Posted to modperl@perl.apache.org by David Young <dy...@nettonettech.com> on 2001/10/29 06:10:21 UTC

[OT] Nimda, etc (was: New mod_perl hacker wannabe . . .)

FWIW, Apache::CodeRed seemed like a good idea for a while, and then Nimda
showed up, and it was apparent no one was actually doing anything about the
infected machines. I got sick of the notifications and the junk in my error
log, so I resorted to this handler:

  <LocationMatch "\.(ida|exe)$">
    SetHandler perl-script
    PerlHandler "sub { return OK; }"
  </LocationMatch>



> From: "John Michael" <jo...@acadiacom.net>
> Date: Sun, 28 Oct 2001 20:27:03 -0600
> To: <mo...@apache.org>
> Subject: Re: New mod_perl hacker wannabe . . .
> 
> My server is constantly getting scanned by various hacking robots.  I will
> get hundreds of these a day or more sometimes.
> 
> [Sun Oct 28 18:51:00 2001] [error] [client 64.81.175.236] File does not
> exist: /home/usr1/digital/html/scripts/root.exe
> [Sun Oct 28 18:51:01 2001] [error] [client 64.81.175.236] File does not
> exist: /home/usr1/digital/html/MSADC/root.exe
> [Sun Oct 28 19:28:29 2001] [error] [client 64.81.41.2] File does not exist:
> /home/usr1/digital/html/scripts/root.exe
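
Added example (not part of any poster's message): a small Python script that summarizes, per client, the error_log entries that the thread's LocationMatch pattern would catch, for instance to gauge probe volume before silencing them. The first three sample lines are the ones quoted above, re-joined onto single lines; the fourth (192.0.2.10) is constructed.

```python
import re
from collections import Counter
from datetime import datetime

# Apache 1.3 error_log "File does not exist" entry, in the format quoted in the thread.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<client>[^\]]+)\] "
    r"File does not exist: (?P<path>\S+)$"
)
# Same pattern the thread's <LocationMatch> block uses to pick out worm probes.
PROBE_RE = re.compile(r"\.(ida|exe)$")

# Lines 1-3: quoted in the thread. Line 4: constructed, an ordinary missing file.
SAMPLE_LOG = """\
[Sun Oct 28 18:51:00 2001] [error] [client 64.81.175.236] File does not exist: /home/usr1/digital/html/scripts/root.exe
[Sun Oct 28 18:51:01 2001] [error] [client 64.81.175.236] File does not exist: /home/usr1/digital/html/MSADC/root.exe
[Sun Oct 28 19:28:29 2001] [error] [client 64.81.41.2] File does not exist: /home/usr1/digital/html/scripts/root.exe
[Sun Oct 28 19:30:02 2001] [error] [client 192.0.2.10] File does not exist: /home/usr1/digital/html/favicon.ico
"""

def summarize_probes(log_text):
    """Return {client: {"count", "first", "last", "paths"}} for probe entries only."""
    summary = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or not PROBE_RE.search(m["path"]):
            continue  # not a file-not-found entry, or not a .ida/.exe request
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        entry = summary.setdefault(
            m["client"], {"count": 0, "first": ts, "last": ts, "paths": Counter()}
        )
        entry["count"] += 1
        entry["first"] = min(entry["first"], ts)
        entry["last"] = max(entry["last"], ts)
        # Keep only the last two path components, e.g. "scripts/root.exe".
        entry["paths"]["/".join(m["path"].split("/")[-2:])] += 1
    return summary

if __name__ == "__main__":
    for client, e in sorted(summarize_probes(SAMPLE_LOG).items()):
        print(client, e["count"], e["first"], e["last"], dict(e["paths"]))
```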


Re: [OT] Nimda, etc (was: New mod_perl hacker wannabe . . .)

Posted by Stas Bekman <st...@stason.org>.
John Michael wrote:

> I tried
> PerlPostReadRequestHandler Apache::DONE
> and apache would not start
> 
> I changed it to:
> <LocationMatch "\.(ida|exe)$">
> SetHandler perl-script
> PerlInitHandler Apache::DONE
> </LocationMatch>
> 
> Apache then started
> And it looks for the module DONE.pm


My bad, should have tested and not sent things off my head :(
Try this:

PerlModule Apache::Constants
<LocationMatch "\.(ida|exe)$">
   SetHandler perl-script
   PerlInitHandler Apache::Constants::DONE
</LocationMatch>

% HEAD http://127.0.0.1:8000/foo.exe
500 unexpected EOF before status line seen

Client-Date: Mon, 29 Oct 2001 06:48:10 GMT




_____________________________________________________________________
Stas Bekman             JAm_pH      --   Just Another mod_perl Hacker
http://stason.org/      mod_perl Guide   http://perl.apache.org/guide
mailto:stas@stason.org  http://ticketmaster.com http://apacheweek.com
http://singlesheaven.com http://perl.apache.org http://perlmonth.com/


Re: [OT] Nimda, etc (was: New mod_perl hacker wannabe . . .)

Posted by John Michael <jo...@acadiacom.net>.
I tried
PerlPostReadRequestHandler Apache::DONE
and apache would not start

I changed it to:
<LocationMatch "\.(ida|exe)$">
SetHandler perl-script
PerlInitHandler Apache::DONE
</LocationMatch>

Apache then started
And it looks for the module DONE.pm
So I guess you have to write the module for it to work.

I then changed it to:

<LocationMatch "\.(ida|exe)$">
SetHandler perl-script
PerlInitHandler "sub { return OK; }"
</LocationMatch>

and got this in the error log.
Argument "OK" isn't numeric.    => tried changing it from OK to 200 and
still did not work.
It did get rid of the file not found error.

So I changed the OK to 200 in this version and it does work.
<LocationMatch "\.(ida|exe)$">
SetHandler perl-script
PerlHandler "sub { return 200; }"
</LocationMatch>

I'm guessing this is because Apache::Constants has not been loaded at this
point.

Thanks
JM

> David Young wrote:
>
> > FWIW, Apache::CodeRed seemed like a good idea for a while, and then Nimda
> > showed up, and it was apparent no one was actually doing anything about the
> > infected machines. I got sick of the notifications and the junk in my error
> > log, so I resorted to this handler:
> >
> >   <LocationMatch "\.(ida|exe)$">
> >     SetHandler perl-script
> >     PerlHandler "sub { return OK; }"
> >   </LocationMatch>
>
>
> And the most effective would be to use PerlPostReadRequestHandler
> (or PerlInitHandler, which is an alias to PerlPostReadRequestHandler)
>
> <LocationMatch "\.(ida|exe)$">
>      SetHandler perl-script
>
>     PerlPostReadRequestHandler Apache::DONE
>
>   </LocationMatch>
>
> since it returns at the earliest possible request phase. And you don't
> need the sub {}, just Apache::* will do.
>
> Apache::DONE tells Apache to immediately jump out of the request
> loop, log the transaction and close the client connection.  This is
> one way to halt the transaction without generating an error status.
>
> _____________________________________________________________________
> Stas Bekman             JAm_pH      --   Just Another mod_perl Hacker
> http://stason.org/      mod_perl Guide   http://perl.apache.org/guide
> mailto:stas@stason.org  http://ticketmaster.com http://apacheweek.com
> http://singlesheaven.com http://perl.apache.org http://perlmonth.com/
>


Re: [OT] Nimda, etc (was: New mod_perl hacker wannabe . . .)

Posted by John Michael <jo...@acadiacom.net>.
<LocationMatch "\.(ida|exe)$">
SetHandler perl-script
PerlPostReadRequestHandler Apache::DONE
</LocationMatch>

I tried adding the above code to my perl.conf file and got this error on
restart.

Syntax error on line 31 of /etc/httpd/conf/conf/perl.conf:
PerlPostReadRequestHandler not allowed here

JM

----- Original Message -----
From: "Stas Bekman" <st...@stason.org>
To: "David Young" <dy...@nettonettech.com>
Cc: <mo...@apache.org>
Sent: Sunday, October 28, 2001 11:45 PM
Subject: Re: [OT] Nimda, etc (was: New mod_perl hacker wannabe . . .)







> David Young wrote:
>
> > FWIW, Apache::CodeRed seemed like a good idea for a while, and then Nimda
> > showed up, and it was apparent no one was actually doing anything about the
> > infected machines. I got sick of the notifications and the junk in my error
> > log, so I resorted to this handler:
> >
> >   <LocationMatch "\.(ida|exe)$">
> >     SetHandler perl-script
> >     PerlHandler "sub { return OK; }"
> >   </LocationMatch>
>
>
> And the most effective would be to use PerlPostReadRequestHandler
> (or PerlInitHandler, which is an alias to PerlPostReadRequestHandler)
>
> <LocationMatch "\.(ida|exe)$">
>      SetHandler perl-script
>
>     PerlPostReadRequestHandler Apache::DONE
>
>   </LocationMatch>
>
> since it returns at the earliest possible request phase. And you don't
> need the sub {}, just Apache::* will do.
>
> Apache::DONE tells Apache to immediately jump out of the request
> loop, log the transaction and close the client connection.  This is
> one way to halt the transaction without generating an error status.
>
> _____________________________________________________________________
> Stas Bekman             JAm_pH      --   Just Another mod_perl Hacker
> http://stason.org/      mod_perl Guide   http://perl.apache.org/guide
> mailto:stas@stason.org  http://ticketmaster.com http://apacheweek.com
> http://singlesheaven.com http://perl.apache.org http://perlmonth.com/
>


Re: [OT] Nimda, etc (was: New mod_perl hacker wannabe . . .)

Posted by Stas Bekman <st...@stason.org>.
David Young wrote:

> FWIW, Apache::CodeRed seemed like a good idea for a while, and then Nimda
> showed up, and it was apparent no one was actually doing anything about the
> infected machines. I got sick of the notifications and the junk in my error
> log, so I resorted to this handler:
> 
>   <LocationMatch "\.(ida|exe)$">
>     SetHandler perl-script
>     PerlHandler "sub { return OK; }"
>   </LocationMatch>


And the most effective would be to use PerlPostReadRequestHandler
(or PerlInitHandler, which is an alias to PerlPostReadRequestHandler)

<LocationMatch "\.(ida|exe)$">
     SetHandler perl-script

    PerlPostReadRequestHandler Apache::DONE

  </LocationMatch>

since it returns at the earliest possible request phase. And you don't 
need the sub {}, just Apache::* will do.

Apache::DONE tells Apache to immediately jump out of the request
loop, log the transaction and close the client connection.  This is
one way to halt the transaction without generating an error status.

_____________________________________________________________________
Stas Bekman             JAm_pH      --   Just Another mod_perl Hacker
http://stason.org/      mod_perl Guide   http://perl.apache.org/guide
mailto:stas@stason.org  http://ticketmaster.com http://apacheweek.com
http://singlesheaven.com http://perl.apache.org http://perlmonth.com/