httpd-users mailing list archives

From John <>
Subject Re: [users@httpd] Sanity A worm and apache
Date Tue, 25 Jan 2005 17:38:12 GMT
I believe these bugs do not affect Windows, right?

>I run a few instances of phpBB under Apache 1.x, running as the default
>Apache install under OS X client 10.3.7
>Several of my forums are getting hit with this type of thing:
> - - [24/Jan/2005:20:22:53 -0800] "GET
>(34))%252E%2527 HTTP/1.0" 302 716 "-" "Mozilla/4.0"
>Someone on the phpBB forums came up with this for a .htaccess file:
>RewriteEngine On 
># prevent access from sanity webworm a-e
>RewriteCond %{QUERY_STRING} ^(.*)highlight=\%2527 [OR]
>RewriteCond %{QUERY_STRING} ^(.*)rush=\%65\%63\%68 [OR]
>RewriteCond %{QUERY_STRING} ^(.*)rush=echo [OR]
>RewriteCond %{QUERY_STRING} ^(.*)wget\%20
>RewriteRule ^.*$ [R,L]
># prevent pre php 4.3.10 bug
>RewriteCond %{HTTP_COOKIE}% s:(.*):\%22test1\%22\%3b
>RewriteRule ^.*$ [R,L]
># prevent perl user agent (most often used by santy)
>RewriteCond %{HTTP_USER_AGENT} ^lwp.* [NC]
>RewriteRule ^.*$ [R,L]
>This is working, I no longer see 1000+ guest users on the forums, but I can
>not wonder if there is a better way. I think SetEnvIfNoCase is the better
>way, and I think I want it in the httpd.conf file so I need not worry about
>applying this new rule to all the sites, it can act on a global basis.
>The problem I have with the above is it still logs all those requests to my
>access_log, which is making a mess of things and the logs are growing much
>too fast, not to mention it is blowing out my stats on the logs as well and
>artificially inflating requests to one file.
>Is it possible to convert the above to SetEnvIfNoCase, and send those
>matches to a new log file so they do not muddy the main combined log I have
>in place.  Is it then possible to deny based on that new rule and send those
>deny logs to some other file as well?
>I am starting to think this can be done somewhat like this:
><directory />
>    order allow,deny
>    allow from all
>    deny from env=sanityworm
></directory>
>Then, I need my regex matching:
>SetEnvIfNoCase ??????? "regex here" sanityworm
>What I can not find out, what are all the options of the second part of
>SetEnvIfNoCase, is QUERY_STRING part of those option, as well as the others
>listed above?  I just don't know how to convert the rewrite rules above to
>fit into this new scenario, assuming it is the correct way to accomplish
>Then there is the logging side of this, which I have no idea how to make
>happen.  Thanks for any and all help in this.
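
One way to do what the quoted message asks, as an added example that is not part of the thread: the SetEnvIf `Request_URI` attribute does not include the query string, so mod_rewrite's `E` flag sets the variable for the query-string patterns, while `User-Agent` is matched by SetEnvIfNoCase directly. It assumes Apache 1.3 with mod_rewrite, mod_setenvif, mod_access and mod_log_config loaded; the log file names are placeholders, and the cookie rule from the quoted .htaccess is not covered.

```apache
# httpd.conf, server or <VirtualHost> context (added example, not from the thread)

RewriteEngine On

# Same query-string patterns as the quoted .htaccess rules, without the
# redundant ^(.*) prefix. QUERY_STRING is matched undecoded, so the
# percent-encoded forms are written literally.
RewriteCond %{QUERY_STRING} highlight=\%2527 [OR]
RewriteCond %{QUERY_STRING} rush=\%65\%63\%68 [OR]
RewriteCond %{QUERY_STRING} rush=echo [OR]
RewriteCond %{QUERY_STRING} wget\%20
# "-" means no substitution: E sets the variable, F answers 403 Forbidden.
RewriteRule .* - [E=sanityworm:1,F]

# User-Agent is a request header, so mod_setenvif can test it directly.
SetEnvIfNoCase User-Agent "^lwp" sanityworm

# Deny any request that carries the variable (covers the User-Agent match).
<Directory />
    Order Allow,Deny
    Allow from all
    Deny from env=sanityworm
</Directory>

# Conditional logging: flagged requests go to their own file (placeholder
# name) and are kept out of the main combined log.
CustomLog logs/access_log combined env=!sanityworm
CustomLog logs/sanityworm_log combined env=sanityworm
```

Rewrite settings in the main server configuration are not inherited by virtual hosts by default, so each `<VirtualHost>` needs `RewriteEngine On` plus `RewriteOptions inherit`, or its own copy of the rules.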
