The Nimda and Code Red worms really annoy the hell out of me. It puts about 10-15% more load on my servers and is caused by some slack half-witted fool who calls themselves a system administrator who cannot be bothered to fix their joke of an operating system…
Now I got **that** off my chest, this script will send an email to [email protected]their_domain explaining that they should fix their computer. Note that you will quite often get a lot of bounce-backs
because idiots who run unpatched servers are that same sort of idiots that don’t have common mailbox names as spelt out in RFC 2142.
The script will also send one email per worm attack, so they can quite often get lots of emails, perhaps they will fix their server and stop being a nuisance of The Internet then.
To use this you will need apache (most likely running on something that is not Windows NT), the mod_rewrite module for apache and php.
First you need a file. I called it nimda.php and put in at /var/www/nimda.php but it can go anywhere. You will need to do some editing, you can change the message to whatever you like.
Then edit apache configuration file to the following:
RewriteEngine On RewriteRule ^(.*/winnt/.*) /var/www/nimda.php?url=$1 RewriteRule ^(.*/scripts/.*) /var/www/nimda.php?url=$1 RewriteRule ^(.*/Admin.dll) /var/www/nimda.php?url=$1 Alias /default.ida /var/www/nimda.php?url=default.ida
If that damn worm comes visiting, it should work out the domain the worm is from and email the postmaster there. Note that you will get a fair few bounced emails but I have had some success with this approach with people taking notice. I’m still getting about 100 worm visits a day per computer though 🙁