[70893] in North American Network Operators' Group
Re: What HTTP exploit?
daemon@ATHENA.MIT.EDU (Suresh Ramasubramanian)
Sun May 30 21:19:32 2004
Date: Mon, 31 May 2004 06:48:42 +0530
From: Suresh Ramasubramanian <suresh@outblaze.com>
To: Richard Welty <rwelty@averillpark.net>
Cc: nanog@merit.edu
In-Reply-To: <Mahogany-0.66.0-19261-20040530-195754.00@averillpark.net>
Errors-To: owner-nanog-outgoing@merit.edu
Richard Welty [30/05/04 19:57 -0400]:
> # control logging
> SetEnvIf Request_URI "^/default.ida?" dontlog
> SetEnvIf Request_Method "SEARCH" dontlog
Nathan Torkington's vermicide helps - (needs mod_perl)
srs
# this goes into your httpd.conf file
#
# the push_handlers line below prevents logging of worm requests
# remove that line if you want to know who's been contacting you
<Perl>
{
    package Apache::Vermicide;
    use Apache::Constants qw(:common :response);

    sub handler {
        my $r = shift;
        if ($r->uri() =~ /root\.exe|cmd\.exe|default\.ida/i) {
            $r->push_handlers(PerlLogHandler => sub { return BAD_REQUEST });
            return BAD_REQUEST;
        }
        return DECLINED;
    }
}
</Perl>
PerlPostReadRequestHandler Apache::Vermicide
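
Added example, not part of the original message or of vermicide: if the push_handlers line is removed so that worm requests stay in the access log, a short script can tally them per source host using the same signatures that appear above (the vermicide URI pattern and the SEARCH method). It assumes Common Log Format; the function names and the sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "([^"]*)" (\d{3}) (\S+)')

# Signatures taken from the message above: vermicide's URI pattern and
# the SetEnvIf rule on the SEARCH method.
WORM_URI = re.compile(r'root\.exe|cmd\.exe|default\.ida', re.I)
WORM_METHODS = {"SEARCH"}

def classify(line):
    """Return (host, is_worm) for one log line, or None if it does not parse."""
    m = CLF.match(line)
    if not m:
        return None
    host, request = m.group(1), m.group(2)
    parts = request.split(" ")
    method = parts[0]
    # Like $r->uri() in the handler, match on the path only, not the query.
    path = parts[1].split("?", 1)[0] if len(parts) > 1 else ""
    return host, method in WORM_METHODS or bool(WORM_URI.search(path))

def tally(lines):
    """Count worm probes per source host; keep the ordinary lines."""
    probes, clean, unparsed = Counter(), [], 0
    for line in lines:
        result = classify(line)
        if result is None:
            unparsed += 1
        elif result[1]:
            probes[result[0]] += 1
        else:
            clean.append(line)
    return probes, clean, unparsed

# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [30/May/2004:19:57:01 -0400] "GET /default.ida?XXXX HTTP/1.0" 404 205',
    '192.0.2.10 - - [30/May/2004:19:57:02 -0400] "GET /scripts/root.exe HTTP/1.0" 404 210',
    '198.51.100.7 - - [30/May/2004:19:58:10 -0400] "SEARCH / HTTP/1.1" 411 -',
    '203.0.113.5 - - [30/May/2004:19:59:00 -0400] "GET /index.html HTTP/1.1" 200 1043',
    'garbage line',
]

if __name__ == "__main__":
    probes, clean, unparsed = tally(SAMPLE)
    for host, n in probes.most_common():
        print(f"{host}\t{n}")
    print(f"{len(clean)} ordinary request(s), {unparsed} unparsable line(s)")
```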