Odd WordPress pingbacks

I’m getting some odd log messages for the Apache module ModSecurity. Essentially its XML parser is breaking when random places are sending pingbacks. The requests go to xmlrpc.php and the response headers are OK, but the body is binary. The message in the ModSecurity log looks like:

Message: XML parser error: XML: Failed parsing document.

After a bit of guessing and sending messages to and fro, I can now see that it is a gzipped response. So I’m not sure if it is ModSecurity not realising that the response is gzipped or WordPress not marking it correctly. In any case I can regularly get very similar binary strings using gzip and the usual XML response. So that’s half the mystery solved.

Most of the requests are from spammers, so I’m not too worried. I think it also impacts legitimate pingbacks because I’ve not had any, even from the usual automatic places.
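One way to check a captured xmlrpc.php response for the condition described above, as an added example that is not part of the original post: it looks for the gzip magic bytes, decompresses, parses the XML underneath, and reports whether the Content-Encoding header declared the compression. The sample fault body and the function names `parses_as_xml` and `diagnose` are constructed for illustration.

```python
import gzip
import zlib
import xml.etree.ElementTree as ET

GZIP_MAGIC = b"\x1f\x8b"  # first two bytes of every gzip stream (RFC 1952)

# Constructed sample of an XML-RPC fault body; not captured from a real site.
SAMPLE_XML = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b"<methodResponse><fault><value><struct>"
    b"<member><name>faultCode</name><value><int>0</int></value></member>"
    b"<member><name>faultString</name><value><string>sample</string></value></member>"
    b"</struct></value></fault></methodResponse>"
)


def parses_as_xml(body):
    """True if the bytes are well-formed XML as they stand."""
    try:
        ET.fromstring(body)
        return True
    except ET.ParseError:
        return False


def diagnose(headers, body):
    """Classify a captured response body; header names are matched case-insensitively."""
    declared = {k.lower(): v.lower() for k, v in headers.items()}.get("content-encoding", "")
    if body[:2] != GZIP_MAGIC:
        return "plain-xml" if parses_as_xml(body) else "not-xml"
    try:
        inner = gzip.decompress(body)
    except (OSError, EOFError, zlib.error):
        return "corrupt-gzip"
    if not parses_as_xml(inner):
        return "gzip-not-xml"
    # The XML is intact underneath; what matters is whether the header said so.
    return "gzip-labelled" if "gzip" in declared else "gzip-unlabelled"


if __name__ == "__main__":
    packed = gzip.compress(SAMPLE_XML)
    print(parses_as_xml(packed))  # the raw compressed bytes are what the XML parser sees
    print(diagnose({"Content-Type": "text/xml"}, packed))
    print(diagnose({"Content-Encoding": "gzip"}, packed))
```

A `gzip-unlabelled` result points at the application not marking the body; `gzip-labelled` points at the inspecting module parsing the body without decoding it.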

Apache and incomplete redirection messages

As part of moving my site around, I needed a bunch of redirects so that http://enc.com.au/docs/linuxload.html now becomes because it’s now controlled by [Wordpress][]. So I used the [RedirectPermanent][] feature of [mod_alias][2.2 mod_alias] to do it with lines like:

RedirectPermanent /docs/linuxload.html /2010/07/manually_calculating_process_times/

So you come in on /docs/linuxload.html and redirect to the blog entry, simple really! It actually works, kinda, but the log files fill with things like:

[Fri Mar 04 14:40:17 2011] [warn] [client] incomplete redirection target of '/2010/07/manually_calculating_process_times/' for URI '/docs/linuxload.html' modified to 'http://enc.com.au/2010/07/manually_calculating_process_times/

What is going on? Why won’t Apache just be quiet and be happy? The reason is in the Redirect Directive documentation on the [2.0 mod_alias][] page:

> Also, URL-path must be a fully qualified URL, not a relative path, even when used with .htaccess files or inside of sections.

But I’m running Apache 2.2 and the [2.2 mod_alias][] page says:

> The new URL should be an absolute URL beginning with a scheme and hostname, but a URL-path beginning with a slash may also be used, in which case the scheme and hostname of the current server will be added.

That’s it, you have two choices:

* Use relative URLs and have Apache complain
* Use absolute URLs and have a happy Apache

Changing the above config snippet to use an absolute URL fixed it:

RedirectPermanent /docs/linuxload.html http://enc.com.au/2010/07/manually_calculating_process_times/

[2.2 mod_alias]: http://httpd.apache.org/docs/2.2/mod/mod_alias.html
[2.0 mod_alias]: http://httpd.apache.org/docs/2.0/mod/mod_alias.html
[RedirectPermanent]: http://httpd.apache.org/docs/2.2/mod/mod_alias.html#redirectpermanent
[Wordpress]: http://www.wordpress.org/

Anti-Nimda/Code Red Auto-Emailer

The Nimda and Code Red worms really annoy the hell out of me. They put about 10-15% more load on my servers and are caused by some slack half-witted fool who calls themselves a system administrator who cannot be bothered to fix their joke of an operating system…

Now that I’ve got **that** off my chest, this script will send an email to postmaster@their_domain explaining that they should fix their computer. Note that you will quite often get a lot of bounce-backs because idiots who run unpatched servers are the same sort of idiots that don’t have common mailbox names as spelt out in RFC 2142. The script will also send one email per worm attack, so they can quite often get lots of emails; perhaps they will fix their server and stop being a nuisance on the Internet then.

To use this you will need Apache (most likely running on something that is not Windows NT), the mod_rewrite module for Apache, and PHP.

First you need a file. I called it nimda.php and put it at /var/www/nimda.php but it can go anywhere. You will need to do some editing; you can change the message to whatever you like.

Then edit the Apache configuration file to add the following:

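    RewriteEngine On
    # Worm probe paths are handed to the mailer script, with the requested
    # path passed in the url parameter.
    RewriteRule ^(.*/winnt/.*) /var/www/nimda.php?url=$1
    RewriteRule ^(.*/scripts/.*) /var/www/nimda.php?url=$1
    RewriteRule ^(.*/Admin\.dll) /var/www/nimda.php?url=$1
    # Alias maps a URL to a file path and cannot carry a query string,
    # so default.ida (Code Red) is handled with a rewrite rule as well.
    RewriteRule ^/default\.ida /var/www/nimda.php?url=default.ida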

If that damn worm comes visiting, it should work out the domain the worm is from and email the postmaster there. Note that you will get a fair few bounced emails but I have had some success with this approach with people taking notice. I’m still getting about 100 worm visits a day per computer though 🙁