From owner-freebsd-questions Wed Sep 19 2:24:13 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from chmls20.mediaone.net (chmls20.mediaone.net [24.147.1.156]) by hub.freebsd.org (Postfix) with ESMTP id EFBD037B401 for ; Wed, 19 Sep 2001 02:24:09 -0700 (PDT)
Received: from canada.acadia.ne.mediaone.net (acadia.ne.mediaone.net [65.96.185.189]) by chmls20.mediaone.net (8.11.1/8.11.1) with ESMTP id f8J9OXx17209 for ; Wed, 19 Sep 2001 05:24:33 -0400 (EDT)
Received: (from leblanc@localhost) by canada.acadia.ne.mediaone.net (8.11.5/8.11.5) id f8J9KTH87497 for freebsd-questions@FreeBSD.ORG; Wed, 19 Sep 2001 05:20:29 -0400 (EDT) (envelope-from leblanc)
Date: Wed, 19 Sep 2001 05:20:29 -0400
From: Louis LeBlanc
To: freebsd-questions@FreeBSD.ORG
Subject: Re: NEW VIRUS - Read this!(No the virus isn't included!) - CustomLog problem solved!
Message-ID: <20010919052028.A87321@acadia.ne.mediaone.net>
Reply-To: freebsd-questions@FreeBSD.ORG
Mail-Followup-To: freebsd-questions@FreeBSD.ORG
References: <00f001c1409d$841b2860$c8e1b3d8@liquidground.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <00f001c1409d$841b2860$c8e1b3d8@liquidground.com>
User-Agent: Mutt/1.3.22.1i
X-bright-idea: Lets abolish HTML mail!
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On 09/18/01 04:56 PM, DrTebi sat at the `puter and typed:
> A little help to keep your apache logs clean (it's not perfect, but does at
> least save you some of those stupid hacking attempts). Put this into your
> httpd.conf file:
>
> # microsoft viruses
> SetEnvIf Request_URI \.exe$ other=ms-bs
> SetEnvIf Request_URI \.dll$ other=ms-bs
>
> CustomLog /path/to/your/access_log env=!other
>
>
> Any improvements are greatly appreciated.
> DrTebi

Ok, I had a little strange trouble at first, but this seems to have fixed it:

  SetEnvIf Request_URI \.exe$ ms_bs
  SetEnvIf Request_URI \.dll$ ms_bs
  SetEnvIf Request_URI share$ ms_bs

  CustomLog /var/log/httpsd/access_log common env=!ms_bs
  CustomLog /var/log/httpsd/ms-bs_log common env=ms_bs

The result is that these MS bs requests are not logged to access_log, but are logged to ms-bs_log. I think the missing 'common' token was the problem. Also, I believe the worm is requesting 'share' in some cases, so I added that. I believe I'll also add a line to keep these bs requests out of error_log.

Thanks for the suggestion!

-- 
Louis LeBlanc
leblanc@acadia.ne.mediaone.net
Fully Funded Hobbyist, KeySlapper Extraordinaire :)
http://acadia.ne.mediaone.net

Arnold's Laws of Documentation:
  (1) If it should exist, it doesn't.
  (2) If it does exist, it's out of date.
  (3) Only documentation for useless programs transcends the first two laws.
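As an added illustration (not part of any message in this thread), the Python below mirrors what the SetEnvIf/CustomLog pairs above do: it applies the same three patterns to the Request_URI of constructed Common Log Format lines and routes each line to access_log or ms-bs_log. It strips the query string before matching, because Apache's Request_URI excludes it, and it shows why the third pattern must be written share$ and not \share$ under PCRE-style engines (Apache 2.x, Python), where \s is a whitespace class.

```python
import re
from urllib.parse import urlsplit

# The three SetEnvIf patterns from the working config.  The bare "share$"
# matters: under PCRE and Python, r"\share$" means "whitespace, then hare",
# which never matches a URI path.
MS_BS_PATTERNS = [re.compile(p) for p in (r"\.exe$", r"\.dll$", r"share$")]
BUGGY_SHARE = re.compile(r"\share$")  # kept only to demonstrate the pitfall

# Common Log Format: host ident user [time] "request line" status bytes
CLF = re.compile(r'^(\S+) (\S+) (\S+) \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)$')


def request_uri(line):
    """Return Request_URI as SetEnvIf sees it: the path, without query string."""
    m = CLF.match(line)
    if m is None:
        raise ValueError("not a Common Log Format line: " + line)
    parts = m.group(5).split()  # e.g. ["GET", "/a.exe?x=1", "HTTP/1.0"]
    if len(parts) < 2:
        raise ValueError("malformed request line: " + m.group(5))
    return urlsplit(parts[1]).path


def is_ms_bs(line):
    """True when any pattern matches, i.e. SetEnvIf would set ms_bs."""
    uri = request_uri(line)
    return any(p.search(uri) for p in MS_BS_PATTERNS)


def split_log(lines):
    """Route lines like the two CustomLog directives: env=!ms_bs vs env=ms_bs."""
    access_log, ms_bs_log = [], []
    for line in lines:
        (ms_bs_log if is_ms_bs(line) else access_log).append(line)
    return access_log, ms_bs_log


# Constructed sample lines (not taken from the thread); the .exe request
# carries a query string to show that matching must ignore it.
SAMPLE = [
    '192.0.2.10 - - [19/Sep/2001:05:20:29 -0400] "GET /index.html HTTP/1.0" 200 1043',
    '192.0.2.11 - - [19/Sep/2001:05:20:30 -0400] "GET /cgi/upload.exe?dir HTTP/1.0" 404 210',
    '192.0.2.12 - - [19/Sep/2001:05:20:31 -0400] "GET /bin/probe.dll HTTP/1.0" 404 210',
    '192.0.2.13 - - [19/Sep/2001:05:20:32 -0400] "GET /pub/share HTTP/1.0" 404 210',
    '192.0.2.14 - - [19/Sep/2001:05:20:33 -0400] "GET /exe/readme.txt HTTP/1.0" 200 512',
]

if __name__ == "__main__":
    kept, diverted = split_log(SAMPLE)
    print("access_log: %d lines, ms-bs_log: %d lines" % (len(kept), len(diverted)))
```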