Date:      Wed, 19 Sep 2001 06:58:21 -0700
From:      "DrTebi" <drtebi@yahoo.com>
To:        <freebsd-questions@freebsd.org>, <leblanc+freebsd@acadia.ne.mediaone.net>
Subject:   Re: NEW VIRUS - Read this!(No the virus isn't included!) - CustomLog problem solved!
Message-ID:  <003701c14113$24f36700$c8e1b3d8@liquidground.com>
References:  <fa.nj41kiv.hmm1ru@ifi.uio.no> <fa.jv8un7v.rmchj7@ifi.uio.no>

Hi,
Damn, I am sorry; when I copied it over it seems like I DID forget the
'common' keyword.
What this does: every time a request for one of those MS things comes in,
apache sets up a variable "other" and names it "ms-bs". Next I am defining a
custom log, and by putting "env=!ms-bs", I am telling apache to NOT log the
request if the "other" environment variable has been set to "ms-bs".
It is not necessary to additionally set up another log that WILL log the
ms-bs stuff. This can just be left off, and simply nothing will be logged
when the ms-bs variable is set.

It will still show up in the error_log though. If you want to take this a
step further, you might try to puzzle something together with an alias match
to point it to a dummy-page, e.g.
AliasMatch /scripts/.* "/path/to/htdocs/dummypage.html"

You just have to be sure that there is nothing on your webserver that
actually uses a directory called "scripts". However, I did this for my
server, and it works fine; both my error_log and access_log are almost clean
of MS-BS now. There are still requests for other locations like
"/c/winnt/system....", "/d/winnt/..." and some "_mem_bin" etc., so you might
want to filter those out too.

Maybe we should try to make this work a little better altogether... filter
out what exactly the virus is requesting, etc. I am in.

DrTebi
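As an added illustration (not code from the thread or from Apache), the script below simulates the routing the two `CustomLog` lines produce once the `common` format token is in place: it applies the quoted `SetEnvIf` patterns to the request URI of each Common Log Format line and reports which log file the line would land in, and it applies the `AliasMatch` from above. The rule names, log paths and dummy-page path are the ones quoted in the thread; the sample log lines are constructed for this example, and stripping the query string before matching is the script's own assumption. Running it also makes the trade-off visible: a legitimate download such as a `.exe` file is diverted by the same rule, which is why keeping the second log (as in the reply below) rather than dropping those requests entirely preserves the evidence.

```python
import re

# SetEnvIf Request_URI <regex> ms_bs  ->  (compiled regex, variable name).
# "share$" is written without the backslash used in the thread because in
# Python's re module a leading \s would mean "whitespace", not a literal s.
SETENVIF_RULES = [
    (re.compile(r"\.exe$"), "ms_bs"),
    (re.compile(r"\.dll$"), "ms_bs"),
    (re.compile(r"share$"), "ms_bs"),
]

# CustomLog <file> common env=<condition>  ->  (file, condition).
# A leading "!" means "write this log only when the variable is NOT set".
CUSTOMLOG_RULES = [
    ("/var/log/httpsd/access_log", "!ms_bs"),
    ("/var/log/httpsd/ms-bs_log", "ms_bs"),
]

# AliasMatch /scripts/.* "/path/to/htdocs/dummypage.html"
# Applied unanchored, exactly as the pattern is written in the thread.
ALIAS_MATCH = (re.compile(r"/scripts/.*"), "/path/to/htdocs/dummypage.html")

# Common Log Format: host ident user [time] "request" status bytes
CLF_RE = re.compile(r'^(\S+) (\S+) (\S+) \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)$')


def request_uri(line):
    """Return the request path of a CLF line with any query string removed.
    Dropping the query string is this script's assumption about what the
    SetEnvIf Request_URI match sees."""
    m = CLF_RE.match(line)
    if m is None:
        raise ValueError("not a Common Log Format line: %r" % line)
    parts = m.group(5).split()
    if len(parts) < 2:
        raise ValueError("malformed request field: %r" % m.group(5))
    return parts[1].split("?", 1)[0]


def set_env(uri):
    """Return the set of variables the SetEnvIf rules would set for this URI."""
    return {name for pattern, name in SETENVIF_RULES if pattern.search(uri)}


def condition_met(condition, env):
    """Evaluate a CustomLog env= condition against the variables that are set."""
    if condition.startswith("!"):
        return condition[1:] not in env
    return condition in env


def route(line):
    """Return the list of log files a CLF line would be written to."""
    env = set_env(request_uri(line))
    return [path for path, cond in CUSTOMLOG_RULES if condition_met(cond, env)]


def alias_target(uri):
    """Return the file AliasMatch would serve for this URI, or None."""
    pattern, target = ALIAS_MATCH
    return target if pattern.search(uri) else None


def split_log(text):
    """Group the lines of a log by the file each would have been written to."""
    grouped = {path: [] for path, _ in CUSTOMLOG_RULES}
    for line in text.splitlines():
        if line.strip():
            for path in route(line):
                grouped[path].append(line)
    return grouped


# Constructed sample traffic for the example; not real log data.
SAMPLE_LOG = """\
10.0.0.1 - - [19/Sep/2001:06:58:21 -0700] "GET /scripts/foo.exe?x=1 HTTP/1.0" 404 276
10.0.0.2 - - [19/Sep/2001:06:58:22 -0700] "GET /index.html HTTP/1.0" 200 1523
10.0.0.3 - - [19/Sep/2001:06:58:23 -0700] "GET /c/winnt/system32/something.dll HTTP/1.0" 404 276
10.0.0.4 - - [19/Sep/2001:06:58:24 -0700] "GET /_mem_bin/share HTTP/1.0" 404 276
10.0.0.5 - - [19/Sep/2001:06:58:25 -0700] "GET /downloads/setup.exe HTTP/1.0" 200 40960
"""

if __name__ == "__main__":
    for path, lines in split_log(SAMPLE_LOG).items():
        print("%s (%d lines)" % (path, len(lines)))
        for line in lines:
            print("   ", line)
```

The last sample line is the caveat in action: `/downloads/setup.exe` is a successful (200) request that `\.exe$` nevertheless routes to `ms-bs_log`, so anyone serving Windows binaries should narrow the patterns (for example to the `/scripts/` and `/c/winnt/` prefixes the worm actually hits) rather than matching on the extension alone.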

----- Original Message -----
From: "Louis LeBlanc" <leblanc+freebsd@acadia.ne.mediaone.net>
Newsgroups: fa.freebsd.questions
To: <freebsd-questions@freebsd.org>
Sent: Wednesday, September 19, 2001 2:24 AM
Subject: Re: NEW VIRUS - Read this!(No the virus isn't included!) -
CustomLog problem solved!


> On 09/18/01 04:56 PM, DrTebi sat at the `puter and typed:
> > A little help to keep your apache logs clean (it's not perfect, but does at
> > least save you some of those stupid hacking attempts). Put this into your
> > httpd.conf file:
> >
> > # mircosoft viruses
> > SetEnvIf Request_URI \.exe$ other=ms-bs
> > SetEnvIf Request_URI \.dll$ other=ms-bs
> >
> > CustomLog /path/to/your/access_log env=!other
> >
> >
> > Any improvements are greatly appreciated.
> > DrTebi
>
> Ok, I had a little strange trouble at first, but this seems to have
> fixed it:
>
>   SetEnvIf Request_URI \.exe$ ms_bs
>   SetEnvIf Request_URI \.dll$ ms_bs
>   SetEnvIf Request_URI \share$ ms_bs
>
>   CustomLog /var/log/httpsd/access_log common env=!ms_bs
>   CustomLog /var/log/httpsd/ms-bs_log common env=ms_bs
>
> The result is that these MS bs requests are not logged to access_log,
> but are logged to ms-bs_log.  I think the missing 'common' token was
> the problem.
>
> Also, I believe the worm is requesting 'share' in some cases, so I
> added that.  I believe I'll also add a line to keep these bs requests
> out of error_log.
>
> Thanks for the suggestion!
>
> --
> Louis LeBlanc       leblanc@acadia.ne.mediaone.net
> Fully Funded Hobbyist, KeySlapper Extrordinaire :)
> http://acadia.ne.mediaone.net
>
> Arnold's Laws of Documentation:
>   (1) If it should exist, it doesn't.
>   (2) If it does exist, it's out of date.
>   (3) Only documentation for useless programs transcends the first two laws.
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
