Nimda Notifyer 1.3

The Nimda Notifyer is a simple Perl script which can be dropped into any CGI-enabled area on your web server. It will send an email to the netblock owner of whichever IP accesses it.

Requires Net::Whois::Raw, File::Cache, and LWP::UserAgent -- all can be obtained from CPAN by entering

# perl -MCPAN -e shell;

CPAN> install LWP::UserAgent
CPAN> install Net::Whois::Raw
CPAN> install File::Cache

from the command prompt (as root, if possible). If the listed modules are already installed, CPAN will ensure they're the latest available release.

Source here: nimda-notify.pl

Installation instructions:

  1. Download the source, and adjust configuration variables to suit your needs.
  2. Place the file in /MSADC/ on one of the websites on your network. It doesn't matter which one, since this worm scans every IP and you need only bother the admin once.
  3. Rename the script to root.exe
  4. Create a .htaccess file with the contents SetHandler cgi-script
  5. Hopefully this will be a wakeup call to the admins of these NT machines, and they will fix the problem.

If you would like to preview the email that would be sent out, just go to /MSADC/root.exe in your web browser. When a browser is detected, the script automatically goes into debug mode and will not send any emails out or submit IPs anywhere. Or, if you want to play it extra safe, just set $debug to 1.
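The decision described above (preview for a browser or when $debug is set, otherwise notify), written out as an added example; it is not the nimda-notify.pl source. The sub names, the User-Agent test for "browser detected", and the once-per-IP table standing in for a persistent cache are assumptions.

```perl
#!/usr/bin/perl
# Added sketch; NOT the nimda-notify.pl source. Sub names are hypothetical.
use strict;
use warnings;

my $debug = 0;   # 1 forces preview mode, like the script's $debug setting
my %seen;        # assumption: in-memory stand-in for a persistent cache of notified IPs

# Assumption: any non-empty User-Agent header means a person is previewing.
sub is_browser {
    my ($env) = @_;
    my $ua = $env->{HTTP_USER_AGENT};
    return (defined $ua && length $ua) ? 1 : 0;
}

# Accept only a dotted-quad IPv4 address before using it in whois or mail text.
sub valid_ip {
    my ($ip) = @_;
    return 0 unless defined $ip;
    my @octets = $ip =~ /\A(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\z/
        or return 0;
    return (grep { $_ > 255 } @octets) ? 0 : 1;
}

# Decide what a hit on /MSADC/root.exe should trigger.
sub classify_hit {
    my ($env) = @_;
    my $ip = $env->{REMOTE_ADDR};
    return 'reject'  unless valid_ip($ip);
    return 'preview' if $debug || is_browser($env);   # show mail, send nothing
    return 'skip'    if $seen{$ip}++;                  # owner already notified
    return 'notify';
}

# Constructed requests (documentation addresses), not captured traffic.
my @hits = (
    { REMOTE_ADDR => '192.0.2.10' },
    { REMOTE_ADDR => '192.0.2.10' },
    { REMOTE_ADDR => '198.51.100.7', HTTP_USER_AGENT => 'Mozilla/4.0' },
    { REMOTE_ADDR => '999.1.1.1' },
);
printf "%-15s %s\n", $_->{REMOTE_ADDR}, classify_hit($_) for @hits;
```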

You can send enhancements or suggestions to Trevor Peirce at trev@digitalcon.ca.

Enjoy!

Example email:


To: trev@digitalcon.ca
From: Trevor Peirce <trev@digitalcon.ca>
Subject: Nimda Detected - 208.181.80.124

Trevor Peirce,

This is an automated email from www.digitalcon.ca. It appears as though you are listed as the coordinator for the netblock from which a Windows NT machine appears to have been infected with the Nimda worm.

The IP address of the infected machine is 208.181.80.124. This was detected on Fri Sep 21 23:37:00 2001 GMT.

Please either remove the worm or disconnect the machine from the Internet until you have the chance to do so. It is using up not only your bandwidth but everybody else's too.

Here are a few links with information about this worm:

http://www.sarc.com/avcenter/venc/data/w32.nimda.a@mm.html
http://www.newsbytes.com/news/01/170225.html

Thank you for your attention,
Administrator of www.digitalcon.ca
