> From: Ron Phipps > Sent: Tuesday, December 20, 2005 2:07 PM > <snip> > Are you using a script to restart your site or do you restart it by > hand? If you restart it by hand could you please setup a cgi test > domain and hit that site before you restart IC/Apache? > > Something in these worms is causing mod_interchange or IC to hang, but > I'm not sure I know where to look from here. It'd be great if there was > a script that recreated the actions of these worms, but I have not found > one yet. If we could recreate the problem on demand then it'd be much > easier to find a fix. Unfortunately right now we have to make a change > then wait for the worm to attack again. > > Does anyone know of any communities where they would post such a script? > > I think what I'm going to do next is add those xmlrpc paths to either > the ordinaryfilelist or the dropfilelist of mod_interchange so that the > posts are not passed along to IC. > The DropRequestList looks like this now in the interchange-handler section: DropRequestList /default.ida /x.ida /cmd.exe /root.exe /xmlrpc.php Since I implemented this, the site has been hit by the worm 6 times, but my script has not detected the site going down. I still think there is a problem somewhere, either in apache, mod_interchange or interchange, however I'm not sure how to go about finding the issue without an easy to reproduce case. Once someone can come up with a reproducible case I will look into a fix closer. Thanks, -Ron _______________________________________________ interchange-users mailing list suppressed http://www.icdevgroup.org/mailman/listinfo/interchange-users
Mail converted by mhonarc 2.6.15
This archive provided courtesy of JSW4.NET, Internet Hosting Services for Small Business.