Bugtraq mailing list archives

CodeRed worm honeypot & reverse-tester (in Java)


From: Chad Loder <cloder () acm org>
Date: Fri, 20 Jul 2001 00:25:49 -0700

For shits and giggles, I whipped up a
little Java program that serves two functions:

        - when invoked with a single argument,
        it connects to that host on port 80,
        issues an IDQ-style request according
        to Chris St. Clair's recently posted
        testing methodology (only tested on IIS/5.0),
        and tells you if the server appears to
        be vulnerable or not

        for example:

        $ javac CodeRedLogger.java
        $ java CodeRedLogger infected.system.com

        - when invoked with no arguments, it
        turns into a little multithreaded
        web server on port 80, which for
        each client connect, sees if the client
        sends the attack signature, and if
        so, connects back to the client on port
        80 and performs the test mentioned above

        for example:

        $ javac CodeRedLogger.java
        $ java CodeRedLogger
        (sit back and wait)

I just wrote this off the top of my head and
tested it on a few servers.

Maybe someone wants to modify the tests
to handle IIS 4.0 servers. :)

The typical disclaimer for exploit code applies:
don't use it unless you're allowed to.

I wouldn't run this on a public server, and I
certainly wouldn't try to reverse-connect and
inject the lysine deficiency via shellcode
(although I bet it would be easy). :)

I also would not recommend trying to do a WHOIS or
trying to send email to the server's sysadmin, because
that could just burden the infected systems even more.

Again, I just wrote it for shits and giggles. I
redirected port 80 on my firewall at home to go
to my home PC, and then have been running it on my
home PC, so I can watch worm requests come in
through my cable modem. :)

I've compiled and tested this under Sun JDK 1.2;
it should work on any 1.2 and later JDK.

        Chad Loder
        Principal Engineer
        Rapid 7, Inc.
        http://www.rapid7.com

Attachment: CodeRedLogger.java
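The attached CodeRedLogger.java is not reproduced in this archive. As an added illustration (not Chad's code) of the listener half described above, the following Java class accepts connections on port 80, reads the request line, and logs the client address when it sees the well-known Code Red probe (a GET for /default.ida whose query string is a long run of N for Code Red I or X for Code Red II); unlike the tool in the post, it only logs and answers 404 rather than connecting back. The class name, port default and 100-character padding threshold are assumptions.

```java
import java.io.*;
import java.net.*;
import java.util.Date;
import java.util.regex.Pattern;

// Minimal Code Red honeypot: log worm probes, never connect back.
public class CodeRedHoneypot {
    // Code Red I pads the .ida query with 'N', Code Red II with 'X'.
    // The 100-character minimum is an assumed threshold to avoid false hits.
    private static final Pattern CODE_RED =
        Pattern.compile("^GET /default\\.ida\\?(N{100,}|X{100,})");

    /** True if the HTTP request line looks like a Code Red probe. */
    public static boolean isCodeRedRequest(String requestLine) {
        return requestLine != null && CODE_RED.matcher(requestLine).find();
    }

    // One thread per connection, as in the original tool's design.
    private static void handle(Socket client) {
        try (Socket c = client;
             BufferedReader in = new BufferedReader(
                 new InputStreamReader(c.getInputStream(), "ISO-8859-1"));
             Writer out = new OutputStreamWriter(c.getOutputStream(), "ISO-8859-1")) {
            c.setSoTimeout(5000);                 // don't hang on silent clients
            String line = in.readLine();          // request line only
            String who = c.getInetAddress().getHostAddress();
            if (isCodeRedRequest(line)) {
                System.out.println(new Date() + " Code Red probe from " + who);
            } else {
                System.out.println(new Date() + " other request from " + who + ": " + line);
            }
            // Harmless reply so the client closes cleanly.
            out.write("HTTP/1.0 404 Not Found\r\nContent-Length: 0\r\nConnection: close\r\n\r\n");
        } catch (IOException e) {
            System.err.println("connection error: " + e.getMessage());
        }
    }

    public static void main(String[] args) throws IOException {
        int port = args.length > 0 ? Integer.parseInt(args[0]) : 80;
        try (ServerSocket server = new ServerSocket(port)) {
            System.out.println("listening on port " + port);
            while (true) {
                Socket client = server.accept();
                new Thread(() -> handle(client)).start();
            }
        }
    }
}
```

Binding port 80 requires privileges; pass another port as the first argument when testing behind a port redirect such as the one described in the post.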