[thelist] Re: Code Red?
Kevin Martin
evolt at brasscannon.net
Sun Jan 27 14:28:00 CST 2002
Quoth Jon Haworth <evolt at laughing-buddha.net>
> > Nothing to worry about if you don't have IIS public-facing.
>
> Aak, no way. Apache is set up to deny access to everything that isn't on my
> LAN anyway, but these fscking things are filling up my error logs <grin>
A little Perl magic called "Vermicide" will fix that. Put this into your
httpd.conf to discard log entries generated by Code Red and related/copycat
worms such as Nimda. I still get a rare log entry from another worm,
but the threat to eat up all my log file space is over.
8<---------- clip here
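<Perl>
{
    package Apache::Vermicide;
    use Apache::Constants qw(:common :response);

    # Runs as a post-read-request handler (see the directive below).
    sub handler {
        my $r = shift;
        # URIs requested by Code Red, Nimda and copycat worms
        if ($r->uri() =~ /root\.exe|cmd\.exe|default\.ida|owssvr\.dll/i) {
            # Pushed log handler returns an error so the request is not logged
            $r->push_handlers(PerlLogHandler => sub { return BAD_REQUEST });
            return BAD_REQUEST;
        }
        return DECLINED;
    }
}
</Perl>
PerlPostReadRequestHandler Apache::Vermicide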
8<---------- clip here
--
Kevin Martin <evolt at brasscannon.net>
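Added example, not part of the original post: the handler above only affects requests logged after it is installed, so this Python sketch applies the same URI pattern to an existing Common Log Format access log, keeping ordinary lines and counting worm hits per signature and per source host. The log lines are constructed samples, the function names are hypothetical, and percent-decoding the path before matching is an assumption made to approximate what `$r->uri()` sees.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Same alternation as the Vermicide handler's URI test, case-insensitive.
WORM_URI = re.compile(r"root\.exe|cmd\.exe|default\.ida|owssvr\.dll", re.I)

# Common Log Format: host ident user [time] "METHOD target PROTO" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "\S+ (\S+)[^"]*" \d{3} \S+')

# Constructed sample lines (documentation addresses, shortened requests).
SAMPLE_LOG = """\
192.0.2.10 - - [27/Jan/2002:14:01:07 -0600] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 276
192.0.2.44 - - [27/Jan/2002:14:02:11 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 280
192.0.2.44 - - [27/Jan/2002:14:02:12 -0600] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 300
198.51.100.7 - - [27/Jan/2002:14:03:30 -0600] "GET /index.html HTTP/1.1" 200 5120
198.51.100.7 - - [27/Jan/2002:14:03:31 -0600] "GET /search?q=cmd.exe HTTP/1.1" 200 812
192.0.2.10 - - [27/Jan/2002:14:04:00 -0600] "GET /_vti_bin/OWSSVR.DLL HTTP/1.0" 404 290
"""

def worm_signature(target):
    """Return the matched signature (lowercased) or None.

    Only the path is tested, like $r->uri() in the handler, so the query
    string is dropped first. Percent-decoding the path is an assumption.
    """
    path = unquote(target.split("?", 1)[0])
    m = WORM_URI.search(path)
    return m.group(0).lower() if m else None

def split_log(text):
    """Split log text into (kept_lines, hits_per_signature, hits_per_host)."""
    kept, by_sig, by_host = [], Counter(), Counter()
    for line in text.splitlines():
        m = CLF.match(line)
        sig = worm_signature(m.group(2)) if m else None
        if sig is None:
            kept.append(line)  # unparseable or ordinary traffic stays
        else:
            by_sig[sig] += 1
            by_host[m.group(1)] += 1
    return kept, by_sig, by_host

if __name__ == "__main__":
    kept, by_sig, by_host = split_log(SAMPLE_LOG)
    print("\n".join(kept))
    print(dict(by_sig), dict(by_host))
```

The `/search?q=cmd.exe` line is kept because the signature appears only in the query string, which the path-only match ignores.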