This friendly taniwha decided to scan a small portion of the internet for "/server-status". A common misconfiguration on apache servers exposes a mod_status end-point to external access. This will often end in a breach of client privacy - client IP and a portion of a requested URL will be leaked to anyone viewing the mod_status end-point. Here are the scan results: just under 2 million hosts were scanned around 1% of scanned hosts had a valid server-status response and 82% of these had extended status information It seems a lot of people got caught out by reverse proxies combined with the whole "Allow from .acmecorp.com" thing. Anyway, here are a few gems: secure computing/mcafee (cap) amd (cap) pricewaterhousecoopers (cap) united nations (RP) (cap) metacafe nickelodeon opera open dns springer mcdonalds [2] [3] [4] realclimate roche telcel lots of open source projects a few foreign government sites some universities... and a metric boat-load of porn *** *** it's both fascinating and deeply disturbing to see GET-based search queries. equally fascinating is the amount of government and corporate ip addresses generating them. Here's some data: hitz.txt www_hitz.txt Let me know if you spot anything interesting. - hawkes@sota.gen.nz (@benhawkes) rss comments patsbin says: 11:48:13 Fri, 17 Sep 2010 You forgot to list the best one :) http://www.apache.org/server-status name email comment