Stopping worms cluttering up your Apache logs

Fed up with 90% of your Apache log entries being failed requests for root.exe, cmd.exe and default.ida (the probes sent by the Nimda and Code Red worms)? Here's how to stop it. Put the following in your httpd.conf:

# Ignore worms (needs mod_setenvif and mod_rewrite loaded)
# Request_URI and %{REQUEST_URI} hold the path only, without the query
# string, so the ?/c+dir that Nimda appends does not defeat the $ anchor
SetEnvIf        Request_URI "/(cmd\.exe|root\.exe|default\.ida)$" DontLog
RewriteEngine   on
RewriteCond     %{REQUEST_URI}  "/(cmd\.exe|root\.exe|default\.ida)$"
RewriteRule     ^.*$    - [forbidden]

and on your CustomLog line, append env=!DontLog, so it looks like this:

CustomLog               /var/apache/logs/access_log common env=!DontLog

The SetEnvIf and DontLog bits keep the request out of your access_log, and the Rewrite bits return a 403 Forbidden to the requesting PC before Apache tries to map the URI to a file, so the failed request never shows up in your error_log either.
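To see what the pattern above actually catches, here is an added example in Python that is not part of the original post: it parses a few constructed common-log-format lines, applies the post's SetEnvIf regex to the path the way Apache does (query string stripped), and classifies each line. The SEARCH-method check and the Request_Method rule it mentions are an assumed extension beyond the post's three URIs; the log lines are constructed, not real traffic.

```python
import re

# Added example, not from the original post. Applies the post's SetEnvIf
# Request_URI pattern to sample log lines the way Apache would.

# Same regex the post uses in SetEnvIf / RewriteCond.
WORM_URI = re.compile(r"/(cmd\.exe|root\.exe|default\.ida)$")

# Common log format: host ident user [date] "METHOD target PROTO" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>HTTP/\d\.\d))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_clf(line):
    """Parse one common-log-format line into a dict, or None if it does not parse."""
    m = CLF.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Apache's Request_URI / %{REQUEST_URI} carry the path only: drop ?query
    rec["path"] = rec["target"].split("?", 1)[0]
    return rec


def matches_worm_uri(path):
    """True when the post's SetEnvIf pattern would set DontLog for this path."""
    return WORM_URI.search(path) is not None


def is_webdav_search_probe(rec):
    """Assumed extension (not in the post): the SEARCH overflow probe has a
    shellcode path, so the URI pattern never matches it; match on the method.
    Apache equivalent:  SetEnvIf Request_Method "^SEARCH$" DontLog
    """
    return rec["method"] == "SEARCH"


def classify(line):
    """Return 'worm-uri', 'search-probe', 'keep' or 'unparsed' for one log line."""
    rec = parse_clf(line)
    if rec is None:
        return "unparsed"
    if matches_worm_uri(rec["path"]):
        return "worm-uri"
    if is_webdav_search_probe(rec):
        return "search-probe"
    return "keep"


def summarize(lines):
    """Count lines per class, i.e. how much of the log the filter would drop."""
    counts = {}
    for line in lines:
        label = classify(line)
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed sample log lines (not real traffic). Apache writes the
# non-printable bytes of the SEARCH probe as \xHH escapes, as shown here.
SAMPLE_LOG = [
    '10.0.0.5 - - [04/Apr/2004:01:20:01 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291',
    '10.0.0.5 - - [04/Apr/2004:01:20:02 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 283',
    '10.0.0.6 - - [04/Apr/2004:01:21:10 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858=a HTTP/1.0" 404 278',
    '10.0.0.7 - - [04/Apr/2004:01:22:33 -0500] "GET /index.html HTTP/1.1" 200 1532',
    '68.103.169.233 - - [04/Apr/2004:01:25:54 -0500] "SEARCH /\\x90\\x02\\xb1\\x02\\xb1\\x02 HTTP/1.1" 414 0',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(f"{classify(line):13s} {line}")
    print(summarize(SAMPLE_LOG))
```

Run it as a script to see each line's class and the totals. The post's regex only matches the Nimda requests with ?/c+dir appended because Apache strips the query string before the comparison; a request whose path is shellcode (the SEARCH probe) never matches it, which is why that one needs a method-based rule rather than another URI pattern.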

Categories : Web, Tech


Re: Stopping worms cluttering up your Apache logs

How can you change your SetEnvIf to stop the problem of the log being filled up with this sort of junk? 68.103.169.233 - - [04/Apr/2004:01:25:54 -0500] "SEARCH /\x90\x02\xb1\x02\xb1\x02 etc. etc. Thanks

Re: Stopping worms cluttering up your Apache logs

# Send MS IIS exploits to the company who makes them all possible!
# RedirectMatch is a mod_alias directive, so the guard is on mod_alias.c
<IfModule mod_alias.c>
RedirectMatch permanent (.*)cmd\.exe(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)root\.exe(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)/_vti_bin/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)/scripts/\.\.(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)/_mem_bin/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)/msadc/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)/MSADC/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)/c/winnt/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)/d/winnt/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)/x90/(.*)$ http://www.microsoft.com
# RedirectMatch is tested against the URL path only, not the request
# method, so these SEARCH patterns match paths containing "SEARCH", not
# requests made with the SEARCH method
RedirectMatch permanent (.*)SEARCH.x9(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)SEARCH..x9(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)SEARCH...x9(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)SEARCH....x9(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)SEARCH.....x9(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)default\.ida(.*)$ http://www.microsoft.com
</IfModule>