[xmlrpc worm] Does it scan the servers before it probes the xmlrpc files?

on 21.01.2006 01:48:37 by hans

Hi all,

Tonight I was talking to a friend on IM about the xmlrpc worm that seems to hit
a lot of webservers. I assumed everyone was having those scans until tonight.

At my webserver I disabled sending php headers by setting expose_php to Off in
the php.ini. We talked about it and it seems that killing the headers in the
httpd.conf by setting the serversignature to off does not kill the
X-Powered-By: PHP/version header.

Since I set the expose_php setting in the php.ini to Off I do not have any
xmlrpc probes anymore.

Could someone confirm or deny this?

Regards,

Hans Wolters




--

someone found a hole in pdp's access.db? call cnn

http://blacklist.kernelnewbies.nl

Re: [xmlrpc worm] Does it scan the servers before it probes the xmlrpc files?

on 22.01.2006 11:15:00 by Chris Kronberg

On 2006-01-21, Hans wrote:
> Hi all,
>
> Tonight I was talking to a friend on IM about the xmlrpc worm that seems to hit
> a lot of webservers. I assumed everyone was having those scans until tonight.
>
> At my webserver I disabled sending php headers by setting expose_php to Off in
> the php.ini. We talked about it and it seems that killing the headers in the
> httpd.conf by setting the serversignature to off does not kill the
> X-Powered-By: PHP/version header.
>
> Since I set the expose_php setting in the php.ini to Off I do not have any
> xmlrpc probes anymore.
>
> Could someone confirm or deny this?

I don't have any php on some of my webservers yet the probes
come by regularly. There is no difference between those having
and showing a php header and those having not.
Maybe there was just a little break?

Cheers,

Chris.

Re: [xmlrpc worm] Does it scan the servers before it probes the xmlrpc files?

on 22.01.2006 13:28:36 by hans

On 22 Jan 2006 10:15:00 GMT, Chris Kronberg wrote:
> On 2006-01-21, Hans wrote:

>> At my webserver I disabled sending php headers by setting expose_php to Off in
>> the php.ini. We talked about it and it seems that killing the headers in the
>> httpd.conf by setting the serversignature to off does not kill the
>> X-Powered-By: PHP/version header.
>>
>> Since I set the expose_php setting in the php.ini to Off I do not have any
>> xmlrpc probes anymore.
>>
>> Could someone confirm or deny this?
>
> I don't have any php on some of my webservers yet the probes
> come by regularly. There is no difference between those having
> and showing a php header and those having not.
> Maybe there was just a little break?

Maybe... I'll wait and see.

Hans

--

someone found a hole in pdp's access.db? call cnn

http://blacklist.kernelnewbies.nl
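
One way to test the question raised in this thread against a server's own access log is to count xmlrpc requests per day on either side of the configuration change; this is an added example, not part of any poster's message. It assumes Apache common/combined log format and treats any request path containing "xmlrpc" as a probe; the log lines and the change date are constructed for illustration.

```python
import re
from collections import Counter
from datetime import date, datetime

# Apache common/combined log prefix: host ident user [time] "METHOD path proto" status
LINE_RE = re.compile(
    r'^\S+ \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+)[^"]*" \d{3}'
)

# Constructed sample log lines (documentation-range addresses), not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [18/Jan/2006:03:12:01 +0100] "POST /xmlrpc.php HTTP/1.1" 404 208
198.51.100.7 - - [18/Jan/2006:09:40:11 +0100] "GET /index.html HTTP/1.1" 200 1043
192.0.2.44 - - [19/Jan/2006:22:05:30 +0100] "POST /blog/xmlrpc.php HTTP/1.1" 404 213
192.0.2.44 - - [19/Jan/2006:22:05:31 +0100] "POST /xmlrpc.php HTTP/1.1" 404 208
198.51.100.7 - - [20/Jan/2006:10:00:00 +0100] "GET /index.html HTTP/1.1" 200 1043
198.51.100.7 - - [21/Jan/2006:10:00:00 +0100] "GET / HTTP/1.1" 200 1043
192.0.2.90 - - [22/Jan/2006:04:17:54 +0100] "POST /xmlrpc.php HTTP/1.1" 404 208
""".splitlines()

CHANGE_DAY = date(2006, 1, 20)  # assumed day expose_php was switched off


def probes_per_day(lines, needle="xmlrpc"):
    """Per calendar day seen in the log, count requests whose path contains needle."""
    per_day = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        day = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z").date()
        # Adding 0 still records the day, so quiet days count toward the mean.
        per_day[day] += 1 if needle in m.group("path").lower() else 0
    return per_day


def mean_before_after(per_day, change_day):
    """Mean probes per logged day before change_day and from change_day onward."""
    before = [n for d, n in per_day.items() if d < change_day]
    after = [n for d, n in per_day.items() if d >= change_day]
    mean = lambda xs: sum(xs) / len(xs) if xs else None
    return mean(before), mean(after)


if __name__ == "__main__":
    counts = probes_per_day(SAMPLE_LOG)
    for day in sorted(counts):
        print(day, counts[day])
    print("mean before/after:", mean_before_after(counts, CHANGE_DAY))
```

A window of only a few days cannot distinguish a real drop from a pause in scanning, so run it over a log that covers several weeks on each side of the change.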