scanning for mod_status

taniwha_bw

This friendly taniwha decided to scan a small portion of the internet for “/server-status”. A common misconfiguration on Apache servers exposes the mod_status endpoint to external access. This often ends in a breach of client privacy: with extended status enabled, the client IP and a portion of each requested URL are leaked to anyone viewing the mod_status endpoint. Here are the scan results:

  • just under 2 million hosts were scanned
  • around 1% of scanned hosts had a valid server-status response
  • and 82% of these had extended status information

It seems a lot of people got caught out by reverse proxies combined with the whole hostname-based “Allow from .acmecorp.com” thing: behind a proxy every request arrives from the proxy’s address, so if that address matches the allow rule, everyone is allowed. Anyway, here are a few gems:
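As an added example (not configuration from the post), the weak pattern described above beside a hardened equivalent; `.acmecorp.com` is the post’s placeholder domain, the two `<Location>` blocks are alternatives rather than meant to coexist, and the front-end proxy is assumed to be Apache as well.

```apache
# Weak (the pattern this post describes): hostname-based access control.
# Behind a reverse proxy every request arrives from the proxy's address;
# if that address reverse-resolves inside .acmecorp.com, everyone is let in,
# and ExtendedStatus On publishes client IPs and request lines to them.
<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from .acmecorp.com
</Location>
ExtendedStatus On

# Hardened (Apache 2.4 syntax): only the local host may read the status page,
# and client IPs / request lines are not recorded at all unless really needed.
ExtendedStatus Off
<Location /server-status>
    SetHandler server-status
    Require local
</Location>

# On the reverse proxy itself (if it is also Apache): never forward the status
# path to a backend, so a backend misconfiguration cannot leak through the proxy.
ProxyPass /server-status !
```

To verify the fix, request /server-status once from the host itself and once from an external address; only the first should return a status page.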

*** It’s both fascinating and deeply disturbing to see GET-based search queries. Equally fascinating is the amount of government and corporate IP addresses generating them.

Here’s some data:

Let me know if you spot anything interesting.