This friendly taniwha decided to scan a small portion of the internet for "/server-status". A common misconfiguration on apache servers exposes a mod_status end-point to external access. This will often end in a breach of client privacy - client IP and a portion of a requested URL will be leaked to anyone viewing the mod_status end-point. Here are the scan results:
  • just under 2 million hosts were scanned
  • around 1% of scanned hosts had a valid server-status response
  • and 82% of these had extended status information
It seems a lot of people got caught out by reverse proxies combined with the whole "Allow from .acmecorp.com" thing. Anyway, here are a few gems:
*** it's both fascinating and deeply disturbing to see GET-based search queries. equally fascinating is the amount of government and corporate ip addresses generating them.

Here's some data:
Let me know if you spot anything interesting.

- hawkes@inertiawar.com (@benhawkes)