AVirCAP aka: CODE(red)Hunter V2.0 Public Release 09-30-2001
===========================================================


check for updates at http://www.romlist.com/codered

Purpose: 
========

This system passively monitors the network. It looks for certain GET requests issued
to port 80 on the web servers; in this case it looks for CODE RED and NIMDA attacks.
It is easy to modify the package to monitor for virtually whatever you want; it's just
a matter of selection criteria. All you need is some basic knowledge of regular expressions.

The package itself is a complete web server including PHP and MySQL. It's a VERY
powerful package capable of doing virtually whatever you want.

AVirCAP was previously known as Code(Red) Hunter. I decided to develop this tool a bit
further, and a name change was needed.

Legal:
======

The AVirCAP team takes no responsibility for ANY harm caused by the use of AVirCAP.
Use it at your own risk!

Licence:
========

All software included in this package is copyrighted by its respective owners.

You may include this package on PC magazine CD-ROMs or similar packages, but it is
forbidden to make money commercially from this package. It's released to be free, and let's
keep it that way.

All I ask for is feedback about the package; please let me know if you use it.

Package contents:
=================

AVirCAP consists of the following components:

Apache 1.3.20
WinCron 1.0
PHP 4.0.6 
MySQL 3.23.32
AVirCAP 2.0

You are not able to install the components one by one. It's all or nothing :-) You can,
however, download the source of AVirCAP from http://www.romlist.com/codered/downloadsrc.php


Installation:
=============

Run avircap.exe to install. When installation is finished, choose "AVirCAP - Start AVirCAP"
from the Programs menu. I recommend you move this shortcut into the AUTOSTART folder,
or install Apache as a service.

A DOS window for Apache will appear. DO NOT close it.

Test the installation by surfing to 127.0.0.1 (localhost). A welcome screen should appear.


Click on the reports to try them.

*WARNING* with this package I've included a sample access.log file containing CODE RED and
NIMDA attack logs. If you want to get rid of it in the future, just stop the Apache service,
delete C:\redhunt\logs\access.log and restart the service again.


Configuration:
==============

I strongly recommend that you take a look at C:\REDHUNT\HTDOCS\INFO.PHP. It contains quite
a lot of options for you to alter the configuration with; it's all documented in the comments.
The most important variables to change are the IP address of the FTP server (if you want to use
that feature) and the MAIL/NOMAIL option.


Reporting:
==========

To access the reports, connect with your web browser to the host's IP address, or to http://127.0.0.1
if it's on the local machine.

The system issues reports in a few ways: on screen, sent by FTP to another server,
emailed to your email address, and also stored in a local MySQL database which you
can access via ODBC or using the mysql client. The FTP and EMAIL options are great if you set up a
big network of AVirCAP machines.

You can also display on-screen reports in different flavours, such as "Detailed attack information
per host." This report includes a subset of the other reports.

By default AVirCAP (CRH) is shipped with WinCRON, a cron utility similar to the UN*X
versions. The cron is set up to run reports every 12 hours; the interval
can be changed by editing C:\REDHUNT\CRONTAB. Please refer to WinCRON.HTML for
more information.

If you want to automate reporting using the 'AT' command on WINNT/2K or other kinds
of task schedulers, here's the command line to use (yes, you can run PHP from DOS!):

C:\REDHUNT\PHP\PHP -f C:\REDHUNT\HTDOCS\coderedreport.php

The report format:

ref;datetime;hostip;type

ref = Not displayed in on-screen and mail reports; there it is Null
datetime = well, figure it out :)
hostip = The IP address of the offending host
type = Types 1 and 2 stand for Code Red I and II; 3 and above are NIMDA types of attacks.
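To show the kind of regular-expression selection criteria the Purpose section describes, and the report format above, here is an added Python example (not part of the AVirCAP package, which is written in PHP) that scans Apache common-log lines for Code Red and Nimda request patterns and emits ref;datetime;hostip;type rows plus a per-host count. The signatures, the type-code assignment and the sample log lines are my own assumptions, not the package's rules.

```python
import re
from collections import Counter
from datetime import datetime
# Assumed signatures (not the package's own rules); type codes follow the README:
# 1 and 2 = Code Red I and II, 3 = Nimda-style root.exe / cmd.exe probes.
SIGNATURES = [
    (1, re.compile(r"GET /default\.ida\?N+")),        # Code Red I: N padding
    (2, re.compile(r"GET /default\.ida\?X+")),        # Code Red II: X padding
    (3, re.compile(r"(root\.exe|cmd\.exe)", re.I)),   # Nimda
]

CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) ')  # common log format

# Constructed sample access.log lines; the 10.0.0.x hosts are placeholders.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Sep/2001:13:22:01 +0200] "GET /default.ida?NNNNNNNNNNNN%u9090%u6858 HTTP/1.0" 404 289
10.0.0.7 - - [18/Sep/2001:13:23:10 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 280
10.0.0.7 - - [18/Sep/2001:13:23:11 +0200] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 280
10.0.0.9 - - [18/Sep/2001:13:24:00 +0200] "GET /index.html HTTP/1.0" 200 1024
10.0.0.5 - - [18/Sep/2001:13:25:30 +0200] "GET /default.ida?XXXXXXXXXXXX%u9090%u6858 HTTP/1.0" 404 289
"""

def classify(request):
    """Return the attack type code for one request line, or None if benign."""
    for code, pattern in SIGNATURES:
        if pattern.search(request):
            return code
    return None

def scan_log(text):
    """Return report rows (ref, datetime, hostip, type); ref is empty on screen."""
    rows = []
    for line in text.splitlines():
        m = CLF.match(line)
        if not m:
            continue  # not in common log format, skip
        host, stamp, request, _status = m.groups()
        code = classify(request)
        if code is not None:
            when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
            rows.append(("", when.strftime("%Y-%m-%d %H:%M:%S"), host, code))
    return rows

def format_report(rows):
    """Render rows as the semicolon-separated ref;datetime;hostip;type lines."""
    return "\n".join(f"{ref};{dt};{host};{code}" for ref, dt, host, code in rows)

def per_host(rows):
    """Attack count per (host, type), as in the detailed per-host report."""
    return Counter((host, code) for _ref, _dt, host, code in rows)
```

Point scan_log at the contents of C:\redhunt\logs\access.log to run it against the shipped sample file instead of the constructed lines.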


Problems?:
==========

It's possible that APACHE will go crazy if you already have other applications listening
on port 80. Try to identify them and disable them. Since Code Red and Nimda ONLY strike on
port 80, it's impossible to move this to another port.

All relevant variables are listed in the debug window (http://localhost). Pay attention to it.

I personally run AVirCAP on a machine that runs a web-mail server on another
TCP/IP port. If you're not sure of what you're doing, however, I recommend you use
old, obsolete computers for this purpose.

In some cases when using web proxies, it's possible that you are redirected to the wrong
address. In my case I was redirected to the corporate proxy administration. It's not a bug in
AVirCAP; more probably it's the proxy configuration.

Uninstall:
==========

Use the provided uninstaller in the Programs menu. You can also use C:\REDHUNT\nsuninst.exe

Beware: when uninstalling, it really deletes *EVERYTHING* inside the C:\REDHUNT folder.
Please make sure to back up any files you may want to keep.


History:
========

Ver 2.0
*RENAMED Code(Red) Hunter is now known as AVir(us)CAP(turer)
*NEW Finds NIMDA types of attacks
*NEW Detailed attack information per host is added. It includes DNS lookup, attack type and number
of attacks issued per host.
*NEW Simplified search routines. New viruses/attack types can be easily added.
*ADD More configurable file upload and mail send options.
*NEW Debug information is displayed in the index.php screen. (http://127.0.0.1/index.php)
*FIX A shameless bug which made FTP reports cease working.
*UPGRADE Upgraded Apache to 1.3.20

Ver 1.5 
*NEW EMAIL support. You can have the reports mailed to you. (DON'T forget you need to enable it)
*NEW CRON support by using WINCRON by graysteel@erols.com
*FIX Shortcuts fixed for Stop CODERED (Andreas Ott)
*FIX No file output when running nosql=true (Andreas Ott)
*FIX De-installation fix for Start CODERED in Startup folder. (It tried to launch
 a deleted program after reboot.) (MT)
*FIX Some small detail errors in this readme that were referring to the internal release.

Ver 1.00 
*NEW First release

Ver 0.99 
*NEW Released as a private beta. Distributed to IT Europe at my job. 
*NEW Added FTP Output reporting.

TODO:
=====

Anticipated for the future:

* faster search mechanism. 
* easy configuration.
* add a few more distributable reports.

contact:
========

fredrik@vinterbarn.com

icq: 2664489
