httpd-users mailing list archives

From Jack Nerad <jne...@cimedia.com>
Subject Re: Blocking those IIS virus hits (nimda)
Date Wed, 26 Jun 2002 18:16:20 GMT
On Wednesday 26 June 2002 13:50, you wrote:
> Can anything be done to block these?
>
> 64.163.235.74 - - [17/May/2002:00:21:31 -0700] "GET
> /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 311
>

Although a solution is found after a quick search on Google, I
reproduce it below for your convenience (cheers to Scotty Dexter for
providing this solution to the linux-security list).

http://www.der-keiler.de/Mailing-Lists/linuxsecurity/2001-09/0051.html

<quote>
SetEnvIfNoCase Request_URI "^/scripts/" nolog
SetEnvIfNoCase Request_URI "^/msadc/" nolog
SetEnvIfNoCase Request_URI "^/_vti_bin/" nolog
SetEnvIfNoCase Request_URI "^/_mem_bin/" nolog
SetEnvIfNoCase Request_URI "^/c/winnt/" nolog
SetEnvIfNoCase Request_URI "^/d/winnt/" nolog
SetEnvIfNoCase Request_URI "^/default.ida" nolog
Redirect gone /scripts/
Redirect gone /msadc/
Redirect gone /_vti_bin/
Redirect gone /_mem_bin/
Redirect gone /c/winnt/
Redirect gone /d/winnt/
Redirect gone /default.ida

Now add "env=!nolog" to the end of your CustomLog directive, like this:

CustomLog /usr/local/apache/logs/access_log common env=!nolog
</quote>

You could as well add a log that only logged the addresses of those you 
caught with the above magic:

LogFormat "%t %h" nimda

CustomLog /usr/local/apache/logs/nimda_log nimda env=nolog

Creative people will find a way to add those in the nimda log to their 
firewall.  (Though doing so might not be the best idea).

--
Jack Nerad

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
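
The following is an added example, not part of the original message or of the quoted linux-security post. It replays the SetEnvIfNoCase patterns over common-format log lines to show which requests would be kept out of access_log and what the "%t %h" probe log would record. It assumes the probe log is conditioned on the same nolog variable and, as a simplification, matches the path as logged without percent-decoding; all sample lines except the first are constructed.

```python
import re

# Patterns from the SetEnvIfNoCase lines in the quoted configuration.
NOLOG_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"^/scripts/", r"^/msadc/", r"^/_vti_bin/", r"^/_mem_bin/",
    r"^/c/winnt/", r"^/d/winnt/", r"^/default.ida",
)]

# Common Log Format: host ident user [time] "method path proto" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" (\d{3}) (\S+)$')

def is_nolog(path):
    """True when the request path would get the nolog variable set."""
    path = path.split("?", 1)[0]  # simplification: no percent-decoding
    return any(p.search(path) for p in NOLOG_PATTERNS)

def split_log(lines):
    """Return (access_lines, probe_entries) the way the two CustomLog lines would."""
    access, probes = [], []
    for line in lines:
        m = CLF.match(line)
        if m and is_nolog(m.group(3)):
            # Mirrors LogFormat "%t %h": timestamp, then remote host.
            probes.append("[%s] %s" % (m.group(2), m.group(1)))
        else:
            access.append(line)  # env=!nolog: everything not tagged
    return access, probes

# First line is the request quoted in the thread; the others are constructed samples.
SAMPLE = [
    '64.163.235.74 - - [17/May/2002:00:21:31 -0700] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 311',
    '192.0.2.10 - - [17/May/2002:00:22:02 -0700] "GET /index.html HTTP/1.0" 200 1043',
    '198.51.100.7 - - [17/May/2002:00:23:15 -0700] "GET /_VTI_BIN/placeholder.dll HTTP/1.0" 404 289',
    '192.0.2.10 - - [17/May/2002:00:24:40 -0700] "GET /docs/scripts/howto.html HTTP/1.0" 200 5120',
]

if __name__ == "__main__":
    access, probes = split_log(SAMPLE)
    print("access_log:", *access, sep="\n  ")
    print("nimda_log:", *probes, sep="\n  ")
```

The upper-case /_VTI_BIN/ request is tagged because the match is case-insensitive, while /docs/scripts/howto.html stays in the access log because every pattern is anchored at the start of the path.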

