host is not in it, the reopen the file, pointer at the end, and write to it $fp = fopen($codeRedHostsFile, "a"); fwrite($fp, "$REMOTE_ADDR \n"); } # close the file fclose($fp); ?> BASH script (killCodeRed.sh) #!/bin/bash # killCodeRed.sh # # copyleft totsp 2001 # charlie collins # temple of the screaming penguin # http://screaming-penguin.com # this script is used in CONJUNCTION with a file of ip addresses # the ip addressed represent hosts known to be infected with codeRed # this script then drops connectivity to those hosts via ipchains # (the file of ip addresses can be automatically generated, ie PHP, perl, etc ) # setup ultra simple vars (CUSTOMIZE HERE) EXTERNAL_INTERFACE="ethX" # you must edit this CODEREDHOSTSFILE="/usr/local/apache/htdocs/coderedhosts.txt" #edit this as required (if apache docroot is different) IPCHAINS="/sbin/ipchains" GREP_PARAM="^[[:digit:]]*\.[[:digit:]]*\.[[:digit:]]*\.[[:digit:]]*" FILEOWNER="nobody" # edit this to match webserver user # parse the file for i in $( grep $GREP_PARAM $CODEREDHOSTSFILE ) do echo "Deny access to host: $i" $IPCHAINS -A input -i $EXTERNAL_INTERFACE -s $i -j DENY done # then remove, recreate and set perms on file # this is to keep the file lean and still ensure that it DOES exist rm -rf $CODEREDHOSTSFILE >$CODEREDHOSTSFILE chown $FILEOWNER $CODEREDHOSTSFILE chmod u+w $CODEREDHOSTSFILE   codeRedKiller