Stopping worms cluttering up your Apache logs
Fed up of 90% of your Apache log entries being failed requests for root.exe, cmd.exe and default.ida (caused by the Nimda worm)? Here's how to stop it. Put the following in your httpd.conf:
# Ignore worms
SetEnvIf Request_URI "/(cmd\.exe|root\.exe|default\.ida)$" DontLog
RewriteEngine on
RewriteCond %{REQUEST_URI} "/(cmd\.exe|root\.exe|default\.ida)$"
RewriteRule ^.*$ - [forbidden]
and on your CustomLog line, append !DontLog, so it looks like this:
CustomLog /var/apache/logs/access_log common env=!DontLog
The SetEnvIf and DontLog bits stop the request showing up in your access_log, and the Rewrite bits stop the failed request showing up in your error_log, as well as returning a 403 FORBIDDEN to the requesting PC.
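To see exactly which entries the pattern above removes from access_log, here is an added example (not part of the original post) that applies the same regular expression to constructed Common Log Format lines and counts the suppressed hits per client. It assumes Request_URI is approximated by the request target with the query string removed; the sample addresses and the function names are made up for illustration.

```python
import re
from collections import Counter

# Same pattern as the SetEnvIf / RewriteCond lines in the post (case-sensitive).
WORM_RE = re.compile(r"/(cmd\.exe|root\.exe|default\.ida)$")

# Common Log Format: host ident user [time] "METHOD target PROTO" status bytes
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) (\S+)$')

# Constructed sample lines using documentation addresses, not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [18/Sep/2001:10:00:01 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276
192.0.2.10 - - [18/Sep/2001:10:00:02 +0000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276
198.51.100.7 - - [18/Sep/2001:10:00:03 +0000] "GET /default.ida?XXXX HTTP/1.0" 404 276
203.0.113.5 - - [18/Sep/2001:10:00:04 +0000] "GET /index.html HTTP/1.0" 200 1024
203.0.113.5 - - [18/Sep/2001:10:00:05 +0000] "GET /downloads/cmd.exe.txt HTTP/1.0" 200 512
198.51.100.7 - - [18/Sep/2001:10:00:06 +0000] "GET /scripts/CMD.EXE?/c+dir HTTP/1.0" 404 276
"""


def request_uri(target):
    """Assumption: Request_URI is the request target without its query string."""
    return target.split("?", 1)[0]


def split_log(text):
    """Return (kept_lines, dropped_lines, dropped_hits_per_client)."""
    kept, dropped, per_client = [], [], Counter()
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if m and WORM_RE.search(request_uri(m.group(3))):
            dropped.append(line)          # would carry DontLog, so never written
            per_client[m.group(1)] += 1
        else:
            kept.append(line)             # unparsable lines are kept, not hidden
    return kept, dropped, per_client


if __name__ == "__main__":
    kept, dropped, per_client = split_log(SAMPLE_LOG)
    print(f"kept {len(kept)} lines, dropped {len(dropped)} lines")
    for client, hits in per_client.most_common():
        print(f"  {client}: {hits} suppressed request(s)")
    # The /cmd.exe.txt line survives because of the $ anchor; the CMD.EXE
    # line survives because the pattern is case-sensitive.
    for line in kept:
        print("KEPT", line)
```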
Re: Stopping worms cluttering up your Apache logs
#
# Send MS IIS Exploits to the company who makes them all possible!
#
# RedirectMatch is provided by mod_alias, so test for that module
<IfModule mod_alias.c>
RedirectMatch permanent (.*)cmd\.exe(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)root\.exe(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/_vti_bin\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/scripts\/\.\.(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/_mem_bin\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/msadc\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/MSADC\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/c\/winnt\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/d\/winnt\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/x90\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)SEARCH.x9(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)SEARCH..x9(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)SEARCH...x9(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)SEARCH....x9(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)SEARCH.....x9(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)default\.ida(.*)$ http://www.microsoft.com
</IfModule>