[svlug] Testing for Code Red worm vulnerability

Alvin Oga alvin at planet.fef.com
Fri Jul 20 02:06:01 PDT 2001


hi ya john..

and if they are vulnerable...

they should upgrade to some form of patched *nix server... 
( sorry couldnt resist )

c ya
alvin

and yup... saw several hundred attempts on my various PCs...

> John Conover wrote:
> 
> FYI, in bugtraq, this PM, there was a cute 8 line shell script for
> testing NT/2K boxes for IIS Code Red vulnerability from a Linux box:
> 
>     #!/bin/sh
>     SIZE=1
>     export SIZE
> 
>     while [ $SIZE -lt 201 ]; do
>         BUFF="`perl -e 'print \"x\" x $ENV{SIZE}'`"
>         echo -e "GET /NULL.ida?$BUFF=X HTTP/1.1\nHost: iluvpaul\n\n" | nc host port
>         SIZE=`expr $SIZE + 1`
>     done
> 
> Returns:
> 
>     If response = "Error 0x80040e14 caught while processing query" the
>                   system is patched.
> 
>     If response = "The IDQ file NULL.ida could not be found." the system
>                   is not patched, and vulnerable.
> 
> A Unix/Linux/Apache box always returns the latter, which is OK.
> 




More information about the svlug mailing list