CODE(red)Hunt V1.5 Public Release 09-10-2001
=============================================

check for updates at http://codehunt.sourceforge.net

Purpose:
========

This system is made for passive monitoring of the network. It looks for
certain GET requests issued to port 80 on the web servers; in this case it
looks for CODE RED attacks. It's easy to modify the package to monitor for
virtually whatever you want, it's just a matter of the selection criteria.

The package itself is a complete web server including PHP and MySQL. It's a VERY
powerful package capable of doing virtually whatever you want.

Legal:
======

The CODE(red)Hunter team takes no responsibility for ANY harm caused due to use of CODE(red)
Hunter. Use it at your own risk!

Licence:
========

All software included in this package is copyrighted by its respective owners.

You may include this package on PC magazine CD-ROMs or similar packages. But it is
forbidden to make money commercially from this package. It's released to be free, and let
us keep it that way.

All I ask for is input about the package, please let me know if you use it. 

Installation:
=============

Run codehunt.exe. From the Programs menu choose "CODEHUNT - Start CODEHUNT".
I recommend that you move this into the AUTOSTART folder, or install Apache as a service.

A DOS window for Apache will appear. DO NOT close it.

Test the installation by surfing to 127.0.0.1 (localhost). A welcome screen should appear.


Click on the reports to try them.

*WARNING* with this package I've included a sample access.log file containing CODERED
attack logs. If you want to get rid of it in the future, just stop the Apache service,
delete C:\redhunt\logs\access.log and restart the service again.


Configuration:
==============

I strongly recommend that you take a look at C:\REDHUNT\HTDOCS\INFO.PHP. It contains quite
a lot of options for you to alter the configuration with. It's all documented in the comments.
The most important variables to change are the IP address of the FTP server (if you want to use
that feature) and the MAIL/NOMAIL option.


Reporting:
==========

CODE(Red) Hunter is very flexible with reporting. It currently supports on-screen reporting,
FTP/file output reporting and sending reports by e-mail. FTP output is ideal if you set up a big
network of CODE(Red) Hunt machines.

To access the reports, surf to the host's IP address, or to 127.0.0.1 if it's on the local
machine.

The system issues reports in two ways: either on screen or sent by FTP to another
server. The FTP option is great if you set up a big network of CODEHUNT machines.

You can also display on-screen reports.

By default CRH is shipped with WinCRON. It's a CRON utility similar to the UN*X
versions of it. The cron is set up to run reports every 12th hour, although the interval
can be changed by editing C:\REDHUNT\CRONTAB. Please refer to WinCRON.HTML for
more information.

If you want to automate reporting using the 'AT' command from WINNT/2K or using
other kinds of task schedulers, here's the command line to use (yeah, you can run PHP from DOS!):

C:\REDHUNT\PHP\PHP -f C:\REDHUNT\HTDOCS\coderedreport.php

The report format:

ref;datetime;hostip;type

ref = Not displayed in on-screen and mail reports; there it's null.
datetime = well, figure it out :)
hostip = The IP address of the offending host
type = Types 1 and 2 stand for CodeRed I and II. If you encounter a ZERO it's an unknown attack type;
you should investigate it a bit further.
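To make the report format concrete, here is an added Python example (not code from CODE(red)Hunt, whose reports are generated by PHP) that reads Apache access.log lines and emits records in the ref;datetime;hostip;type layout above. It assumes the publicly documented Code Red request shape, a GET for /default.ida? followed by a long run of N (Code Red I) or X (Code Red II), which this readme does not spell out; the log lines are constructed.

```python
import re
from datetime import datetime

# Constructed Apache common-log-format sample, not the access.log shipped with the package.
# Real worm requests carried a far longer filler plus an encoded payload; only the path
# and the leading filler letters matter for classification here.
SAMPLE_ACCESS_LOG = """\
192.0.2.10 - - [19/Jul/2001:14:02:11 +0200] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 -
192.0.2.11 - - [04/Aug/2001:09:15:43 +0200] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 -
192.0.2.12 - - [05/Aug/2001:10:00:00 +0200] "GET /default.ida?AAAAAAAAAAAAAAAAAAAAAAAA HTTP/1.0" 404 -
192.0.2.13 - - [05/Aug/2001:10:01:00 +0200] "GET /index.html HTTP/1.1" 200 1542
192.0.2.14 - - [05/Aug/2001:10:02:00 +0200] "POST /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 -
"""

# host ident user [timestamp] "METHOD path protocol" status bytes
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*"'
)

def classify_request(method: str, path: str):
    """Map one request to the readme's type field: 1 = Code Red I (GET /default.ida?
    with a run of N), 2 = Code Red II (run of X), 0 = another /default.ida? probe of
    unknown type that deserves a closer look, None = ordinary traffic, not reported."""
    if method != "GET" or not path.lower().startswith("/default.ida?"):
        return None
    filler = path.split("?", 1)[1][:8]
    if filler == "N" * 8:
        return 1
    if filler == "X" * 8:
        return 2
    return 0

def build_report(log_text: str, ref: str = "") -> list:
    """Return 'ref;datetime;hostip;type' records for every suspicious request.
    ref stays empty by default, like the null ref of on-screen and mail reports;
    unparsable lines and ordinary traffic are skipped."""
    records = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        attack_type = classify_request(m["method"], m["path"])
        if attack_type is None:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        records.append(f"{ref};{ts:%Y-%m-%d %H:%M:%S};{m['ip']};{attack_type}")
    return records

if __name__ == "__main__":
    print("\n".join(build_report(SAMPLE_ACCESS_LOG)))
```

Pass a non-empty ref to tag records from each sensor when collecting FTP output from several CODEHUNT machines.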


Problems?:
==========

It's possible that APACHE will go crazy if you already have other applications listening
on port 80. Try to identify them and disable them. Since CodeRed ONLY strikes on
port 80, it's impossible to move this to another port.

I personally run Code(Red) Hunter on a machine that runs a web-mail server on another
TCP/IP port. Although if you're not sure of what you're doing, I recommend that you use
old obsolete computers for this purpose.


Uninstall:
==========

Use the provided uninstall in the Programs menu. You can also use C:\REDHUNT\nsuninst.exe.

Beware, when uninstalling it really deletes *EVERYTHING* that is inside the C:\REDHUNT folder.
Please make sure to back up files you may want to keep.



History:
========

Ver 1.5
*FIX Shortcuts fixed for Stop CODERED (Andreas Ott)
*FIX No file output when running nosql=true (Andreas Ott)
*FIX De-installation fix for Start CODERED in Startup folder. (It tried to launch
 a deleted program after reboot.) (MT)
*NEW CRON support by using WINCRON by graysteel@erols.com
*FIX Some small detail errors in this readme that were referring to the internal release.
*NEW EMAIL support. You can have the reports mailed to you. (DON'T forget you need to enable it)

Ver 1.00 
*NEW First initial release 

Ver 0.99 
*NEW Released as a private beta. Distributed to IT Europe at my job. 
*NEW Added FTP Output reporting.

TODO:
=====

Anticipated for the future:
* Better support for other kinds of attacks.
* e-mail reports. (you need access to SMTP server)
* faster search mechanism. 
* easy configuration


Contact:
========

fredrik@vinterbarn.com

icq: 2664489
