httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Fred Koschara <>
Subject Re: I'm being scanned... What do I do?
Date Mon, 31 Dec 2001 06:47:16 GMT

> > > > From: "Allen May" <>
> > > > To: "Apache" <>
> > > > Sent: Sunday, December 30, 2001 6:49 AM
> > > > Subject: I'm being scanned... What do I do?
> > > > > Is there anything I can do to trace back to the owner of that
>computer and let them know that A) they have a virus or B) ask them to stop
>filing up my log.

I've been working on this, effectively continuously, since Daniel Lopez 
<> sent the link to the Apache::MSIISProbes module at on Sun, 
30 Dec 2001 10:15:41 -0800.

Why did it take so long?  I didn't have mod_perl installed on my server, 
and had to find a bunch of other modules required both by mod_perl itself, 
and by Apache::MSIISProbes.  In addition, the mod_perl test scripts have 
been broken by the latest version of libwww-perl, and I had to figure out 
how to make the tests work.  (Thanks to Gisle Aas of for 
answering about the problems I was having getting URI::URL recognized in 
the and hooks.t modules.)  I use a custom configuration script to 
build Apache, and had to figure out how to integrate mod_perl into it, and 
into the httpd.conf module list, neither of which are documented anywhere I 
can find - I adapted some of the work I did in setting up PHP.  I would 
write a checklist procedure for doing the whole process, but it's left me 
exhausted by now, and tomorrow there will be other dragons that need 
slaying, so I suspect I'll never get back to writing the documentation.

During the afternoon, I also looked at Earl Bird v2.6, another reporting 
option found at which I did not 
finish installing.  In retrospect, considering the amount of effort needed 
to get mod_perl working, I think Early Bird would have been a better 
choice.  Its problem, in my opinion, is that it requires that "ExecCGI" is 
enabled for your document root - which is not necessarily the best security 
position.  It is, however, a fairly self-contained package, and would have 
been relatively easy to install if I hadn't already been waist-deep into 
the mod_perl setup.  I also think Early Bird's reporting facilities are 
better, if the documentation is correct.

Apache/*nix is safe from infection by the IIS worms, it's true, but the 
worms do plug up the network with their traffic, as well as filling our 
logs.  It's in our best interest to let the infected system's 
administrators know they've got a problem, so using one of these tools is 
highly recommended, IMHO.

-- Fred Koschara, President
    L5 Development Group

For private sector (commercial) space development, visit
L5 Software Development - "out of this world" sites and software - Your place on the Internet for local music
	Music, feedback, connections. Tap the power of the Internet!
How much did your last traffic ticket cost you?
ThmIndxr(tm), the *only* HTML thumbnail/indexer you need!
wCapLock(tm), makes CapsLock work like it does on a typewriter
KeywordGo(tm), provides keyword access to your popular pages
BannerAds(tm), join multiple affiliate programs with one banner
My personal Web page is
	Stop by some time!

The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message