From owner-freebsd-questions Wed Sep 19 9: 1: 6 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from mail-relay1.mirrorimage.net (mail-relay1.mirrorimage.net [209.58.140.11]) by hub.freebsd.org (Postfix) with ESMTP id 48B7837B415 for ; Wed, 19 Sep 2001 09:00:58 -0700 (PDT)
Received: from leblanc.mirrorimage.net (leblanc.mirrorimage.net [209.192.210.146]) by mail-relay1.mirrorimage.net (8.9.3/8.9.3) with ESMTP id MAA11795 for ; Wed, 19 Sep 2001 12:00:57 -0400
Received: (from leblanc@localhost) by leblanc.mirrorimage.net (8.11.5/8.11.4) id f8JG16m21482 for freebsd-questions@freebsd.org; Wed, 19 Sep 2001 12:01:06 -0400 (EDT) (envelope-from leblanc)
Date: Wed, 19 Sep 2001 12:01:06 -0400
From: Louis LeBlanc
To: freebsd-questions@freebsd.org
Subject: Re: NEW VIRUS - Read this!(No the virus isn't included!) - CustomLog problem solved!
Message-ID: <20010919120105.B21354@acadia.ne.mediaone.net>
Reply-To: freebsd-questions@freebsd.org
Mail-Followup-To: freebsd-questions@freebsd.org
References: <003701c14113$24f36700$c8e1b3d8@liquidground.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <003701c14113$24f36700$c8e1b3d8@liquidground.com>
User-Agent: Mutt/1.3.22.1i
X-bright-idea: Lets abolish HTML mail!
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Yes, I see where you are going with the alias to dummypage.htm. I was wondering though, if there is a way to set up a handler like the Apache::CodeRed module. This takes a request for default.ida and resolves the client IP, sends a warning to securityfocus and several 'admin' addresses at the server if possible, and will cache the IP so that subsequent requests from the same IP are ignored for the next 24 hours.
BTW, I added a SetEnvIf line for default.ida so that even the stragglers from that infestation are being kept out of my logs. I did notice that you can't keep it out of error_log without some tricks like the AliasMatch directive you provided (Thanks, I think I'll use that). One of these days, I'm gonna learn Perl.

Thanks
Lou

On 09/19/01 06:58 AM, DrTebi sat at the `puter and typed:
> Hi,
> damn, I am sorry, when I copied it over it seems like I DID forget the
> 'common' keyword.
> What this does: Every time a request for one of those MS things comes in,
> apache sets up a variable "other" and names it "ms-bs". Next I am defining a
> custom log, and by putting "env=!ms-bs", I am telling apache to NOT log the
> request if the "other" environment variable has been set to "ms-bs".
> It is not necessary to additionally set up another log that WILL log the
> ms-bs stuff. This can just be left off, and simply nothing will be logged
> when the ms-bs variable is set.
>
> It will still show up in the error_log though. If you want to take this a
> step further, you might try to puzzle something together with an alias match
> to point it to a dummy-page, e.g.
> AliasMatch /scripts/.* "/path/to/htdocs/dummypage.html"
>
> You just have to be sure that there is nothing on your webserver that
> actually uses a directory called "scripts". However, I did this for my
> server, and it works fine, both my error_log and access_log are almost clean
> of MS-BS now. There are still requests for other locations like
> "/c/winnt/system....", "/d/winnt/..." and some "_mem_bin" etc., so you might
> want to filter that out too.
>
> Maybe we should try to make this work a little better altogether... filter
> out what the virus is exactly requesting for etc. I am in.
>
> DrTebi
>
> ----- Original Message -----
> From: "Louis LeBlanc"
> Newsgroups: fa.freebsd.questions
> To:
> Sent: Wednesday, September 19, 2001 2:24 AM
> Subject: Re: NEW VIRUS - Read this!(No the virus isn't included!)
> - CustomLog problem solved!
>
>
> > On 09/18/01 04:56 PM, DrTebi sat at the `puter and typed:
> > > A little help to keep your apache logs clean (it's not perfect, but does at
> > > least save you some of those stupid hacking attempts). Put this into your
> > > httpd.conf file:
> > >
> > > # microsoft viruses
> > > SetEnvIf Request_URI \.exe$ other=ms-bs
> > > SetEnvIf Request_URI \.dll$ other=ms-bs
> > >
> > > CustomLog /path/to/your/access_log env=!other
> > >
> > >
> > > Any improvements are greatly appreciated.
> > > DrTebi
> >
> > Ok, I had a little strange trouble at first, but this seems to have
> > fixed it:
> >
> > SetEnvIf Request_URI \.exe$ ms_bs
> > SetEnvIf Request_URI \.dll$ ms_bs
> > SetEnvIf Request_URI \share$ ms_bs
> >
> > CustomLog /var/log/httpsd/access_log common env=!ms_bs
> > CustomLog /var/log/httpsd/ms-bs_log common env=ms_bs
> >
> > The result is that these MS bs requests are not logged to access_log,
> > but are logged to ms-bs_log. I think the missing 'common' token was
> > the problem.
> >
> > Also, I believe the worm is requesting 'share' in some cases, so I
> > added that. I believe I'll also add a line to keep these bs requests
> > out of error_log.
> >
> > Thanks for the suggestion!
> >
> > --
> > Louis LeBlanc leblanc@acadia.ne.mediaone.net
> > Fully Funded Hobbyist, KeySlapper Extraordinaire :)
> > http://acadia.ne.mediaone.net
> >
> > Arnold's Laws of Documentation:
> > (1) If it should exist, it doesn't.
> > (2) If it does exist, it's out of date.
> > (3) Only documentation for useless programs transcends the first two laws.
> >
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-questions" in the body of the message
> >
>
--
Louis LeBlanc leblanc@acadia.ne.mediaone.net
Fully Funded Hobbyist, KeySlapper Extraordinaire :)
http://acadia.ne.mediaone.net

Its name is Public Opinion. It is held in reverence. It settles everything.
Some think it is the voice of God.
-- Mark Twain
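The thread's SetEnvIf/CustomLog trick and the Apache::CodeRed-style "warn once per IP per 24 hours" idea, as an added worked example that is not code from the thread, from Apache or from the Apache::CodeRed module. It is a small Python simulation of what Apache does with those directives: it parses a constructed httpd.conf fragment in the style Lou ended up with, applies the SetEnvIf Request_URI patterns to constructed Common Log Format lines, routes each line to whichever CustomLog's env= condition admits it, and runs a per-IP suppression cache over the hits. Two details are worth seeing: Apache matches Request_URI against the path without the query string, so `\.exe$` still catches `/scripts/root.exe?/c+dir`; and a pattern as broad as `\.dll$` diverts legitimate downloads too, the same hazard DrTebi notes for the `/scripts/` AliasMatch. The `share` rule is written as plain `share$` because under a PCRE engine (Apache 2.x) the `\s` in `\share$` is a whitespace class, not a literal "s". The conf fragment, the log lines, the IP addresses and the function names (`parse_conf`, `env_for`, `route`, `NotifyCache`, `notifications`) are all assumptions made up for this example.

```python
"""Added example: simulate Apache's SetEnvIf/CustomLog env= routing over
Common Log Format lines, plus an Apache::CodeRed-style 24-hour notify cache."""
import re
from datetime import datetime, timedelta

# Constructed httpd.conf fragment (an assumption, not the thread's literal text).
# The 'common' format token on each CustomLog is the piece the thread found
# missing; 'share$' has no backslash because under PCRE '\s' means whitespace.
HTTPD_CONF = r"""
# microsoft worms: Code Red asks for default.ida, Nimda probes for cmd.exe/root.exe
SetEnvIf Request_URI \.exe$ ms_bs
SetEnvIf Request_URI \.dll$ ms_bs
SetEnvIf Request_URI share$ ms_bs
SetEnvIf Request_URI default\.ida ms_bs
SetEnvIf Request_URI ^/scripts/ ms_bs
SetEnvIf Request_URI ^/[cd]/winnt/ ms_bs
SetEnvIf Request_URI _mem_bin ms_bs

CustomLog /var/log/httpsd/access_log common env=!ms_bs
CustomLog /var/log/httpsd/ms-bs_log common env=ms_bs
"""

# Constructed sample log lines (CLF). 10.0.0.9 and 10.0.0.7 play the worm;
# 10.0.0.5 is a legitimate client whose .dll download gets caught as well.
SAMPLE_LOG = [
    '10.0.0.5 - - [19/Sep/2001:12:01:06 -0400] "GET /index.html HTTP/1.0" 200 1234',
    '10.0.0.9 - - [19/Sep/2001:12:01:07 -0400] "GET /default.ida?XXXX HTTP/1.0" 404 281',
    '10.0.0.9 - - [19/Sep/2001:12:01:08 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 283',
    '10.0.0.9 - - [19/Sep/2001:12:01:09 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290',
    '10.0.0.7 - - [19/Sep/2001:12:02:00 -0400] "GET /_mem_bin/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 300',
    '10.0.0.5 - - [19/Sep/2001:12:03:00 -0400] "GET /downloads/tool.dll HTTP/1.0" 200 5120',
    '10.0.0.9 - - [21/Sep/2001:12:01:07 -0400] "GET /default.ida?XXXX HTTP/1.0" 404 281',
]

SETENVIF_RE = re.compile(r"^SetEnvIf\s+Request_URI\s+(\S+)\s+(\S+)$")
CUSTOMLOG_RE = re.compile(r"^CustomLog\s+(\S+)\s+(\S+)(?:\s+env=(!?)(\S+))?$")
# host ident authuser [date] "method uri proto" status bytes
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')


def parse_conf(conf):
    """Return (rules, logs): rules = [(compiled regex, var)], logs = [(file, negate, var|None)]."""
    rules, logs = [], []
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SETENVIF_RE.match(line)
        if m:
            pattern, assignment = m.groups()
            # "name" alone sets name=1, "name=value" sets a value; only the name matters here
            rules.append((re.compile(pattern), assignment.split("=", 1)[0]))
            continue
        m = CUSTOMLOG_RE.match(line)
        if m:
            logfile, _fmt, negate, var = m.groups()
            logs.append((logfile, negate == "!", var))
    return rules, logs


def env_for(rules, request_uri):
    """Variables set for a request: Request_URI is matched without the query string."""
    path = request_uri.split("?", 1)[0]
    return {var for rx, var in rules if rx.search(path)}


def route(conf, log_lines):
    """Map each CLF line to the CustomLog files whose env= condition admits it."""
    rules, logs = parse_conf(conf)
    out = {logfile: [] for logfile, _, _ in logs}
    for line in log_lines:
        m = CLF_RE.match(line)
        if not m:
            continue
        env = env_for(rules, m.group(4))
        for logfile, negate, var in logs:
            if var is None or ((var in env) != negate):  # env=var vs env=!var
                out[logfile].append(line)
    return out


class NotifyCache:
    """Per-IP suppression as described for Apache::CodeRed: warn once, then 24h silence."""
    def __init__(self, window=timedelta(hours=24)):
        self.window, self.seen = window, {}

    def should_notify(self, ip, now):
        last = self.seen.get(ip)
        if last is not None and now - last < self.window:
            return False
        self.seen[ip] = now
        return True


def notifications(conf, log_lines):
    """IPs that would trigger a warning mail, in order, over the given lines."""
    rules, _ = parse_conf(conf)
    cache, hits = NotifyCache(), []
    for line in log_lines:
        m = CLF_RE.match(line)
        if not m or not env_for(rules, m.group(4)):
            continue
        when = datetime.strptime(m.group(2).split()[0], "%d/%b/%Y:%H:%M:%S")
        if cache.should_notify(m.group(1), when):
            hits.append(m.group(1))
    return hits
```

With the constructed input, `route` puts only `/index.html` in access_log and the other six lines, including the legitimate `/downloads/tool.dll` fetch, in ms-bs_log; `notifications` reports 10.0.0.9 once for its three probes, 10.0.0.7 once, 10.0.0.5 once (the same false positive), and 10.0.0.9 again two days later when its cache entry has expired. The suppression window is what keeps a worm that retries every few seconds from turning a warning mail into a mail flood.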