d.w. harks wrote:
It's actually a sign that there's an IIS worm on that machine. It's not
a person, it's a virus, attempting to propagate to your machine. Since
you run Apache, you're safe from the virus, but not from the attempts.
*sigh*

The most common solution I've heard is to set up an ipchains firewall
rule that prevents that machine from hitting their Apache installations.

Another possibility, if you just want to stop logging the pests, is to put the following in the global section of your httpd.conf:


# Stop logging nimda requests, based on:
#http://lists.netfilter.org/pipermail/netfilter/2001-October/026587.html
#
SetEnvIfNoCase Request_URI /cmd.exe|/root.exe|/default.ida nimda
CustomLog /var/log/apache/access.log combined env=!nimda
# comment out next line to NOT log nimda requests
CustomLog /var/log/apache/nimda.log "%a %v %t %U" env=nimda
#
# suppress logging errors from serving 404s to the bastards:
<IfModule mod_alias.c>
RedirectMatch (.*)/root.exe http://not.nimda.friendly.invalid$1
RedirectMatch (.*)/cmd.exe http://not.nimda.friendly.invalid$1
RedirectMatch (.*)/default.ida http://not.nimda.friendly.invalid$1
</IfModule>


I have a line in there to log nimda requests to a separate file; comment it out if you don't want it. If you're maintaining separate logs for multiple VirtualHosts, repeat the CustomLog directive(s) for each one (adjust your paths):


<VirtualHost *>
ServerName www.DOMAIN.TLD
ServerAlias DOMAIN.TLD
ServerAdmin [EMAIL PROTECTED]
DocumentRoot /var/www/DOMAIN.TLD/htdocs
UserDir disabled
#keep nimda out of access.log
CustomLog /var/www/DOMAIN.TLD/log/access.log combined env=!nimda
CustomLog /var/www/DOMAIN.TLD/log/nimda.log "%a %v %t %U" env=nimda
ErrorLog /var/www/DOMAIN.TLD/log/error.log
</VirtualHost>


Being on roadrunner, I get a TON of nimda/code red requests from their 66.108.*.* addresses, & I don't like them screwing up my web logs.

(sorry, I'm a couple of days late.. catching up slowly)
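
A small summarizer for the nimda.log file written by the CustomLog line above, as an added example that is not part of the original post: it parses the "%a %v %t %U" format, re-applies the same expression as the SetEnvIfNoCase line, and counts probes per source address and per /16. The function names are hypothetical and the sample lines are constructed, using documentation addresses.

```python
import re
from collections import Counter
from datetime import datetime

# Same expression the SetEnvIfNoCase line uses (unanchored, case-insensitive).
NIMDA_RE = re.compile(r"/cmd.exe|/root.exe|/default.ida", re.IGNORECASE)
# One line of the nimda.log format "%a %v %t %U".
LINE_RE = re.compile(r"^(\S+) (\S+) \[([^\]]+)\] (.*)$")

def parse_line(line):
    """Return (addr, vhost, datetime, path), or None if the line is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    addr, vhost, stamp, path = m.groups()
    try:
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    return addr, vhost, when, path

def summarize(lines):
    """Count probes per source address and per IPv4 /16; also count skipped lines."""
    by_addr, by_net16, skipped = Counter(), Counter(), 0
    for line in lines:
        rec = parse_line(line)
        if rec is None or not NIMDA_RE.search(rec[3]):
            skipped += 1
            continue
        addr = rec[0]
        by_addr[addr] += 1
        octets = addr.split(".")
        if len(octets) == 4:
            by_net16[".".join(octets[:2]) + ".0.0/16"] += 1
    return by_addr, by_net16, skipped

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE = [
    "192.0.2.10 www.example.org [12/Oct/2001:10:11:12 -0400] /scripts/root.exe",
    "192.0.2.10 www.example.org [12/Oct/2001:10:11:13 -0400] /MSADC/root.exe",
    "192.0.2.77 www.example.org [12/Oct/2001:10:12:01 -0400] /default.ida",
    "198.51.100.5 example.org [12/Oct/2001:11:00:00 -0400] /c/winnt/system32/CMD.EXE",
    "truncated or garbage line",
]

if __name__ == "__main__":
    addrs, nets, skipped = summarize(SAMPLE)
    for net, count in nets.most_common():
        print(f"{net:18} {count}")
    print(f"skipped lines: {skipped}")
```

The per-/16 totals show whether the noise is concentrated in a few provider ranges, which is what a firewall rule of the kind mentioned above would be written against.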


