Re: Slapper worm does more than infect



On Wed, 2002-10-09 at 12:27, Xavier Santolaria wrote:
> > I've been using a script to watch for slapper attempts and restart the
> > webserver if it sees it (code below), but this is inefficient, costs
> > CPU, and unless I run this every minute I will get some downtime.  Is
> > there a more efficient way of getting slapper to not grab my webserver
> > connections?  I've considered recompiling apache to get rid of the
> > "Server:" HTTP response header line completely, but deploying a
> > recompiled binary (and recompiling every time) across a web-farm is a
> > drastic solution.  I was hoping for something less disruptive. 
> 
> What you can do is add that option to your httpd.conf
> ServerTokens ProductOnly
>
> This way it will only display
> Server: Apache
 
Thank you for the suggestion.  From what I understand of slapper, it
will first attempt to get the Apache version number by generating the
error message, but if the version number is not known it attempts
anyways (I suspect in some brute-force method).  I thought that if I could
get rid of the word "Apache" from the servertoken (heard about it in the
Hotmail-using-Apache-not-IIS fiasco), slapper thinks it's not an Apache
server, and doesn't try.  I'd have to recompile to get rid of that last
"Apache" string from the servertoken, as I understand, and it may be
moot if slapper or an equivalent worm just tries anyways on non-Apache
servers.

I'll give the ServerToken thing a shot anyways, and see if I get
"without hostname" errors (slapper probing) but no "key arg too long"
errors following it (slapper attempting infection).
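
The check described in the last paragraph can be run over the error log as follows. This is an added example, not part of the original message: it labels each client as probe-only or probe followed by an attempt. The sample lines are constructed, and the log layout (including the mod_ssl "SSL handshake failed" line used to tie a "key arg too long" error to a client) is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample lines; the layout is an assumption modelled on
# Apache 1.3 + mod_ssl error logs, not taken from the original message.
SAMPLE_LOG = """\
[Wed Oct 09 12:01:10 2002] [error] [client 192.0.2.10] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Wed Oct 09 12:01:12 2002] [error] mod_ssl: SSL handshake failed (server www.example.com:443, client 192.0.2.10) (OpenSSL library error follows)
[Wed Oct 09 12:01:12 2002] [error] OpenSSL: error:1406B458:SSL routines:GET_CLIENT_MASTER_KEY:key arg too long
[Wed Oct 09 12:05:40 2002] [error] [client 198.51.100.7] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Wed Oct 09 12:09:02 2002] [error] [client 203.0.113.5] File does not exist: /var/www/html/favicon.ico
"""

PROBE = re.compile(r"\[client ([\d.]+)\].*request without hostname")
HANDSHAKE = re.compile(r"SSL handshake failed \(.*client ([\d.]+)\)")
ATTEMPT = "key arg too long"


def classify(log_text):
    """Map each client IP to 'probe-only', 'probe+attempt' or 'attempt-only'."""
    events = defaultdict(set)
    handshake_client = None  # client named by the most recent handshake failure
    for line in log_text.splitlines():
        probe = PROBE.search(line)
        if probe:
            events[probe.group(1)].add("probe")
            continue
        handshake = HANDSHAKE.search(line)
        if handshake:
            handshake_client = handshake.group(1)
            continue
        if ATTEMPT in line:
            # The OpenSSL line carries no client address, so attribute it to
            # the handshake failure logged just before it (assumption).
            events[handshake_client or "unknown"].add("attempt")
            handshake_client = None
    labels = {}
    for ip, kinds in events.items():
        if kinds == {"probe"}:
            labels[ip] = "probe-only"
        elif kinds == {"attempt"}:
            labels[ip] = "attempt-only"
        else:
            labels[ip] = "probe+attempt"
    return labels


if __name__ == "__main__":
    for ip, label in sorted(classify(SAMPLE_LOG).items()):
        print(f"{ip:15} {label}")
```

If the ServerTokens change has the hoped-for effect, clients should show up as probe-only after it is deployed; any probe+attempt or attempt-only entries mean the worm is trying regardless of the banner.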



