Re: Tool released to scan for possible CodeRed infected servers

[H D Moore <hdm () secureaustin com>]

Here is a quick little perl script, it only checks one host at a time. 

http://www.digitaloffense.net/ida_overflow.pl

If you want to check a network range, try the following:
# nmap -sS -p 80 -n -PS80 -oM - <ip range> | grep 80/open | awk '{print $2}' | xargs -i perl ida_overflow.pl -h {}

If you want to check a range of SSL servers:
# nmap -sS -p 443 -n -PS443 -oM - <ip range> | grep 443/open | awk '{print $2}' | xargs -i perl ida_overflow.pl -h {} 
-s -p 443

-HD

P.S. This script uses libwhisker

On Friday 20 July 2001 09:43 pm, tom ring wrote:
> Thanks for your efforts.
>
> Will there be a unix source version available?  I won't bother to explain
> why I'd rather have that.
> \
> tom
>
> On 20 Jul 2001, at 16:27, Marc Maiffret wrote:
> > In an effort to help administrators find all systems within their network
> > that are vulnerable to the .ida buffer overflow attack, which the "Code
> > Red" worm is using to spread itself, we have decided to release a free
> > tool named CodeRed Scanner. It can scan a range of IP addresses and
> > report back any IP addresses which are vulnerable to the .ida attack, and
> > susceptible to the "Code Red" worm.
>
> ------
> Tom Ring WA2PHW  EN34
> tar () real-time com
>
> "It is better to go into a turn slow, and come out fast, than to go into a
> turn fast and come out dead."