Re: What HTTP exploit?

• From: Suresh Ramasubramanian
• Date: Sun May 30 21:21:20 2004

Richard Welty [30/05/04 19:57 -0400]:
> # control logging
> SetEnvIf Request_URI "^/default.ida?" dontlog
> SetEnvIf Request_Method "SEARCH" dontlog

Nathan Torkington's vermicide helps - (needs mod_perl)

	srs


# this goes into your httpd.conf file
#
# the push_handlers line below prevents logging of worm requests
# remove that line if you want to know who's been contacting you

<Perl>
{
  package Apache::Vermicide;
  use Apache::Constants qw(:common :response);
  sub handler {
    my $r = shift;

    if ($r->uri() =~ /root\.exe|cmd\.exe|default\.ida/i) {
        $r->push_handlers(PerlLogHandler => sub { return BAD_REQUEST });
        return BAD_REQUEST;
    }
    return DECLINED;
  }
}
</Perl>
PerlPostReadRequestHandler Apache::Vermicide

• References:
  • What HTTP exploit? John Palmer (NANOG Acct)
  • Re: What HTTP exploit? Richard Welty

• Prev by Date: Re: What HTTP exploit?
• Next by Date: Tracking the bad guys
• Date Index
• Thread Index
• Author Index
• Historical