[thelist] Re: Vermicide

Kevin Martin evolt at brasscannon.net
Mon Jan 28 05:48:00 CST 2002


Quoth "Richard Bennett" <richard.bennett at skynet.be>
> From: "Kevin Martin" <evolt at brasscannon.net>
>
>>A little Perl magic called "Vermicide" will fix that.  Put this into your
>>httpd.conf to discard log entries generated by Code Red and related/copycat
>>worms such as Nimda.  I still get a rare log entry from another worm,
>>but the threat to eat up all my log file space is over.
>
> That looked pretty neat, so we tried to add it to our httpd.conf file. It's
> not running though, and seems to be trying to open and run Perl.

Yep, that would be the case.  Rats, let me dig out the rest of the support
lines it requires.  (Any Perl gurus feel free to kibitz...!)  To avoid
confusion, these are three separate clips of the httpd.conf file, so
I'm going to mark them off with 'snip here' lines.  Find the section that
"looks like" each of these three and drop 'em in accordingly.  The block
of Vermicide code I gave earlier is repeated so you don't have to look
up the old post.

8<------------ snip here - add to LoadModule section

<IfDefine HAVE_PERL>
LoadModule perl_module        modules/libperl.so
</IfDefine>

8<------------ snip here - add to AddModule section

<IfDefine HAVE_PERL>
AddModule mod_perl.c
</IfDefine>

8<------------ snip here - add to SetHandler section

# If the perl module is installed, this will be enabled.
<IfModule mod_perl.c>
  Alias /perl/ /var/www/perl/
  <Location /perl>
    SetHandler perl-script
    PerlHandler Apache::Registry
    Options +ExecCGI
  </Location>
</IfModule>

<Perl>
{
  package Apache::Vermicide;
  use Apache::Constants qw(:common :response);
  sub handler {
    my $r = shift;

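    # Match the request paths the worms probe for (case-insensitive).
    if ($r->uri() =~ /root\.exe|cmd\.exe|default\.ida|owssvr\.dll/i) {
        # Push a log handler that returns a non-OK status so the
        # request is not written to the access log.
        $r->push_handlers(PerlLogHandler => sub { return BAD_REQUEST });
        return BAD_REQUEST;
    }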
    return DECLINED;
  }
}
</Perl>

PerlPostReadRequestHandler Apache::Vermicide

#
8<------------ and here
--
Kevin Martin <evolt at brasscannon.net>
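Added example, not part of the original post or of Vermicide itself: a Python script that applies the same URI pattern to an existing access log, separating worm probes from normal traffic and counting probes per client so the source hosts are recorded before the entries are discarded. The log lines, addresses and function names are constructed for illustration, and Common Log Format is assumed.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Same pattern the Apache::Vermicide handler tests against $r->uri().
WORM_URI = re.compile(r"root\.exe|cmd\.exe|default\.ida|owssvr\.dll", re.I)

# Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "([^"]*)" \d{3} \S+')

# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [28/Jan/2002:05:40:01 -0600] "GET /index.html HTTP/1.0" 200 5120',
    '198.51.100.7 - - [28/Jan/2002:05:40:03 -0600] "GET /default.ida?NNNNNNNN HTTP/1.0" 400 331',
    '198.51.100.7 - - [28/Jan/2002:05:40:04 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 290',
    '203.0.113.9 - - [28/Jan/2002:05:40:09 -0600] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310',
    '192.0.2.10 - - [28/Jan/2002:05:41:00 -0600] "GET /search?q=cmd.exe HTTP/1.0" 200 812',
]

def request_path(request):
    """Approximate $r->uri(): the decoded path without the query string."""
    parts = request.split(" ")
    target = parts[1] if len(parts) >= 2 else request  # tolerate malformed lines
    return unquote(target.split("?", 1)[0])

def split_log(lines):
    """Return (kept_lines, probes_per_host) for an iterable of log lines."""
    kept, probes = [], Counter()
    for line in lines:
        m = CLF.match(line)
        if m is None:
            kept.append(line)  # unparseable: keep it, never drop silently
            continue
        host, request = m.groups()
        if WORM_URI.search(request_path(request)):
            probes[host] += 1
        else:
            kept.append(line)
    return kept, probes

if __name__ == "__main__":
    kept, probes = split_log(SAMPLE)
    print(f"kept {len(kept)} of {len(SAMPLE)} lines")
    for host, count in probes.most_common():
        print(f"{host}\t{count} worm probes")
```

The last sample line is kept because the pattern is tested against the path only, so a query string that merely mentions `cmd.exe` does not match.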


