httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From C.Hays <me...@pconline.com>
Subject Re: Conditional Logging - Apache 2.0.28 - ignoring Nimda or Code Red
Date Sun, 03 Mar 2002 03:24:11 GMT
Well, i cant help with the logging however a small script using sed and will remove the entries
from the existing logs.
I have some entries i see all the time, that i just remove and cp over to new logs which are
then parsed..
works like a charm

good luck




On Sat, 2 Mar 2002 18:52:55 -0600
"Bryan Henry" <bryan.henry@mail.utexas.edu> wrote:

> I have been trying for two weeks to configure my Apache server
> not to log all the cmd.exe and root.exe requests from an
> Nimda or Code Red infected IIS machine.
> 
> I definitely have read every faq entry and description in the manual
> for setting SetEnvIf and CustomLog.  In addition, every suggestion I
> find on the web is not working for me either.
> 
> My goal is to not log any of these attacks, never seeing
> these entries would make me very happy.
> 
> thank you for the assistance,
> ~ b r y a n   h e n r y
> 
> Running - Apache/2.0.28 (Win32)
> ------------------------------------------------------------------
> 
> I have been only able to successfully log the following in attack.log
> 
> <-snipped ip and time-> "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404
> 805
> <-snipped ip and time-> "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404
> 805
> <-snipped ip and time-> "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 805
> 
> 
> The following is the relevant section of my .conf file.
> -------------------------------------------------------------------
> <-snipped .conf->
> #
> # ErrorLog: The location of the error log file.
> # If you do not specify an ErrorLog directive within a <VirtualHost>
> # container, error messages relating to that virtual host will be
> # logged here.  If you *do* define an error logfile for a <VirtualHost>
> # container, that host's errors will be logged there and not here.
> #
> ErrorLog logs/error.log
> 
> #
> # LogLevel: Control the number of messages logged to the error.log.
> # Possible values include: debug, info, notice, warn, error, crit,
> # alert, emerg.
> #
> LogLevel warn
> 
> #
> # The following directives define some format nicknames for use with
> # a CustomLog directive (see below).
> #
> LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\""
> combined
> LogFormat "%h %l %u %t \"%r\" %>s %b" common
> LogFormat "%{Referer}i -> %U" referer
> LogFormat "%{User-agent}i" agent
> 
> # <<<< NOTE >>>  I have used all kinds of combinations of the following
> entries
> SetEnvIf Request_URI "^/scripts/root\.exe" dontlog
> SetEnvIf Request_URI "^/scripts/root\.exe^" dontlog
> SetEnvIf Request_URI "^MSADC/root\.exe^" dontlog
> SetEnvIf Request_URI "^MSADC/root\.exe" dontlog
> SetEnvIf Request_URI "^/[cd]/winnt/system32/cmd\.exe^" dontlog
> SetEnvIf Request_URI "^/[cd]/winnt/system32/cmd\.exe" dontlog
> SetEnvIf Request_URI "^/scripts/*/winnt/system32/cmd\.exe^" dontlog
> SetEnvIf Request_URI "^/scripts/*/winnt/system32/cmd\.exe" dontlog
> SetEnvIf Request_URI "^/_vti_bin/*/winnt/system32/cmd\.exe^" dontlog
> SetEnvIf Request_URI "^/_vti_bin/*/winnt/system32/cmd\.exe" dontlog
> SetEnvIf Request_URI "^/_mem_bin/*/winnt/system32/cmd\.exe^" dontlog
> SetEnvIf Request_URI "^/_mem_bin/*/winnt/system32/cmd\.exe" dontlog
> SetEnvIf Request_URI "^/winnt/system32/cmd\.exe^" dontlog
> SetEnvIf Request_URI "^/winnt/system32/cmd\.exe" dontlog
> SetEnvIf Request_URI "^/*/winnt/system32/cmd\.exe^" dontlog
> SetEnvIf Request_URI "^/*/winnt/system32/cmd\.exe" dontlog
> SetEnvIf Request_URI "^/default\.ida^" dontlog
> SetEnvIf Request_URI "^/default\.ida" dontlog
> 
> #
> # The location and format of the access logfile (Common Logfile Format).
> # If you do not define any access logfiles within a <VirtualHost>
> # container, they will be logged here.  Contrariwise, if you *do*
> # define per-<VirtualHost> access logfiles, transactions will be
> # logged therein and *not* in this file.
> #
> # <<<< NOTE >>>
> # I have disabled the following line because I use the line below it instead
> # Is this not correct?
> #CustomLog logs/access.log common
> 
> CustomLog logs/access.log common env=!dontlog
> CustomLog logs/attacks.log common env=dontlog
> 
> #
> # If you would like to have agent and referer logfiles, uncomment the
> # following directives.
> #
> CustomLog logs/referer.log referer
> CustomLog logs/agent.log agent
> 
> #
> # If you prefer a single logfile with access, agent, and referer information
> # (Combined Logfile Format) you can use the following directive.
> #
> #CustomLog logs/access.log combined
> 
> 
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
> 


-- 
Key fingerprint = C868 0131 8B45 6267 0B5F  3FE6 F39A E607 5B1D 0F82



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message