The Apache web server comes with a module called mod_status installed.
From the Apache site: http://httpd.apache.org/docs/2.0/mod/mod_status.html
The Status module allows a server administrator to find out how well their server is performing. A HTML page is presented that gives the current server statistics in an easily readable form. If required this page can be made to automatically refresh (given a compatible browser). Another page gives a simple machine-readable list of the current server state.
The details given are:
The number of workers serving requests
The number of idle workers
The status of each worker, the number of requests that worker has performed and the total number of bytes served by the worker (*)
A total number of accesses and byte count served (*)
The time the server was started/restarted and the time it has been running for
Averages giving the number of requests per second, the number of bytes served per second and the average number of bytes per request (*)
The current percentage CPU used by each worker and in total by Apache (*)
The current hosts and requests being processed (*)
If you go to a site that uses the Apache web server, you can get interesting info if you add server-status after the domain name.
If you go to http://apache.org/server-status, you will get the following:
Server Version: Apache/2.4.1 (Unix) OpenSSL/1.0.0g
Server Built: Mar 3 2012 19:35:24
Current Time: Friday, 23-Mar-2012 00:20:33 UTC
Restart Time: Tuesday, 20-Mar-2012 16:36:59 UTC
Parent Server Config. Generation: 4
Parent Server MPM Generation: 3
Server uptime: 2 days 7 hours 43 minutes 34 seconds
Total accesses: 41598844 – Total Traffic: 571.4 GB
CPU Usage: u1734.41 s1457.05 cu0 cs0 – 1.59% CPU load
207 requests/sec – 2.9 MB/second – 14.4 kB/request
24 requests currently being processed, 616 idle workers
This will be followed by a list of IP addresses and pages that were served.
This can potentially be dangerous: it doesn’t take long to write a program that crawls the web and checks whether it gets anything back when hitting domains with server-status appended.
What do you think, is this a problem or meh? I think it could be a problem: attackers can now know if you have an unpatched version of Apache running, and they can take advantage of that.
And it seems that washingtonpost.com disabled it. As of this morning you see this instead:
You don’t have permission to access /server-status on this server.
Apache Server at failover.washingtonpost.com Port 80
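A configuration that produces that kind of 403 for outside clients while keeping the page available for local monitoring, shown beside the open form it replaces. This is an added example, not configuration taken from apache.org or washingtonpost.com; it assumes Apache httpd 2.4 authorization syntax, and the 192.0.2.0/24 monitoring range is a placeholder.

```apache
# Constructed example for Apache httpd 2.4 (mod_authz_core syntax).
# 192.0.2.0/24 is a placeholder for an internal monitoring network.

LoadModule status_module modules/mod_status.so

# --- Open form (what makes /server-status readable by anyone) ---
# Shown commented out for comparison only.
#
# <Location "/server-status">
#     SetHandler server-status
#     Require all granted
# </Location>

# --- Restricted form ---
# Several Require lines directly inside a container are OR-ed together,
# so a client is allowed if it matches either line below. Every other
# client gets "403 Forbidden", as in the response quoted above.
<Location "/server-status">
    SetHandler server-status
    Require local
    Require ip 192.0.2.0/24
</Location>

# Loading mod_status switches the default to ExtendedStatus On, which is
# what adds the items marked (*) in the list above, including the current
# hosts and requests being processed. Turning it off leaves only the basic
# worker counts on the page for the clients that are still allowed in.
ExtendedStatus Off

# If the status page is not used for monitoring at all, removing the
# LoadModule line and the <Location> block is the simpler option.
```

If this server sits behind a reverse proxy on the same machine, every request arrives from 127.0.0.1 and Require local will match all of them, so in that setup drop the Require local line and allow only the monitoring address. After reloading, request /server-status from an outside address and confirm the response is 403.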