@(#)README.TXT for coderedscan.c v2.4 08/11/2001 Kirby Kuehl and Rob Thomas
@(#)kkuehl@cisco.com robt@cymru.com

coderedscanner version 2.x
Send all bug reports and suggestions to:
Kirby Kuehl - kkuehl@cisco.com

Extraction
	Unix Extraction:
	gzip -dc coderedscan.tar.gz | tar xvf -
	(gzip -d without -c decompresses in place and writes nothing to
	stdout, so the pipe would be empty.)

	Windows Extraction:
	Winzip

Compilation:
	The included Makefile should cover most versions of Solaris, Linux,
	and FreeBSD.  To build coderedscan, type:
	make
	
	NOTE: If you would like more verbose output, add -DVERBOSE
	to the gcc options.

Usage:
	To scan a single host: ./coderedscan -h <ip address or hostname>
	To scan a range of hosts: ./coderedscan -s <starting ip> -e <ending ip>
	To scan a list of hosts from a text file: ./coderedscan -l <list.txt>
	To enable threaded scanning (multiple concurrent scans): -t <max threads>
	To set the per-thread timeout (default 15 seconds): -c <timeout in seconds>

Threads notes:
	The maximum number of concurrent threads is hard-coded to 255.  Giving
	an argument greater than 255 yields a max_thread value of 255.  By
	default, the maximum number of threads is 1.  Be careful with threads
	on a low-end host: many concurrent scans can overwhelm it.

	The default timeout for the threads is 15 seconds.  The timeout cannot
	be set below five seconds.

What does coderedscan do?

	1. Checks for open port 80 (http)
	2. Determines whether the server on port 80 is Microsoft IIS.
	   If the Server header is not Microsoft IIS, the scan of that host stops.
	3. Sends "GET
/x.ida?AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=X
HTTP/1.1\r\nHost: CiscoTest\r\n\r\n"

	  The error string in the response tells you whether the system
	  is patched:
	  Patched:   Error 0x80040e14 caught while processing query
	  Unpatched: Error 0xc0000005 caught while processing query
	  (0xc0000005 is an access violation: the unpatched ida.dll faulted
	  on the overlong query.  A patched server rejects the query and
	  reports 0x80040e14 instead.)

	4. Checks for Variant 2 backdoors by requesting:
	   "GET /scripts/root.exe?/c+dir\r\n\r\n"
	   "GET /msadc/root.exe?/c+dir\r\n\r\n"
	   "GET /c/inetpub/scripts/root.exe?/c+dir\r\n\r\n"
	   "GET /d/inetpub/scripts/cmd.exe?/c+dir\r\n\r\n"
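The four steps above, re-implemented as an added Python example.  This is
not the coderedscan C source; it is a separate illustration of the same
probe sequence.  The classification logic works on raw response bytes so
it can be exercised offline against the constructed sample responses
embedded below; only scan_host() touches the network.  Assumptions are
marked in comments: the x.ida padding length (224 bytes, the length the
worm's own request used; the README wraps the string, so its exact count
is not recoverable here), the HEAD / banner request used to read the
Server header, and the "Directory of" banner used to recognize cmd.exe
output from a backdoor.

```python
"""Added example: the coderedscan probe sequence in Python (not the C tool)."""
import re
import socket
import sys

# Assumption: 224 bytes of padding, as in the worm's own request.
IDA_PAD_LEN = 224
IDA_PROBE = (b"GET /x.ida?" + b"A" * IDA_PAD_LEN
             + b"=X HTTP/1.1\r\nHost: CiscoTest\r\n\r\n")

# Backdoor requests exactly as listed in the README.  They carry no HTTP
# version, so IIS answers them HTTP/0.9 style: body only, no status line.
BACKDOOR_PROBES = [
    b"GET /scripts/root.exe?/c+dir\r\n\r\n",
    b"GET /msadc/root.exe?/c+dir\r\n\r\n",
    b"GET /c/inetpub/scripts/root.exe?/c+dir\r\n\r\n",
    b"GET /d/inetpub/scripts/cmd.exe?/c+dir\r\n\r\n",
]

# Constructed sample responses for offline use (not captured traffic).
SAMPLE_RESPONSES = {
    "unpatched": (b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\n\r\n"
                  b"<HTML>Error 0xc0000005 caught while processing query</HTML>"),
    "patched": (b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\n\r\n"
                b"<HTML>Error 0x80040e14 caught while processing query</HTML>"),
    "no_ida": b"HTTP/1.1 404 Object Not Found\r\nServer: Microsoft-IIS/4.0\r\n\r\n",
    "backdoor": b" Volume in drive C has no label.\r\n Directory of C:\\inetpub\\scripts\r\n",
}


def status_code(resp):
    """Return the HTTP status code from a raw response, or 0 if there is none."""
    m = re.match(rb"HTTP/\d\.\d (\d{3})", resp)
    return int(m.group(1)) if m else 0


def is_iis(resp):
    """Step 2: True if the Server header identifies Microsoft IIS."""
    head = resp.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n"):
        if line.lower().startswith(b"server:"):
            return b"microsoft-iis" in line.lower()
    return False


def classify_ida(resp):
    """Step 3: map the x.ida response to patched / unpatched / no-ida-mapping."""
    if b"0xc0000005" in resp:
        return "unpatched"        # ida.dll faulted on the overlong query
    if b"0x80040e14" in resp:
        return "patched"          # query rejected cleanly
    if status_code(resp) == 404:
        return "no-ida-mapping"   # .ida not mapped; the v2.4 404 case
    return "unknown"


def backdoor_hit(resp):
    """Step 4: a live backdoor returns cmd.exe 'dir' output (assumed banner)."""
    return b"Directory of" in resp or b"<DIR>" in resp


def http_exchange(host, request, port=80, timeout=15):
    """Send one raw request and return everything the server sends back."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request)
        chunks = []
        while True:
            try:
                data = s.recv(4096)
            except socket.timeout:
                break
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def scan_host(host, port=80, timeout=15):
    """Run all four steps against one host; returns a result dict."""
    timeout = max(timeout, 5)  # README: timeout cannot go below five seconds
    result = {"host": host, "open": False, "iis": False, "ida": None, "backdoors": []}
    try:  # Step 1: is port 80 open?  Assumed banner request: HEAD /
        banner = http_exchange(host, b"HEAD / HTTP/1.0\r\nHost: " + host.encode()
                               + b"\r\n\r\n", port, timeout)
    except OSError:
        return result
    result["open"] = True
    if not is_iis(banner):
        return result             # not IIS: scan of this host stops
    result["iis"] = True
    result["ida"] = classify_ida(http_exchange(host, IDA_PROBE, port, timeout))
    for probe in BACKDOOR_PROBES:
        if backdoor_hit(http_exchange(host, probe, port, timeout)):
            result["backdoors"].append(probe.split()[1].decode())
    return result


def demo():
    """Classify the constructed samples offline."""
    return {name: classify_ida(r) for name, r in SAMPLE_RESPONSES.items()
            if name != "backdoor"}


if __name__ == "__main__":
    print(scan_host(sys.argv[1]) if len(sys.argv) > 1 else demo())
```

Run it with a hostname argument to scan one host, or with no argument to
see the offline classification of the sample responses.  The backdoor
check deliberately does not require a status line, because the README's
root.exe requests omit the HTTP version and IIS replies to such requests
with the body alone.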


Version 2.3:
	. Added POSIX threads support.
	. Added a Makefile.

Version 2.4:
	. Compensated for a possible threads issue in some Solaris 8
	  implementations.
	. Added additional check for IIS 4 servers.
	. Improved signal handling for the threads.  This included the
	  addition of pthread_detach() to avoid the lengthy TCP
	  connection attempt timeout.
	. Added -c <timeout in seconds> option so that a scan timeout
	  value could be easily set.  The default timeout is 15 seconds.
	. Added code to handle 404 error message from GET x.ida.
	. Testing, testing, testing.  :)

