Virus or Not?
David Nicol
nicold at umkc.edu
Wed Dec 5 20:54:01 CST 2001
Gerald Combs wrote:
>
> The packet is a plain vanilla TCP SYN packet. I'd assume it's benign, but
> the only way to be sure would be to temporarily spin up a web server on
> the internal interface so that the HTTP connection can complete, and
> capture it.
A web server is overkill. A simple program to listen at the socket
and save whatever arrives to a file would do. Something like faucet
from the netpipes package, or write a simple server based on the
examples in perldoc perlipc.

#!/usr/bin/perl -Tw
use strict;
use Socket;
use Carp;
my $EOL = "\015\012";
sub logmsg { print "$0 $$: @_ at ", scalar localtime, "\n" }
my $port = 80;
my $proto = getprotobyname('tcp');
socket(Server, PF_INET, SOCK_STREAM, $proto) || die "socket: $!";
setsockopt(Server, SOL_SOCKET, SO_REUSEADDR,
           pack("l", 1)) || die "setsockopt: $!";
bind(Server, sockaddr_in($port, INADDR_ANY)) || die "bind: $!";
listen(Server,SOMAXCONN) || die "listen: $!";
logmsg "server started on port $port";
my $paddr;
# No SIGCHLD handler is installed: this server never forks, so there is
# nothing to reap.
for ( ; $paddr = accept(Client,Server); close Client) {
    my($port,$iaddr) = sockaddr_in($paddr);
    # Reverse lookup can fail; fall back to a fixed label for the log line.
    my $name = gethostbyaddr($iaddr,AF_INET) || 'unknown';
    logmsg "connection from $name [",
           inet_ntoa($iaddr), "] at port $port";
    # Dump whatever the client sends; this loop ends when the peer closes.
    while(<Client>){print "$_\n"};
    print Client "Content-Type text/nonsense${EOL}",
                 "${EOL}jsgl;kjg;uhiubas${EOL}";
    # Client is closed by the for loop; Server stays open for the next one.
}
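
Added example, not part of the original post: a variant of the listener above that writes each connection's raw bytes to its own file and stops reading after an idle timeout or a size cap, so a client that waits for a reply cannot hold the capture open. The port 8080, the 64 KB cap, the 10 second timeout and the capture-*.bin file names are assumptions chosen for illustration.

```perl
#!/usr/bin/perl -w
# Added example: save what each inbound TCP connection sends to its own file.
use strict;
use Socket qw(SOMAXCONN);
use IO::Socket::INET;
use IO::Select;

my $port      = 8080;       # assumption: unprivileged port (the thread's case is 80)
my $max_bytes = 64 * 1024;  # assumption: per-connection cap so a peer cannot fill the disk
my $idle_secs = 10;         # assumption: give up when the peer is silent this long

my $server = IO::Socket::INET->new(
    LocalPort => $port,
    Proto     => 'tcp',
    Listen    => SOMAXCONN,
    ReuseAddr => 1,
) or die "listen on port $port: $!";
print scalar(localtime), " listening on port $port\n";

my $count = 0;
while (my $client = $server->accept) {
    # peerhost is a dotted-quad IPv4 string, so it is safe inside a file name.
    my $peer = $client->peerhost . '.' . $client->peerport;
    my $file = sprintf "capture-%d-%04d-%s.bin", time, ++$count, $peer;
    open(my $out, '>', $file) or die "open $file: $!";
    binmode $out;           # keep the bytes exactly as received

    # Unbuffered reads guarded by select(): the loop ends on EOF, on a read
    # error, at the size cap, or when nothing arrives for $idle_secs.
    my $sel   = IO::Select->new($client);
    my $total = 0;
    while ($total < $max_bytes && $sel->can_read($idle_secs)) {
        my $got = sysread($client, my $buf, 4096);
        last unless $got;   # 0 means the peer closed, undef means an error
        print {$out} $buf;
        $total += $got;
    }
    close $out or warn "close $file: $!";
    close $client;          # nothing is ever sent back to the peer
    print scalar(localtime), " $peer: $total bytes saved to $file\n";
}
```

Run it from an empty directory on the host that receives the SYN packets, then inspect the saved files with a hex viewer rather than opening them in a browser or editor that might interpret the content.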