home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Columbia Kermit
/
kermit.zip
/
archives
/
ckscripts.tar.gz
/
ckscripts.tar
/
codered
< prev
next >
Wrap
Text File
|
2001-09-19
|
3KB
|
69 lines
; c o d e r e d -- Absorb and log attacks on TCP Port 80.
;
; Works for any HTTP (TCP port 80) attack: Code Red, Nimba, etc.
; Requires privilege in UNIX but not in Windows, and also requires
; that no other process is listening on por 80.
;
; F. da Cruz, Columbia University, August 2001.
; Requires C-Kermit 8.0 Beta.03 or later or concurrent K95 version.
;
.truncate := 0 ; 1 = truncate log records at 79 cols.
.\%n = 0 ; Event count
.start := \fcvtdate() ; Start date-time
if < \v(version) 800200 exit 1 Fatal - C-Kermit 8.0 required.
define ON_CTRLC { ; Ctrl-C trap
echo Connections: \%n in \fdiffdate(now,\m(start))
}
if K-95 { ; K95: Appropriate window color
set command color white red
cls
}
set input echo off ; Input is logged to a file
set tcp reverse-dns off ; For accurate source reporting
while true {
echo "-----------------"
.stamp := \fcvtdate()
xecho \m(stamp)...
set host * 80 ; Wait for incoming HTTP connection
if fail {
echo Net Open Failure: \v(errstring)
if ( = \v(errno) 13 || = \v(errno) 48 ) exit 1
hangup
continue
}
clear input ; Capture the attack string
input 8 \10 ; (terminate at linefeed = ASCII 10)
increment \%n ; Count this probe
echo \flpad(\%n,4). \m(stamp): \v(line) ; Log to screen
if ( = 0 \fverify(0123456789.,\v(line)) ) { ; Have IP address
.addr := \v(line)
.name := \faddr2name(\m(addr)) ; Lookup name in DNS
} else { ; Have IP name
.name := \v(line)
.addr := \fname2addr(\m(name)) ; Get its address
}
hangup ; Close connection quickly
.record := \m(stamp): \m(name) [\m(addr)] "\ftrim(\v(input))"
if \m(truncate) if > \flen(\m(record)) 79 .record := \s(record[1:76]).."
set flag off
for \%i 1 3 1 { ; Write to log
fopen /append \%c codered.log ; It might be busy
if fail {
echo LOG APPEND FAILURE: \f_errmsg()
sleep \%i
continue
}
fwrite /line \%c \m(record)
if success set flag on
fclose \%c
if flag break
}
if not flag echo RECORD LOST: \m(record)
}