Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
apache, code red, annoying logs
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
war_pig
n00b
n00b


Joined: 27 May 2002
Posts: 17

PostPosted: Mon May 27, 2002 10:58 pm    Post subject: apache, code red, annoying logs Reply with quote

i just installed gentoo, and its running great
ty gentoo dev people

and i just fired up apache and already my logs are filling up with cmd.exe crap

i know im not the only one who i extremely annoyed by this, and it makes it hard to make sense of yer logs, for a n00b anyway

can someone show me a script or an iptables rule that will keep code red out of my logs

even some sort of perl script i could use to parse the logs and remove that crap

or awk or something, im just not skilled enuf to write my own
:lol:
_________________
no signature available here
Back to top
View user's profile Send private message
DarrenM
l33t
l33t


Joined: 25 Apr 2002
Posts: 653
Location: Sydney, Australia

PostPosted: Tue May 28, 2002 2:33 am    Post subject: Reply with quote

You can't block it like that afaik. I had a similar problem and found that 99% of the hits were coming from just a couple ip addresses so I just blocked those in iptables.

If you want to read your logs without all the code red messages just use grep to filter it.
Back to top
View user's profile Send private message
klieber
Bodhisattva
Bodhisattva


Joined: 17 Apr 2002
Posts: 3657
Location: San Francisco, CA

PostPosted: Tue May 28, 2002 12:04 pm    Post subject: Reply with quote

You need to use mod_rewrite in order to block stuff like code red. Not sure if that's compiled as part of the Gentoo version of Apache, however.

Search around on the net -- there are a few examples of how to use mod_rewrite to block out code red crap.

--kurt
_________________
The problem with political jokes is that they get elected
Back to top
View user's profile Send private message
war_pig
n00b
n00b


Joined: 27 May 2002
Posts: 17

PostPosted: Tue May 28, 2002 3:36 pm    Post subject: Reply with quote

thanks for the tip klieber

this is what i found, for anybody else whos been wondering how to do:

##############################################
##### Remove IIS worm From LOG ###############
#############################################
SetEnvIfNoCase Request_URI "^/scripts/" nolog
SetEnvIfNoCase Request_URI "^/msadc/" nolog
SetEnvIfNoCase Request_URI "^/MSADC/" nolog
SetEnvIfNoCase Request_URI "^/_vti_bin/" nolog
SetEnvIfNoCase Request_URI "^/_mem_bin/" nolog
SetEnvIfNoCase Request_URI "^/c/winnt/" nolog
SetEnvIfNoCase Request_URI "^/d/winnt/" nolog
SetEnvIfNoCase Request_URI "^/default.ida" nolog
Redirect gone /scripts/
Redirect gone /msadc/
Redirect gone /MSADC/
Redirect gone /_vti_bin/
Redirect gone /_mem_bin/
Redirect gone /c/winnt/
Redirect gone /d/winnt/
Redirect gone /default.ida
CustomLog logs/access_log combined env=!nolog

i personnally dont get it, but default install has the mods loaded and apache restarted with no errors, so we'll see if this works
_________________
no signature available here
Back to top
View user's profile Send private message
rl75
n00b
n00b


Joined: 29 May 2002
Posts: 1
Location: ashburn, va

PostPosted: Wed May 29, 2002 11:12 pm    Post subject: Reply with quote

This may look strange...but it works assuming HostnameLookups is off in httpd.conf. Basically it takes the offending IP from the errror_log and null routes it. You could probably do more with it...like send it to an iptables rule too. Check it out:

tail -f error_log | grep -i cmd.exe | awk '{print $8}' | awk -F] '{print $1}' | xargs -i route add {} 127.0.0.1 &
_________________
When you don't know what you are doing, do it neatly.
Back to top
View user's profile Send private message
war_pig
n00b
n00b


Joined: 27 May 2002
Posts: 17

PostPosted: Thu May 30, 2002 12:59 pm    Post subject: Reply with quote

thanks for all the respones

the apache modifications did the trick, once i realized the log haad allready been set at the top of the .conf

now, nice clean logs, for the first time since last summer :)
_________________
no signature available here
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum