Re: [OT] New Micro$oft vulnerability?

2001-09-24 Thread test
The Nimda worm deposits many files, some of which are hidden in different directories on the infected server. The worm plants itself in the root of any available drive as the file admin.dll. Other filenames for the worm include: ADMIN.DLL, LOAD.EXE, MMC.EXE, README.EXE, RICHED20.DLL,

Re: [OT] New Micro$oft vulnerability?

2001-09-24 Thread Ask Bjoern Hansen
On 19 Sep 2001, Vivek Khera wrote: NT> http://www.torkington.com/vermicide.txt has a mod_perl handler to catch the requests as soon as they arrive, and discard them with a minimum of work to Apache. If your web server is struggling under the load, this might help. Why waste your

Re: [OT] New Micro$oft vulnerability?

2001-09-21 Thread Nathan Torkington
Tim Peoples writes: I tried doing the s/OK/DECLINED/ thing and it didn't do the trick. :-( I forgot to mention that this is in combination with HTML::Mason, but I doubt that should have any effect. This appears to be a bug in mod_perl, partially (said, I think, Geoff Young) fixed in the

Re: [OT] New Micro$oft vulnerability?

2001-09-21 Thread Tim Peoples
I was able to change all the PerlSetEnv directives to SetEnv and all seems to be well. There was really no need to set the values so early anyway (since they're only being referenced during content generation). Thanx, Tim. On Fri, Sep 21, 2001 at 02:13:29PM -0600, Nathan Torkington wrote:

Re: [OT] New Micro$oft vulnerability?

2001-09-20 Thread Tim Peoples
This 'Apache::Vermicide' module, installed as a 'PerlPostReadRequestHandler', seems to be preventing any 'PerlSetEnv' directives from being parsed out of a '.htaccess' file (or equivalent). IOW, the ENV vars aren't getting set properly. I'm investigating how to remedy this issue. Tim. On

Re: [OT] New Micro$oft vulnerability?

2001-09-20 Thread Tim Peoples
Hmmm... I tried doing the s/OK/DECLINED/ thing and it didn't do the trick. :-( I forgot to mention that this is in combination with HTML::Mason, but I doubt that should have any effect. Tim. On Tue, Sep 18, 2001 at 03:54:00PM -0600, Nathan Torkington wrote: Tim Peoples writes: This

Re: [OT] New Micro$oft vulnerability?

2001-09-19 Thread Larry Leszczynski
Hi Nat - Whoops! Returning OK terminates the PostReadRequest phase, apparently. Changing that to return DECLINED made PerlSetEnv work again. Sorry, Nat Before reading your post I had implemented a similar handler, although I put it in as a TransHandler, so I guess I should move it to

Re: [OT] New Micro$oft vulnerability?

2001-09-19 Thread Reuven M. Lerner
Jeremy Howard writes: Jeremy> Any suggestions on how we should respond? Update Apache::CodeRed to recognise the new signature, and send an appropriate message to postmaster and webmaster with an updated URL to point to? Rosh Hashana just ended here in Israel, and I

RE: [OT] New Micro$oft vulnerability?

2001-09-19 Thread Geoffrey Young
Whoops! Returning OK terminates the PostReadRequest phase, apparently. Changing that to return DECLINED made PerlSetEnv work again. Sorry, Nat Before reading your post I had implemented a similar handler, although I put it in as a TransHandler, so I guess I should move it to

RE: [OT] New Micro$oft vulnerability?

2001-09-19 Thread Lyle Brooks
This helps a lot. I've been looking for a concise map of the various phases and what return codes take me where. I'll probably post it on my wall. all phases up to and including content generation ought to behave exactly the same... - DECLINED moves to the next handler in the phase -

RE: [OT] New Micro$oft vulnerability?

2001-09-19 Thread Geoffrey Young
-Original Message- From: Lyle Brooks To: Geoffrey Young Cc: 'mod_perl list ' Sent: 9/19/01 5:57 PM Subject: RE: [OT] New Micro$oft vulnerability? This helps a lot. I've been looking for a concise map of the various phases and what return codes take me where. I'll probably post

RE: [OT] New Micro$oft vulnerability?

2001-09-19 Thread Nick Tonkin
On Wed, 19 Sep 2001, Lyle Brooks wrote: One motivation I have is for these virus attacks, I'd like to send out a 403 - Forbidden right at the beginning (say, when someone asks for default.ida) and then I'd like to have the option of not logging it to keep it from growing my logs and

[OT] New Micro$oft vulnerability?

2001-09-18 Thread Nick Tonkin
Sorry for the off-topic post; there was a lot of discussion here of CodeRed and Reuven's module to report attempted attacks. Since this a.m. I have had hundreds of requests like: /scripts/root.exe?/c+dir /MSADC/root.exe?/c+dir /c/winnt/system32/cmd.exe?/c+dir /d/winnt/system32/cmd.exe?/c+dir

RE: [OT] New Micro$oft vulnerability?

2001-09-18 Thread Matt Sergeant
-Original Message- From: Nick Tonkin [mailto:[EMAIL PROTECTED]] Sorry for the off-topic post; there was a lot of discussion here of CodeRed and Reuven's module to report attempted attacks. Since this a.m. I have had hundreds of requests like: /scripts/root.exe?/c+dir

Re: [OT] New Micro$oft vulnerability?

2001-09-18 Thread Wim Kerkhoff
Nick Tonkin wrote: Sorry for the off-topic post; there was a lot of discussion here of CodeRed and Reuven's module to report attempted attacks. Since this a.m. I have had hundreds of requests like: /scripts/root.exe?/c+dir /MSADC/root.exe?/c+dir /c/winnt/system32/cmd.exe?/c+dir

Re: [OT] New Micro$oft vulnerability?

2001-09-18 Thread Tom Servo
Slashdot has a report on this now, looks like a similar worm to CodeRed, but this one tries to hit numerous vulnerabilities, including backdoors left open by CodeRed. Brian Nilsen [EMAIL PROTECTED] On Tue, 18 Sep 2001, Nick Tonkin wrote: Sorry for the off-topic post; there was

Re: [OT] New Micro$oft vulnerability?

2001-09-18 Thread Adi Fairbank
I wish someone would just write a worm that would put these IIS machines out of their misery and stop causing the rest of us such a headache. Nick Tonkin wrote: Sorry for the off-topic post; there was a lot of discussion here of CodeRed and Reuven's module to report attempted attacks.

Re: [OT] New Micro$oft vulnerability?

2001-09-18 Thread Tom Servo
You're tellin' me, I've now had word come down that we need to do a full audit of our Apache and *nix installations to make sure that they're okay. Never mind the fact that the only problems we have so far are people opening up files called readme.exe in their e-mail. *slapsforeheadinfrustration*

Re: [OT] New Micro$oft vulnerability?

2001-09-18 Thread Nathan Torkington
http://www.torkington.com/vermicide.txt has a mod_perl handler to catch the requests as soon as they arrive, and discard them with a minimum of work to Apache. If your web server is struggling under the load, this might help. The heuristic it uses for requests to ignore with prejudice is the

Re: [OT] New Micro$oft vulnerability?

2001-09-18 Thread Nathan Torkington
[Apologies if you get this twice--mailed it first from my oreilly.com account, which may not be the address subscribed to this list] http://www.torkington.com/vermicide.txt has a mod_perl handler to catch the requests as soon as they arrive, and discard them with a minimum of work to Apache. If

RE: [OT] New Micro$oft vulnerability?

2001-09-18 Thread Alex Porras
Adi Fairbank wrote: I wish someone would just write a worm that would put these IIS machines out of their misery and stop causing the rest of us such a headache. I think that it would be a lot easier to write a worm that puts IIS admins out of their misery--they're already busy applying

Re: [OT] New Micro$oft vulnerability?

2001-09-18 Thread Angel R. Rivera
You know guys, seems to me micro$not users should be thinking of a product liability claim... I mean, if you buy cigs and get cancer and can win a lawsuit, or if you buy hot coffee and put it between your legs and can win, this should be a real slam dunk. At 12:09 PM 9/18/2001 -0700, Tom Servo wrote:

Re: [OT] New Micro$oft vulnerability?

2001-09-18 Thread lembark
-- Jeremy Howard [EMAIL PROTECTED] on 09/19/01 06:37:15 +1000 This one's gonna grind the net to a halt pretty quick. I hate to think what this will mean for people running web servers at home over DSL (including me soon). Any suggestions on how we should respond? Update

Re: [OT] New Micro$oft vulnerability?

2001-09-18 Thread Nathan Torkington
Tim Peoples writes: This 'Apache::Vermicide' module, installed as a 'PerlPostReadRequestHandler', seems to be preventing any 'PerlSetEnv' directives from being parsed out of a '.htaccess' file (or equivalent). IOW, the ENV vars aren't getting set properly. I'm investigating how to remedy

Re: [OT] New Micro$oft vulnerability?

2001-09-18 Thread Nathan Torkington
Tim Peoples writes: I tried doing the s/OK/DECLINED/ thing and it didn't do the trick. :-( You're right, it was the restart that did it. OK/DECLINED makes no difference in that handler. I'm seeing, with or without my handler, the PerlSetEnv stuff only happening once per connection rather

RE: [OT] New Micro$oft vulnerability?

2001-09-18 Thread Geoffrey Young
I'm seeing, with or without my handler, the PerlSetEnv stuff only happening once per connection rather than once per request. I think this was addressed for 1.26 http://marc.theaimsgroup.com/?t=9946915503w=2r=1 however, as you can see at the end of the thread, I don't think the