Nimda Notifyer 1.3
The Nimda Notifyer is a simple Perl script which can be dropped into
any CGI-enabled area on your web server. It will send an email
to the netblock owner of whichever IP accesses it.
Requires Net::Whois::Raw, File::Cache, and LWP::UserAgent
-- all can be obtained from CPAN by entering
# perl -MCPAN -e shell;
CPAN> install LWP::UserAgent
CPAN> install Net::Whois::Raw
CPAN> install File::Cache
from the command prompt (as root, if possible). If the listed modules
are already installed, CPAN will ensure they're the latest available
release.
- Download the source, and adjust configuration variables to suit
  your needs.
- Place the file in /MSADC/ on one of the websites on your
  network. It doesn't matter which one, since this worm scans every
  IP and you need only bother the admin once.
- Rename the script to root.exe
- Create a .htaccess file with the contents SetHandler cgi-script
- Hopefully this will be a wakeup call to the admins of these NT machines,
  and they will fix the problem.
If you would like to preview the email that would be sent out, just
go to /MSADC/root.exe in your web browser. When a browser
is detected, the script automatically goes into debug mode and
will not send any emails out or submit IPs anywhere. Or,
if you want to play it extra safe, just set $debug to 1.
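
As an added illustration (not part of Nimda Notifyer and not its author's code), the Python sketch below applies the two rules described above to a web server access log: each requesting IP is counted only once, and hits that come from a browser are ignored. The Apache combined log format, the Mozilla-prefix browser check and the sample lines are assumptions made for the example.

```python
import re
from collections import OrderedDict

# Apache combined log format (assumed):
# ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" \d{3} \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)"$'
)
# The path the renamed script answers on, with or without a query string.
PROBE_RE = re.compile(r'^/MSADC/root\.exe(\?|$)')

def looks_like_browser(agent):
    # Assumption: a browser is recognised by a Mozilla-style User-Agent.
    return agent.startswith("Mozilla/")

def hosts_to_report(lines):
    """Return {ip: first-seen time} for non-browser hits on /MSADC/root.exe."""
    report = OrderedDict()
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or not PROBE_RE.match(m.group("path")):
            continue
        if looks_like_browser(m.group("agent")):
            continue  # a person previewing the page, not a scanning host
        # Keep only the first hit per IP: one report per host is enough.
        report.setdefault(m.group("ip"), m.group("time"))
    return report

# Constructed sample log lines (documentation-range addresses, not real hosts).
SAMPLE = [
    '192.0.2.10 - - [21/Sep/2001:23:37:00 +0000] "GET /MSADC/root.exe HTTP/1.0" 200 512 "-" "-"',
    '192.0.2.10 - - [21/Sep/2001:23:37:04 +0000] "GET /MSADC/root.exe HTTP/1.0" 200 512 "-" "-"',
    '198.51.100.7 - - [21/Sep/2001:23:40:12 +0000] "GET /MSADC/root.exe HTTP/1.1" 200 2048 "-" '
    '"Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)"',
    '203.0.113.5 - - [21/Sep/2001:23:41:30 +0000] "GET /index.html HTTP/1.0" 200 1024 "-" "-"',
    '203.0.113.99 - - [21/Sep/2001:23:45:09 +0000] "GET /MSADC/root.exe HTTP/1.0" 200 512 "-" "-"',
]

if __name__ == "__main__":
    for ip, first_seen in hosts_to_report(SAMPLE).items():
        print(f"{ip} first seen {first_seen}")
```
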
You can send enhancements or suggestions to Trevor Peirce at trev@digitalcon.ca.
Enjoy!
Example email:
To: trev@digitalcon.ca
From: Trevor Peirce <trev@digitalcon.ca>
Subject: Nimda Detected - 208.181.80.124
Trevor Peirce,
This is an automated email from www.digitalcon.ca. It appears
as though you are listed as the coordinator for the netblock from
which a Windows NT machine appears to have been infected with the
Nimda worm.
The IP address of the infected machine is 208.181.80.124. This
was detected on Fri Sep 21 23:37:00 2001 GMT. Please either remove
the worm or disconnect the machine from the Internet until you have
the chance to do so. It is using up not only your bandwidth but
everybody else's too.
Here are a few links with information about this worm:
http://www.sarc.com/avcenter/venc/data/w32.nimda.a@mm.html
http://www.newsbytes.com/news/01/170225.html
Thank you for your attention,
Administrator of www.digitalcon.ca
a digitalconceptions design © 2001