[svlug] Testing for Code Red worm vulnerability
John Conover
conover at rahul.net
Fri Jul 20 00:29:02 PDT 2001

FYI, in bugtraq, this PM, there was a cute 8 line shell script for
testing NT/2K boxes for IIS Code Red vulnerability from a Linux box:

    #!/bin/sh
    SIZE=1
    export SIZE
    while [ $SIZE -lt 201 ]; do
        BUFF="`perl -e 'print \"x\" x $ENV{SIZE}'`"
        echo -e "GET /NULL.ida?$BUFF=X HTTP/1.1\nHost: iluvpaul\n\n" | nc host port
        SIZE=`expr $SIZE + 1`
    done

Returns:

    If response = "Error 0x80040e14 caught while processing query" the
    system is patched.

    If response = "The IDQ file NULL.ida could not be found." the system
    is not patched, and vulnerable.

A Unix/Linux/Apache box always returns the latter, which is OK.

        John

--
John Conover Tel. 408.370.2688 conover at rahul.net
631 Lamont Ct. Fax. 408.379.9602 http://www.johncon.com/
Campbell, CA 95008 Cel. 408.772.7733
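
Added example (not part of the original post or of the bugtraq script): a small classifier for saved responses from the check above, using the two strings quoted in the post. The function names, the verdict labels and the Server-header check are assumptions of this example; the header check is there because the post says a non-IIS box also returns the second string.

```shell
#!/bin/sh
# Marker strings exactly as quoted in the post.
PATCHED_MSG='Error 0x80040e14 caught while processing query'
UNPATCHED_MSG='The IDQ file NULL.ida could not be found.'

# classify_response: read one saved HTTP response on stdin, print a verdict:
#   patched | vulnerable | not-iis | inconclusive
# Verdict names and the Server-header check are assumptions of this example.
classify_response() {
    resp=$(tr -d '\r')          # normalise CRLF line endings
    # Value of the Server header; stop at the blank line that ends the headers.
    server=$(printf '%s\n' "$resp" | awk '
        /^$/ { exit }
        tolower($0) ~ /^server:/ { sub(/^[^:]*:[ \t]*/, ""); print; exit }')
    if printf '%s\n' "$resp" | grep -Fq "$PATCHED_MSG"; then
        echo patched
    elif printf '%s\n' "$resp" | grep -Fq "$UNPATCHED_MSG"; then
        # The post notes non-IIS hosts also give this answer, so only an
        # IIS banner makes it a finding.
        case $server in
            Microsoft-IIS*) echo vulnerable ;;
            '')             echo inconclusive ;;   # no banner to decide on
            *)              echo not-iis ;;
        esac
    else
        echo inconclusive       # timeout, redirect, proxy error page, ...
    fi
}

# Build a constructed sample response (not captured from a real host).
sample() {
    printf 'HTTP/1.1 200 OK\r\nServer: %s\r\n\r\n%s\r\n' "$1" "$2"
}

# Demo: one verdict per constructed case.
sample 'Microsoft-IIS/5.0' "$PATCHED_MSG" | classify_response
sample 'Microsoft-IIS/5.0' "$UNPATCHED_MSG" | classify_response
sample 'Apache/1.3.20 (Unix)' "$UNPATCHED_MSG" | classify_response
sample 'Microsoft-IIS/5.0' 'Service Unavailable' | classify_response
```

To use it on real output, save each response from the loop to a file and feed it in with `classify_response < file`.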