[TCLUG] perl default.ida

[Callum Lerwick]

Bob Tanner wrote:
> Quoting Thomas Eibner (thomas at stderr.net):
> 
>>On Sun, Aug 12, 2001 at 12:18:43AM -0500, Bob Tanner wrote:
>>
>>>I did a test install of the default.ida perl script and I get the
>>>
>>> Premature end of script headers: 
>>>
>>Sounds like bad cgi-script to me.
>>
> 
> Sure. I'll put it up on Real Time's web site.
> 
> http://www.real-time.com/default.txt
> 


As I have said, this is not going to work. When the real worm hits, 
Apache sees the garbage in the HTTP request (which is the virus body) 
and responds with a Bad Request error. It will not run your 
CGI/Perl/PHP/*anything you put there* unless you hack it to bypass the 
Bad Request error somehow.

Perhaps set up a custom Bad Request page with this script? I know you 
can customise all error pages, but I dunno if you can put in a CGI...

Easiest thing to do is just write a daemon that monitors Apache's access 
log and responds however you'd like.