Anti-Nimda/Code Red Auto-Emailer

The Nimda and Code Red worms really annoy the hell out of me. It puts about 10-15% more load on my servers and is caused by some slack half-witted fool who calls themselves a system administrator who cannot be bothered to fix their joke of an operating system…

Now I got **that** off my chest, this script will send an email to [email protected]their_domain explaining that they should fix their computer. Note that you will quite often get a lot of bounce-backs
because idiots who run unpatched servers are that same sort of idiots that don’t have common mailbox names as spelt out in RFC 2142.
The script will also send one email per worm attack, so they can quite often get lots of emails, perhaps they will fix their server and stop being a nuisance of The Internet then.

To use this you will need apache (most likely running on something that is not Windows NT), the mod_rewrite module for apache and php.

First you need a file. I called it nimda.php and put in at /var/www/nimda.php but it can go anywhere. You will need to do some editing, you can change the message to whatever you like.

Then edit apache configuration file to the following:

RewriteEngine On
RewriteRule ^(.*/winnt/.*) /var/www/nimda.php?url=$1
RewriteRule ^(.*/scripts/.*) /var/www/nimda.php?url=$1
RewriteRule ^(.*/Admin.dll) /var/www/nimda.php?url=$1
Alias /default.ida /var/www/nimda.php?url=default.ida

If that damn worm comes visiting, it should work out the domain the worm is from and email the postmaster there. Note that you will get a fair few bounced emails but I have had some success with this approach with people taking notice. I’m still getting about 100 worm visits a day per computer though 🙁

Linux load numbers

Many utilities, such as top in [procps](http://procps.sf.net/) display the percentages of time the cpu is busy doing things such as userland programs, system calls or just idle. This page describes the file /proc/stat and how programs interpret the numbers they find.

I am the [Debian](http://www.debian.org/ maintainer for procps which contains top. Often I get bug reports about those numbers that appear at the top of top (called the summary area) so hopefully it will
help Debian users understand it too.

##The /proc/stat file
The file /proc/stat file is where the cpu numbers come from. As I am typing this, my single Athlon cpu computer running Linux 2.6.15 had the first two lines of the file looking like:

$ grep ^cpu /proc/stat
cpu  217174 10002 105629 7692822 90422 6491 22673 0
cpu0 217174 10002 105629 7692822 90422 6491 22673 0

The first thing you can see is I have 1 cpu, as there is only the aggregate line (starting with cpu) and then one individual cpu line (showing cpu0). Each field is describing how much time the cpu is been in various states, the values are in jiffies (more about them later). From left to right, the values are:

* Userland – running normal programs
* Nice – running niced programs
* System – running processes at the system level, eg the kernel
* Idle – CPU is doing nothing (running idle task)
* IOwait – CPU is waiting for IO to come back
* irq – servicing a hardware interrupt
* softirq – servicing a software interrupt
* Steal – To do with virtual machines, this cpu is waiting for the others

##Jiffies
Quite often the kernel doesn’t count time in seconds, but counts them in a unit called jiffies. There is a concept of a value called Hz or Hertz which is the number of jiffies in a second. Happily for us, we’re only
looking at percentages, so it doesn’t really matter.