Date:      Wed, 19 Sep 2001 12:01:06 -0400
From:      Louis LeBlanc <leblanc+freebsd@acadia.ne.mediaone.net>
To:        freebsd-questions@freebsd.org
Subject:   Re: NEW VIRUS - Read this!(No the virus isn't included!) - CustomLog problem solved!
Message-ID:  <20010919120105.B21354@acadia.ne.mediaone.net>
In-Reply-To: <003701c14113$24f36700$c8e1b3d8@liquidground.com>
References:  <fa.nj41kiv.hmm1ru@ifi.uio.no> <fa.jv8un7v.rmchj7@ifi.uio.no> <003701c14113$24f36700$c8e1b3d8@liquidground.com>

Yes, I see where you are going with the alias to dummypage.htm.  I was
wondering though, if there is a way to set up a handler like the
Apache::CodeRed module.  This takes a request for default.ida and
resolves the client IP, sends a warning to securityfocus and several
'admin' addresses at the server if possible, and will cache the IP so
that subsequent requests from the same IP are ignored for the next 24
hours.

BTW, I added a SetEnvIf line for default.ida so that even the
stragglers from that infestation are being kept out of my logs.
I did notice that you can't keep it out of error_log without some
tricks like the AliasMatch directive you provided (Thanks, I think
I'll use that).

One of these days, I'm gonna learn Perl.

Thanks
Lou

On 09/19/01 06:58 AM, DrTebi sat at the `puter and typed:
> Hi,
> damn, I am sorry, when I copied it over it seems like I DID forget the
> 'common' keyword.
> What this does: Every time a request for one of those MS things comes in,
> apache sets up a variable "other" and names it "ms-bs". Next I am defining a
> custom log, and by putting "env=!ms-bs", I am telling apache to NOT log the
> request if the "other" environment variable has been set to "ms-bs".
> It is not necessary to additionally set up another log that WILL log the
> ms-bs stuff. This can just be left off, and simply nothing will be logged
> when the ms-bs variable is set.
> 
> It will still show up in the error_log though. If you want to take this a
> step further, you might try to puzzle something together with an alias match
> to point it to a dummy-page, e.g.
> AliasMatch /scripts/.* "/path/to/htdocs/dummypage.html"
> 
> You just have to be sure that there is nothing on your webserver that
> actually uses a directory called "scripts". However, I did this for my
> server, and it works fine, both my error_log and access_log are almost clean
> of MS-BS now. There are still requests for other locations like
> "/c/winnt/system....", "/d/winnt/..." and some "_mem_bin" etc., so you might
> want to filter that out too.
> 
> Maybe we should try to make this work a little better altogether... filter
> out what the virus is exactly requesting for etc. I am in.
> 
> DrTebi
> 
> ----- Original Message -----
> From: "Louis LeBlanc" <leblanc+freebsd@acadia.ne.mediaone.net>
> Newsgroups: fa.freebsd.questions
> To: <freebsd-questions@freebsd.org>
> Sent: Wednesday, September 19, 2001 2:24 AM
> Subject: Re: NEW VIRUS - Read this!(No the virus isn't included!) -
> CustomLog problem solved!
> 
> 
> > On 09/18/01 04:56 PM, DrTebi sat at the `puter and typed:
> > > A little help to keep your apache logs clean (it's not perfect, but does at
> > > least save you some of those stupid hacking attempts). Put this into your
> > > httpd.conf file:
> > >
> > > # mircosoft viruses
> > > SetEnvIf Request_URI \.exe$ other=ms-bs
> > > SetEnvIf Request_URI \.dll$ other=ms-bs
> > >
> > > CustomLog /path/to/your/access_log env=!other
> > >
> > >
> > > Any improvements are greatly appreciated.
> > > DrTebi
> >
> > Ok, I had a little strange trouble at first, but this seems to have
> > fixed it:
> >
> >   SetEnvIf Request_URI \.exe$ ms_bs
> >   SetEnvIf Request_URI \.dll$ ms_bs
> >   SetEnvIf Request_URI \share$ ms_bs
> >
> >   CustomLog /var/log/httpsd/access_log common env=!ms_bs
> >   CustomLog /var/log/httpsd/ms-bs_log common env=ms_bs
> >
> > The result is that these MS bs requests are not logged to access_log,
> > but are logged to ms-bs_log.  I think the missing 'common' token was
> > the problem.
> >
> > Also, I believe the worm is requesting 'share' in some cases, so I
> > added that.  I believe I'll also add a line to keep these bs requests
> > out of error_log.
> >
> > Thanks for the suggestion!
> >
> > --
> > Louis LeBlanc       leblanc@acadia.ne.mediaone.net
> > Fully Funded Hobbyist, KeySlapper Extrordinaire :)
> > http://acadia.ne.mediaone.net                 ԿԬ
> >
> > Arnold's Laws of Documentation:
> >   (1) If it should exist, it doesn't.
> >   (2) If it does exist, it's out of date.
> >   (3) Only documentation for useless programs transcends the first two
> laws.
> >
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-questions" in the body of the message
> 
> 
> 

-- 
Louis LeBlanc       leblanc@acadia.ne.mediaone.net
Fully Funded Hobbyist, KeySlapper Extrordinaire :)
http://acadia.ne.mediaone.net                 ԿԬ

Its name is Public Opinion.  It is held in reverence.  It settles everything.
Some think it is the voice of God.
    -- Mark Twain

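Putting the pieces from this thread together in one httpd.conf fragment, as an added example rather than either poster's own configuration; the log paths, the dummy-page location and the extra URI patterns are assumptions:

```apache
# Added example (not DrTebi's or Louis's config): tag worm-style requests
# with an environment variable, then route them to their own log.

# "ms_bs" is the variable NAME. CustomLog's env= condition only tests whether
# a variable of that name is set, so SetEnvIf and CustomLog must agree on the
# name. With "SetEnvIf ... other=ms-bs" the variable is called "other", and
# "env=!ms-bs" would never match anything.
SetEnvIfNoCase Request_URI "\.exe$"          ms_bs
SetEnvIfNoCase Request_URI "\.dll$"          ms_bs
SetEnvIfNoCase Request_URI "default\.ida"    ms_bs
SetEnvIfNoCase Request_URI "^/scripts/"      ms_bs
SetEnvIfNoCase Request_URI "^/[cd]/winnt/"   ms_bs
SetEnvIfNoCase Request_URI "_mem_bin"        ms_bs

# A format nickname ("common", already defined in the stock httpd.conf) is
# required before env=; leaving it out is what broke the first version.
LogFormat "%h %l %u %t \"%r\" %>s %b" common
CustomLog /var/log/httpd/access_log common env=!ms_bs
CustomLog /var/log/httpd/ms-bs_log  common env=ms_bs

# Requests for files that do not exist still produce "File does not exist"
# entries in error_log. Mapping those paths to a real static page avoids the
# 404 and keeps error_log clean too. Only safe when nothing legitimate is
# served under these paths (assumed dummy-page location).
AliasMatch ^/scripts/.*       /usr/local/www/data/dummypage.html
AliasMatch ^/default\.ida     /usr/local/www/data/dummypage.html
AliasMatch ^/[cd]/winnt/.*    /usr/local/www/data/dummypage.html
```

Because Request_URI is matched without the query string, the Code Red `default.ida?XXXX...` request is still caught by the `default\.ida` pattern.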
