
Virus Honey Pot

by ajt (Prior)
on Nov 06, 2001 at 16:38 UTC (#123558=perlquestion)

ajt has asked for the wisdom of the Perl Monks concerning the following question:

Yesterday my employer got hit hard with the Nimda-d Windows Virus. My machine was okay as its AV was up to date, and I had patched IE to a higher level than the company official level.

As I run Apache not IIS on my dev (NT) box, it was the only server running during the morning-long attack; the IT team had shut down or isolated all the NT servers. I was therefore the only person able to give them a list of known infected machines, by simply tailing my access logs - which proved more efficient than simply waiting for people to complain that their machine was sick.

This morning I'm writing a simple "honey pot" script to log any future Nimda or Code Red-like activity. I've done all the simple Apache stuff, so it triggers a PerlRun script on my NT box, logs the IP and such, but I was wondering what else I can do?

I'll add an email action too, but during the attack yesterday one of the first things to be switched off was the Exchange/SMTP servers, so email isn't going to do much...

Unlike the typical example I've seen before, (Apache::CodeRed), I know where all the machines are (on our intranet) and I know who to contact, but there may be no point in emailing as the server may be down, and our IT team may be too busy to respond anyway.

Basically I think I need two responses:

  • A first alert when something happens - possibly an email.
  • Logging of activity, during an attack.

Anything else? Is a desktop alert worth trying?

Ironically I only use IE/outlook because I have to, in fact I've spent the last week arguing why Unix/Apache/Perl is better than NT/IIS/VB for the web project I'm working on - but that's another story...

As ever, very humble thanks in advance.

Replies are listed 'Best First'.
Re: Virus Honey Pot
by Corion (Patriarch) on Nov 06, 2001 at 17:12 UTC
    As email is already out, there are just two things you can do with your database of infected machines (you are putting all the IP addresses into a flat text file or database, right?):
    • Automatically print out a sheet of paper with the name, IP address of the machine and INFECTED in large unfriendly letters on it, preferably on a printer near the infected machine, whenever a new machine is added to the database. Put that paper over the keyboard of that machine.
    • Make your machine and the database web-accessible so people can have a quick overview on which machines are (still) infected.
    perl -MHTTP::Daemon -MHTTP::Response -MLWP::Simple -e ' ; # The
    $d = new HTTP::Daemon and fork and getprint $d->url and exit;#spider
    ($c = $d->accept())->get_request(); $c->send_response( new #in the
    HTTP::Response(200,$_,$_,qq(Just another Perl hacker\n))); ' # web
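
The log-tailing check described in the question, with the "alert when a new machine is added" behaviour Corion suggests, as an added example that is not part of the original thread. The request patterns are paths Nimda and Code Red were commonly seen requesting; the log lines and addresses are constructed.

```perl
#!/usr/bin/perl
# Added example (not from the thread): pick Nimda / Code Red probes out of
# Apache access-log lines and flag each source address the first time it appears.
use strict;
use warnings;

# Request paths these worms were widely seen probing for on IIS.
my @signatures = (
    [ 'Code Red' => qr{^/default\.ida\?}i ],
    [ 'Nimda'    => qr{/(?:root|cmd)\.exe\?}i ],
);

# Parse one Common Log Format line; return (ip, worm) or an empty list.
sub classify {
    my ($line) = @_;
    my ($ip, $path) = $line =~ m{^(\S+) \S+ \S+ \[[^\]]*\] "[A-Z]+ (\S+)}
        or return;
    for my $sig (@signatures) {
        my ($name, $re) = @$sig;
        return ($ip, $name) if $path =~ $re;
    }
    return;
}

# Constructed sample lines (documentation addresses, shortened requests).
my @log = (
    '192.0.2.10 - - [06/Nov/2001:09:01:12 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276',
    '192.0.2.10 - - [06/Nov/2001:09:01:13 +0000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290',
    '192.0.2.44 - - [06/Nov/2001:09:02:40 +0000] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 272',
    '192.0.2.7 - - [06/Nov/2001:09:03:05 +0000] "GET /index.html HTTP/1.0" 200 1043',
);

my %hits;    # ip => number of probe requests seen so far
for my $line (@log) {
    my ($ip, $worm) = classify($line) or next;
    # First sighting is the "first alert"; later hits only update the count.
    print "ALERT: new suspected $worm host $ip\n" unless $hits{$ip}++;
}
printf "%-15s %d probe request(s)\n", $_, $hits{$_} for sort keys %hits;
```

Replacing `@log` with lines read from the live access log, and the `print` with whichever notification channel survives an outbreak, gives both responses the question asks for without depending on the mail servers.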
Re: Virus Honey Pot
by Biker (Priest) on Nov 06, 2001 at 18:47 UTC

    Run a small dedicated SMTP server, and then:

    • Alert on a pager?
    • SMS to a mobile phone?
    • Use X10 to turn on or off the lights, sounds (the fire alarm would be a nice but bad idea ;-) or whatever have you?

    f--k the world!!!!
    /dev/world has reached maximal mount count, check forced.

      Sending a text message to a mobile phone at the first sign of trouble is very, very easy, and doesn't require email. Most of the mobile services that support text messaging have a web interface that you can POST to from a Perl script. (This is also an easy way to WOW management on Perl.)

      Consult the LWP documentation for sample form-posting code, or search the Monastery for examples. (I found one here that shows how to send a message via Sprint PCS.)

Re: Virus Honey Pot
by scottstef (Curate) on Nov 06, 2001 at 19:44 UTC
    I know this is off topic, but there is a LaBrea Tarpit. It is written in C, but it apparently will capture an infected connection and hold it, trying to prevent the spread of the virus.

    "The social dynamics of the net are a direct consequence of the fact that nobody has yet developed a Remote Strangulation Protocol." -- Larry Wall

Re: Virus Honey Pot
by rchiav (Deacon) on Nov 06, 2001 at 20:05 UTC
    Also a little off topic, but I'm really shocked that your administrators didn't do anything before this to protect the network. Granted, it's a pain, but when these holes became public knowledge, every server should have been upgraded, and every client should have had their browser upgraded. I know that some companies don't see the benefit of dedicating resources to this, but as they've now seen, the penalty for non-compliance is pretty large.

    As far as the Exchange servers, they could have been set up beforehand to strip off the offending attachments.

    As for your question, I'd send an email and a "net send" to a couple people.

    But as in most cases, the real solution is prevention. Not that it's your responsibility, but being an NT sys admin, it seems negligent that steps weren't taken to protect things before this.

