war_pig n00b
Joined: 27 May 2002 Posts: 17
Posted: Mon May 27, 2002 10:58 pm Post subject: apache, code red, annoying logs
I just installed gentoo, and it's running great
ty gentoo dev people
and I just fired up apache and already my logs are filling up with cmd.exe crap
I know I'm not the only one who is extremely annoyed by this, and it makes it hard to make sense of yer logs, for a n00b anyway
can someone show me a script or an iptables rule that will keep code red out of my logs
even some sort of perl script I could use to parse the logs and remove that crap
or awk or something, I'm just not skilled enuf to write my own
_________________
no signature available here
DarrenM l33t
Joined: 25 Apr 2002 Posts: 653 Location: Sydney, Australia
Posted: Tue May 28, 2002 2:33 am Post subject:
You can't block it like that afaik. I had a similar problem and found that 99% of the hits were coming from just a couple of IP addresses, so I just blocked those in iptables.
If you want to read your logs without all the code red messages, just use grep to filter it.
klieber Bodhisattva
Joined: 17 Apr 2002 Posts: 3657 Location: San Francisco, CA
Posted: Tue May 28, 2002 12:04 pm Post subject:
You need to use mod_rewrite in order to block stuff like code red. Not sure if that's compiled as part of the Gentoo version of Apache, however.
Search around on the net -- there are a few examples of how to use mod_rewrite to block out code red crap.
--kurt
_________________
The problem with political jokes is that they get elected
war_pig n00b
Joined: 27 May 2002 Posts: 17
Posted: Tue May 28, 2002 3:36 pm Post subject:
thanks for the tip klieber
this is what I found, for anybody else who's been wondering how to do it:
##############################################
##### Remove IIS worm From LOG ###############
##############################################
# Tag every request whose URI starts with one of the paths the IIS worm
# probes ask for by setting the environment variable "nolog".
# SetEnvIfNoCase compares case-insensitively, so the /MSADC/ line only
# duplicates the /msadc/ one (harmless). The dot in default.ida is escaped
# so the pattern matches that file name and not any single character.
SetEnvIfNoCase Request_URI "^/scripts/" nolog
SetEnvIfNoCase Request_URI "^/msadc/" nolog
SetEnvIfNoCase Request_URI "^/MSADC/" nolog
SetEnvIfNoCase Request_URI "^/_vti_bin/" nolog
SetEnvIfNoCase Request_URI "^/_mem_bin/" nolog
SetEnvIfNoCase Request_URI "^/c/winnt/" nolog
SetEnvIfNoCase Request_URI "^/d/winnt/" nolog
SetEnvIfNoCase Request_URI "^/default\.ida" nolog
# Answer those paths with "410 Gone" instead of a normal 404 so the server
# does no further work (no filesystem lookup, no error document) for them.
Redirect gone /scripts/
Redirect gone /msadc/
Redirect gone /MSADC/
Redirect gone /_vti_bin/
Redirect gone /_mem_bin/
Redirect gone /c/winnt/
Redirect gone /d/winnt/
Redirect gone /default.ida
# Write the access log only for requests that did NOT get the nolog tag.
# This must be the CustomLog line that is actually in effect (see below).
CustomLog logs/access_log combined env=!nolog
I personally don't get it, but the default install has the mods loaded and apache restarted with no errors, so we'll see if this works
_________________
no signature available here
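For the other half of the original question, reading a log that has already filled up, here is an added example (not from the thread) that applies the same URI prefixes as the SetEnvIfNoCase lines to an existing combined-format access_log, keeps the lines worth reading, and counts the dropped probes per client address, which also shows the "just a couple of IPs" pattern DarrenM mentions. The sample log lines are constructed.

```python
import re
from collections import Counter

# Same URI prefixes the SetEnvIfNoCase lines in the Apache config match
# (compared case-insensitively, so /msadc/ also covers /MSADC/).
WORM_PREFIXES = ("/scripts/", "/msadc/", "/_vti_bin/", "/_mem_bin/",
                 "/c/winnt/", "/d/winnt/", "/default.ida")

# Apache "combined" format: host ident user [time] "request" status bytes "ref" "agent"
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" \d{3} ')

# Constructed sample lines in the style of the probes the thread complains about.
SAMPLE_LOG = """\
10.0.0.7 - - [28/May/2002:02:33:01 +1000] "GET /default.ida?NNNNNNNN%u9090%u6858 HTTP/1.0" 404 277 "-" "-"
10.0.0.7 - - [28/May/2002:02:33:02 +1000] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290 "-" "-"
10.0.0.9 - - [28/May/2002:02:33:05 +1000] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 272 "-" "-"
192.0.2.10 - - [28/May/2002:02:34:00 +1000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
192.0.2.11 - - [28/May/2002:02:34:10 +1000] "GET /scripts-of-plays.html HTTP/1.1" 200 2201 "-" "Mozilla/5.0"
this line is not in combined format and must survive the filter
"""


def is_worm_request(request):
    """True when the request line's URI starts with a worm prefix (case-insensitive)."""
    parts = request.split(" ")
    if len(parts) < 2:
        return False
    uri = parts[1].lower()
    return any(uri.startswith(prefix) for prefix in WORM_PREFIXES)


def filter_log(lines):
    """Return (lines worth reading, Counter of dropped probes per client host).
    Lines that do not parse are kept: a filter that eats what it cannot
    understand would hide exactly the odd requests worth looking at."""
    kept, dropped = [], Counter()
    for line in lines:
        match = LOG_RE.match(line)
        if match and is_worm_request(match.group("request")):
            dropped[match.group("host")] += 1
        else:
            kept.append(line)
    return kept, dropped


if __name__ == "__main__":
    kept, dropped = filter_log(SAMPLE_LOG.splitlines())
    print("\n".join(kept))
    for host, count in dropped.most_common():
        print(f"dropped {count} probe(s) from {host}")
```

Note that "/scripts-of-plays.html" is kept: the prefixes end in a slash, exactly as the config's patterns do, so a legitimate path that merely begins with the same letters is not thrown away.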
rl75 n00b
Joined: 29 May 2002 Posts: 1 Location: ashburn, va
Posted: Wed May 29, 2002 11:12 pm Post subject:
This may look strange...but it works assuming HostnameLookups is off in httpd.conf. Basically it takes the offending IP from the error_log and null routes it. You could probably do more with it...like send it to an iptables rule too. Check it out:
# Apache 1.3 error_log lines look like:
#   [Tue May 28 02:33:00 2002] [error] [client 10.0.0.7] File does not exist: /var/www/scripts/../cmd.exe
# so with HostnameLookups off, field 8 is the client IP followed by "]", which the second awk strips.
# grep --line-buffered stops grep from holding lines back while it reads from the tail -f pipe.
# Linux route(8) needs "gw" before a gateway address; a bare second address is taken as a device
# name, so the null route is installed with -host ... reject instead of "route add {} 127.0.0.1".
tail -f error_log | grep -i --line-buffered cmd.exe | awk '{print $8}' | awk -F] '{print $1}' | xargs -I {} route add -host {} reject &
_________________
When you don't know what you are doing, do it neatly.
war_pig n00b
Joined: 27 May 2002 Posts: 17
Posted: Thu May 30, 2002 12:59 pm Post subject:
thanks for all the responses
the apache modifications did the trick, once I realized the log had already been set at the top of the .conf
now, nice clean logs, for the first time since last summer
_________________
no signature available here