Stopping worms cluttering up your Apache logs
Fed up of 90% of your Apache log entries being failed requests for root.exe, cmd.exe and default.ida (caused by the Nimda worm)? Here's how to stop it. Put the following in your httpd.conf:
# Ignore worms
SetEnvIf Request_URI "/(cmd\.exe|root\.exe|default\.ida)$" DontLog
RewriteEngine on
RewriteCond %{REQUEST_URI} "/(cmd\.exe|root\.exe|default\.ida)$"
RewriteRule ^.*$ - [forbidden]
and on your CustomLog line, append env=!DontLog, so it looks like this:
CustomLog /var/apache/logs/access_log common env=!DontLog
The SetEnvIf and DontLog bits stop the request showing up in your access_log, and the Rewrite bits stop the failed request showing up in your error_log, as well as returning a 403 FORBIDDEN to the requesting PC.
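The directives above only affect requests logged after the change. As an added example (not part of the original post), this Python script applies the same pattern to an existing common-format access_log, separating the worm requests from the lines worth keeping and counting them per client. The function names, sample entries and addresses are constructed for illustration.

```python
import re
from collections import Counter

# Same pattern as the SetEnvIf / RewriteCond lines in the post.
WORM_URI = re.compile(r"/(cmd\.exe|root\.exe|default\.ida)$")
# Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(?P<host>\S+) \S+ \S+ \[[^\]]*\] "(?P<request>[^"]*)" \d{3} \S+$')

def request_path(request):
    """Path of a request line without its query string, or None if malformed."""
    parts = request.split()
    if len(parts) < 2:
        return None  # e.g. "-" logged for a timed-out connection
    # SetEnvIf's Request_URI excludes the query string, so strip it here too.
    return parts[1].split("?", 1)[0]

def split_log(lines):
    """Return (lines to keep, Counter of worm requests per client host)."""
    kept, hits = [], Counter()
    for line in lines:
        m = CLF.match(line.rstrip("\n"))
        path = request_path(m.group("request")) if m else None
        if path is not None and WORM_URI.search(path):
            hits[m.group("host")] += 1
        else:
            kept.append(line)  # unparseable lines are kept, never dropped
    return kept, hits

# Constructed sample entries (documentation address ranges), not real traffic.
SAMPLE = [
    '192.0.2.10 - - [18/Sep/2001:10:01:02 +0100] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276',
    '192.0.2.10 - - [18/Sep/2001:10:01:03 +0100] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290',
    '198.51.100.7 - - [18/Sep/2001:10:02:11 +0100] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 270',
    '203.0.113.5 - - [18/Sep/2001:10:03:40 +0100] "GET /index.html HTTP/1.1" 200 1043',
    '203.0.113.5 - - [18/Sep/2001:10:03:41 +0100] "GET /docs/cmd.exe.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [18/Sep/2001:10:04:00 +0100] "-" 408 -',
]

if __name__ == "__main__":
    kept, hits = split_log(SAMPLE)
    print("\n".join(kept))
    for host, count in hits.most_common():
        print(f"{host}: {count} worm requests")
```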
Re: Stopping worms cluttering up your Apache logs
#
# Send MS IIS Exploits to the company who makes them all possible!
#
# RedirectMatch is provided by mod_alias, so the guard tests for that module
<IfModule mod_alias.c>
RedirectMatch permanent (.*)cmd.exe(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)root.exe(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/_vti_bin\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/scripts\/\.\.(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/_mem_bin\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/msadc\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/MSADC\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/c\/winnt\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/d\/winnt\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/x90\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)SEARCH.x9(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)SEARCH..x9(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)SEARCH...x9(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)SEARCH....x9(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)SEARCH.....x9(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)default\.ida(.*)$ http://www.microsoft.com
</IfModule>