[X-Unix] Stopping the WebDAV Exploit in Apache

Dean Suhr deansuhr at carpedis.com
Sun Mar 28 08:24:57 PST 2004


>on 3/27/04 18:42, Scott Haneda at scott at newgeo.com wrote:

> I am serving up my mrtg stats on port 80 just so I can see
> what is going on no matter where I am.
...
>
> The first thing I did was start tracking the worms and other issues
> # create special cases to get code red and others out of my logs!
> SetEnvIfNoCase Request_URI "/cmd\.exe" msjunk
...
> 
> I send these logs to a separate log...
> CustomLog "/private/var/log/httpd/msjunk_log" virtual env=msjunk
> CustomLog "/private/var/log/httpd/msjunk_IP_log" justIP env=msjunk
> 
> One is the full request, the last one is just the IP
> 
> Every 5 minutes cron picks up the IP log and adds it to a blackhole list so
> they can not talk to me again.


Scott,

This is very interesting but I admit way over my head.  I am struggling with
getting WebDAV to work properly just for joint GoLive development work.
Using WebDAV for some more "interesting" things like this has some appeal to
me.  Can you walk me (and the rest of us) through a bit more of what exactly
is going on here so that we can better understand?

I've read some about the WebDAV exploit so I have some concerns.  Is this
just an IIS concern? Would it help to have HTTP and WebDAV on separate ports?
Is there a way to do that while running only one Apache instantiation on one
server?  If not, how would we run two instantiations?

Dean
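
The cron step described in the quoted text (pick up the IP-only log and add its addresses to a blackhole list), as an added example that is not part of this thread. The allowlist file, the seen file and the function names are assumptions; the thread does not show the blackhole command itself, so the sketch stops at deciding which addresses qualify.

```shell
#!/bin/sh
# Added example, not from the thread. File names and the allowlist/seen-list
# design are assumptions; the firewall call itself is left to the reader.

# new_block_candidates LOG ALLOW SEEN
# Prints each address from LOG that is a well-formed IPv4 dotted quad, is not
# listed in ALLOW (addresses that must never be blocked) and is not in SEEN
# (addresses already handled by an earlier cron run). Output is de-duplicated.
new_block_candidates() {
    [ -r "$1" ] || return 0
    awk -F. -v allow="$2" -v seen="$3" '
    BEGIN {
        # A missing ALLOW or SEEN file simply contributes no entries.
        while ((getline line < allow) > 0) skip[line] = 1
        while ((getline line < seen) > 0) skip[line] = 1
    }
    # Accept only a bare dotted quad; host names, blank lines and anything
    # with extra characters never reach the block list.
    NF == 4 && /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
        for (i = 1; i <= 4; i++)
            if (length($i) > 3 || $i + 0 > 255) next
        if (!($0 in skip)) { skip[$0] = 1; print }
    }' "$1"
}

# demo: run the filter over constructed sample data (documentation-range
# addresses from RFC 5737) and print the addresses a cron job would block.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 192.0.2.10 198.51.100.7 192.0.2.10 203.0.113.5 \
        999.1.1.1 'worm.example.net' '192.0.2.99 trailing-junk' \
        > "$d/msjunk_IP_log"
    printf '%s\n' 203.0.113.5 > "$d/allow"     # e.g. your own remote address
    printf '%s\n' 198.51.100.7 > "$d/seen"     # blocked by an earlier run
    new_block_candidates "$d/msjunk_IP_log" "$d/allow" "$d/seen"
    rm -rf "$d"
}

demo
```

The allowlist matters because a single request matching the `msjunk` pattern from your own address would otherwise lock you out of the server.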


