nanog mailing list archives

Re: What HTTP exploit?

From: Suresh Ramasubramanian <suresh () outblaze com>
Date: Mon, 31 May 2004 06:48:42 +0530


Richard Welty [30/05/04 19:57 -0400]:

# control logging
SetEnvIf Request_URI "^/default.ida?" dontlog
SetEnvIf Request_Method "SEARCH" dontlog


Nathan Torkington's vermicide helps - (needs mod_perl)

        srs


# this goes into your httpd.conf file
#
# the push_handlers line below prevents logging of worm requests
# remove that line if you want to know who's been contacting you

<Perl>
{
  package Apache::Vermicide;
  use Apache::Constants qw(:common :response);
  sub handler {
    my $r = shift;

    if ($r->uri() =~ /root\.exe|cmd\.exe|default\.ida/i) {
        $r->push_handlers(PerlLogHandler => sub { return BAD_REQUEST });
        return BAD_REQUEST;
    }
    return DECLINED;
  }
}
</Perl>
PerlPostReadRequestHandler Apache::Vermicide

Current thread:

What HTTP exploit? John Palmer (NANOG Acct) (May 30)
- RE: What HTTP exploit? Todd Mitchell - lists (May 30)
- Re: What HTTP exploit? Matthew McGehrin (May 30)
- Re: What HTTP exploit? Richard Welty (May 30)
  - Re: What HTTP exploit? Suresh Ramasubramanian (May 30)
- <Possible follow-ups>
- Re: What HTTP exploit? Mike Nice (May 31)
  - Re: What HTTP exploit? Vinny Abello (May 31)
    - Re: What HTTP exploit? Laurence F. Sheldon, Jr. (May 31)
    - Re: What HTTP exploit? Paul G (May 31)
  - Re: What HTTP exploit? Bob Martin (May 31)
    - Re: What HTTP exploit? Jason Dixon (May 31)