Just a thought but why are we even bothering about doing a complete
response cycle for the probes ??? I mean nobody is actually going to
care what my server says is it ?? I was thinking more about closing
connection as soon as I figure out the URI. That way my server stays
more productive and my outgoing bandwidth is also saved to an extent.
I've been following this thread for a while and have adapted the
various posts to build what I think is the minimal module to
eliminate the logging and terminate the response from apache asap.
This is very similar to Apache::Vermicide (thank you!)
The handler is inserted at the first point where apache
location directives can be used.
#
# trap exploits of nimda code-red compromised systems.
# version 1.06 9-20-01 [EMAIL PROTECTED]
<Perl>
{
package Apache::VirusLogZapper;
use strict;
use Apache::Constants qw(:common :response);
my $ERRORLOG = 1;   # set to 0 to drop the error_log entry as well
sub handler {
    my $r = shift;
    if ($ERRORLOG) {
        # note which worm signature was hit and by which client
        my ($sig) = $r->uri =~ /(cmd\.exe|root\.exe|default\.ida)/;
        $r->log_error(join ' ', __PACKAGE__, $r->get_remote_host, $sig || $r->uri);
    }
    # swallow the access_log entry for this request
    $r->push_handlers(PerlLogHandler => sub { return DONE });
    # stop the request here: no response is generated
    return DONE;
}
}
</Perl>
<LocationMatch "(cmd\.exe|root\.exe|default\.ida)">
    SetHandler perl-script
    PerlHeaderParserHandler Apache::VirusLogZapper
</LocationMatch>
#
I put all this in a small include file called 'virus.pl' and include
it in the httpd.conf file with a single line
Include /usr/local/apache/conf/virus.pl
Michael
[EMAIL PROTECTED]
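As an added example (not part of the post above), here is a small Python script that reads back the error_log entries the module writes and tallies probes per source host, so the zapped requests can still be reviewed. It assumes the Apache 1.3 error_log line shape "[date] [error] message" and the message layout "Apache::VirusLogZapper <host> <signature>"; the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample of error_log lines as written by Apache::VirusLogZapper
# (the timestamp and "[error]" prefix are added by Apache itself).
SAMPLE_ERROR_LOG = """\
[Thu Sep 20 10:01:02 2001] [error] Apache::VirusLogZapper 10.0.0.5 cmd.exe
[Thu Sep 20 10:01:03 2001] [error] Apache::VirusLogZapper 10.0.0.5 root.exe
[Thu Sep 20 10:01:09 2001] [error] Apache::VirusLogZapper 192.0.2.77 default.ida
[Thu Sep 20 10:02:11 2001] [error] File does not exist: /usr/local/apache/htdocs/favicon.ico
[Thu Sep 20 10:02:40 2001] [error] Apache::VirusLogZapper 10.0.0.5 cmd.exe
"""

# Only lines emitted by the module are of interest; everything else is ignored.
ZAPPER_LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] Apache::VirusLogZapper "
    r"(?P<host>\S+) (?P<sig>cmd\.exe|root\.exe|default\.ida)$"
)


def parse_zapper_lines(text):
    """Yield (timestamp, host, signature) for every VirusLogZapper entry."""
    for line in text.splitlines():
        m = ZAPPER_LINE.match(line)
        if m:
            yield m.group("ts"), m.group("host"), m.group("sig")


def summarise(text):
    """Count probes per source host, broken down by worm signature."""
    per_host = defaultdict(lambda: defaultdict(int))
    for _ts, host, sig in parse_zapper_lines(text):
        per_host[host][sig] += 1
    return {host: dict(sigs) for host, sigs in per_host.items()}


def noisy_hosts(text, threshold=3):
    """Hosts that probed at least `threshold` times: worth a firewall rule."""
    return sorted(host for host, sigs in summarise(text).items()
                  if sum(sigs.values()) >= threshold)


if __name__ == "__main__":
    for host, sigs in summarise(SAMPLE_ERROR_LOG).items():
        print(host, sigs)
    print("noisy:", noisy_hosts(SAMPLE_ERROR_LOG))
```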