> Just a thought but why are we even bothering about doing a complete
> response cycle for the probes ??? I mean nobody is actually going to
> care what my server says is it ?? I was thinking more about closing
> connection as soon as I figure out the URI. That way my server stays
> more productive and my outgoing bandwidth is also saved to a extent.
I've been following this thread for a while and have adapted the
various posts to build what I think is the minimal module to
eliminate the logging and terminate the response from apache asap.
This is very similar to Apache::Vermicide (thank you!))
The handler is inserted at the first point where apache
<location> directives can be used.
#########################################
# trap exploits of nimda & code-red compromised systems.
# version 1.06 9-20-01 [EMAIL PROTECTED]
<perl>
{
package Apache::VirusLogZapper;
use Apache::Constants qw(:common :response);
my $ERRORLOG = 1;
sub handler {
my $r = shift;
if ($ERRORLOG) {
$r->uri =~ /(cmd\.exe|root\.exe|default\.ida)/;
$r->log_error(__PACKAGE__, ' ',
$r->get_remote_host, ' ' ,$1);
}
$r->push_handlers(PerlLogHandler => sub {return DONE});
return DONE;
}
}
</perl>
<LocationMatch (cmd.exe|root.exe|default.ida)>
SetHandler perl-script
PerlHeaderParserHandler Apache::VirusLogZapper
</LocationMatch>
#########################################
I put all this in a small include file called 'virus.pl' and include
it in the httpd.conf file with a single line
Include /usr/local/apache/conf/virus.pl
Michael
[EMAIL PROTECTED]
