Posted to modperl@perl.apache.org by Mithun Bhattacharya <mi...@egurucool.com> on 2001/09/20 05:17:03 UTC

Re: New Micro$oft vulnerability?

Just a thought but why are we even bothering about doing a complete
response cycle for the probes ??? I mean nobody is actually going to
care what my server says is it ?? I was thinking more about closing
connection as soon as I figure out the URI. That way my server stays
more productive and my outgoing bandwidth is also saved to an extent.
Firstly I am not even sure how to terminate the response cycle at any
given stage if at all possible. Secondly if I am sure I don't have a
cmd.exe or root.exe to serve from my website should I still bother to
complete the cycle ??



Mithun

Re: New Micro$oft vulnerability?

Posted by Michael <mi...@bizsystems.com>.
> Just a thought but why are we even bothering about doing a complete
> response cycle for the probes ??? I mean nobody is actually going to
> care what my server says is it ?? I was thinking more about closing
> connection as soon as I figure out the URI. That way my server stays
> more productive and my outgoing bandwidth is also saved to an extent.

I've been following this thread for a while and have adapted the 
various posts to build what I think is the minimal module to 
eliminate the logging and terminate the response from apache asap.
This is very similar to Apache::Vermicide (thank you!)

The handler is inserted at the first point where apache 
<location> directives can be used.
#########################################
# trap exploits of nimda & code-red compromised systems.
# version 1.06 9-20-01 michael@bizsystems.com
<perl>
{
  package Apache::VirusLogZapper;
  use Apache::Constants qw(:common :response);

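  # set to 0 to suppress the one-line error_log entry as well
  my $ERRORLOG = 1;

  sub handler {
    my $r = shift;
    if ($ERRORLOG) {
      # capture in list context so a stale $1 is never logged
      my ($probe) = $r->uri =~ /(cmd\.exe|root\.exe|default\.ida)/;
      $r->log_error(__PACKAGE__, ' ',
                $r->get_remote_host, ' ', defined $probe ? $probe : '-');
    }
    # swallow the access-log phase for this request, then end the cycle
    $r->push_handlers(PerlLogHandler => sub {return DONE});
    return DONE;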
  }
}
</perl>

<LocationMatch "(cmd\.exe|root\.exe|default\.ida)">
  SetHandler perl-script
  PerlHeaderParserHandler Apache::VirusLogZapper
</LocationMatch>
#########################################

I put all this in a small include file called 'virus.pl'  and include 
it in the httpd.conf file with a single line

 Include /usr/local/apache/conf/virus.pl

Michael
Michael@bizsystems.com
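
Added example, not part of the posts above: a stand-alone Perl script that tallies these probes per client from Common Log Format lines, using the same three file names the handler traps. The function name, the log layout and the sample lines are assumptions made for the illustration; the sample lines are constructed.

```perl
#!/usr/bin/perl
# Added illustration: count worm probes per client in access-log lines.
use strict;
use warnings;

# Dots are escaped so they match literally; an unescaped "." would also
# match "cmd-exe" in an ordinary page name.
my $PROBE = qr/(cmd\.exe|root\.exe|default\.ida)/;

# Returns { host => { file_name => count } } for Common Log Format lines.
sub tally_probes {
    my @lines = @_;
    my %seen;
    for my $line (@lines) {
        # host ident user [time] "METHOD uri PROTO" status bytes
        my ($host, $uri) = $line =~ /^(\S+) \S+ \S+ \[[^\]]*\] "\S+ (\S+)/
            or next;                    # skip lines that do not parse
        $uri =~ s/\?.*//s;              # match on the path, not the query string
        my ($name) = $uri =~ $PROBE or next;
        $seen{$host}{$name}++;
    }
    return \%seen;
}

# Constructed sample lines (documentation addresses, not real traffic).
my @sample = (
    '192.0.2.10 - - [20/Sep/2001:05:01:02 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276',
    '192.0.2.10 - - [20/Sep/2001:05:01:03 +0000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290',
    '192.0.2.10 - - [20/Sep/2001:05:01:04 +0000] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290',
    '198.51.100.7 - - [20/Sep/2001:05:02:10 +0000] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 274',
    '203.0.113.5 - - [20/Sep/2001:05:03:00 +0000] "GET /docs/cmd-exe-notes.html HTTP/1.0" 200 5120',
    '203.0.113.5 - - [20/Sep/2001:05:03:01 +0000] "GET /index.html HTTP/1.0" 200 1043',
);

my $seen = tally_probes(@sample);
for my $host (sort keys %$seen) {
    for my $name (sort keys %{ $seen->{$host} }) {
        printf "%-15s %-12s %d\n", $host, $name, $seen->{$host}{$name};
    }
}
```

The request for /docs/cmd-exe-notes.html is not counted because the dots in the pattern are escaped.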