Home · Authors · Recent · News · Mirrors · FAQ · Feedback

in  
Nick Tonkin > Apache-MSIISProbes > Apache::MSIISProbes

Download:
Apache-MSIISProbes-1.08.tar.gz

Dependencies

Annotate this POD

CPAN RT

New  1
Open  0
View/Report Bugs
Module Version: 1.08   Source  

NAME ^

 Apache::MSIISProbes -
 Responds to worm attacks on Microsoft Internet Information Servers with e-mail warnings.

SYNOPSIS ^

 In your httpd.conf, put something similar to the following:

 <Location /default.ida>
   SetHandler perl-script
   PerlHandler Apache::MSIISProbes
   PerlSetVar worm_name CodeRed
   PerlSetVar worm_url http://www.microsoft.com/technet/itsolutions/security/topics/codealrt.asp
 </Location>

DESCRIPTION ^

 This Perl module should be invoked whenever the worms it
 knows about attack. We don't have to worry about such
 attacks on non-Windows boxes, but we can be good Internet
 citizens, warning the webmasters on infected machines of the
 problem and how to solve it.

 The module allows the user to add new configuration
 directives as new worms are discovered.

USAGE ^

 In your httpd.conf, put directives similar to the following:

 <Location /default.ida>
   SetHandler perl-script
   PerlHandler Apache::MSIISProbes
   PerlSetVar worm_name CodeRed
   PerlSetVar worm_url http://www.microsoft.com/technet/itsolutions/security/topics/codealrt.asp
 </Location>

 <LocationMatch (cmd.exe|root.exe)>
   SetHandler perl-script
   PerlHandler Apache::MSIISProbes
   PerlSetVar worm_name Nimda
   PerlSetVar worm_url http://www.microsoft.com/technet/security/topics/Nimda.asp
 </LocationMatch>

Duplicates

 $store = 1; # Send mail for every attempt
 $store = 0; # Only send mail once per cache period

 Although rumor has it that CodeRed and other similar worms
 only attack a given IP once from a given host, experience
 shows this to be false. You can control the behavior of
 MSIISProbes.pm when it encounters a second or subsequent
 attempt from a given IP address. By default MSIISProbes.pm
 keeps a cache of IP addresses from which an attempt has
 originated, counting attempts per worm from the IP and
 including the count in each message it mails.

 You can override this behavior and send a message only the
 first time a given host attempts to spread the worm in a given
 period by setting the variable $store to a false value. This
 will cause the cache to be cleared at a given interval (by
 default, one day). Mail alerts to the IIS server's
 administrators will be sent only once per cache period.

Volume

 $soa_only = 1; # only send mail to the Start of Authority
 $soa_only = 0; # send mail to address at the IP's MX also

 You can also control the "volume" of the module using the 
 $soa_only flag in the configuration. This variable controls
 the number of addresses to whom e-mail alerts are sent when
 an attempt to infect your server is made. Experience has shown
 that many administrators do not have their MX records set up
 correctly. This can lead to frequent bounced mail when the module
 is in its default configuration ($soa_only = 0).

 If you set $soa_only to a true value, the module will only attempt
 to resolve the Start of Authority for the attacking IP. This will 
 usually result in mail being sent to the SOA contact address plus 
 abuse@ the SOA's domain.

 If you set $soa_only to false, the module will additionally attempt
 to resolve the IP's MX host and send mail to postmaster@, webmaster@,
 and administrator@ that domain. This is a potential total of 5
 messages (plus Security Focus) per attempted infection.

Statistics

 You may wish to see the statistics for the various worms you
 are catching with MSIISProbes.pm. The module supports this
 through setting the value of the query string argument 'stats'
 to one of the worm names you defined in httpd.conf, for
 example like this:

 http://my.server.com/cmd.exe?stats=CodeRed
 or
 http://my.server.com/foo.bar?/c+dir&stats=Nimda

 Just make sure to attache the query string to a URL that will
 be caught by your configuration of the module! Also please note
 that the statistics provided are of your cache, so if you are
 clearing entries after one day the statistics will obviously
 not be cumulative!

AUTHOR ^

 Author: Nick Tonkin (nick@tonkinresolutions.com)

 Based on CodeRed.pm by Reuven M. Lerner (reuven@lerner.co.il),
 with ideas from Randal Schwartz, David Young, and Salve J. Nilsen.

COPYRIGHT ^

 This code is copyright 2001 Nick Tonkin. All rights reserved.

LICENSE ^

 You may distribute this module under the same license as Perl itself.

CHANGES ^

 v1.08
 Added the requested URI to the body of the e-mail message sent to
 server admins, since some apparently refuse to take action without
 it (requested by Tom Moore)

 v1.07
 Added $soa_only var to config, allowing more control over the volume.
 Corrected deprecated URL for this module's home page.

 v1.06
 Updated docs to reflect correct httpd.conf sections (Steve Neuharth)

 v1.05
 Fixed bug where mail could get sent to the local server admin if the
 remote IP address doesn't resolve to a host name (in certain environments)
 (reported by Bruce Albrecht)

 Fixed typo in page headline for statistical report (spotted by Alex Vandiver)

 v1.04
 Added code to provide statistics on the Cache (suggested by Paul DuBois)

 v1.03
 Added code to get e-mail for the SOA of the host (Brice D. Ruth)

 Cut the DNS Resolver's timeout to 20 seconds

 v1.02
 Moved the URL for info for each worm into PerlSetVar in httpd.conf

SEE ALSO ^

Apache.

syntax highlighting:
79179 Uploads, 24903 Distributions 106918 Modules, 9704 Uploaders
hosted by YellowBot
do. tag. write. share.