W. Jeffrey Rankin ([EMAIL PROTECTED]; Monday, July 01, 2002 3:53 PM):

> I'm wondering whether I could (or should) exclude these types of
> 'hack' attempts from my web stats:

Should depends on whether it's important to you to know how much
traffic they generate.

> [Sun Jun 30 11:00:25 2002] [error] [client ***.***.***.***] File does not
> exist: /usr/local/apache/2.0.39/htdocs/_vti_bin
> ...
> [Sun Jun 30 05:16:46 2002] [error] [client ***.***.***.***] File does not
> exist: /usr/local/apache/2.0.39/htdocs/MSADC
> ...
> [Tue Jun 25 17:49:42 2002] [error] [client ***.***.***.***] File does not
> exist: /usr/local/apache/2.0.39/htdocs/scripts
> ...

> I'm getting hundreds of such requests every week (in various other forms
> like calls to 'cmd.exe', whatever that is!).

These may be attack attempts from IIS servers infected with one or
more of the worms that came out in the last year that exploit
vulnerabilities in the shipped versions of IIS, although the ones you
list look like attacks on FrontPage support for Linux systems.


> They show up as 404 errors in my web stats.

Because your server (presumably) is not IIS (or is secured).


> I think I should exclude them as they're not really valid requests
> for files that can't be found. I'm wondering if I can do a
> REQEXCLUDE or similar directive in combination with a regex. My
> attempts so far have not been successful.

REQEXCLUDE will remove them from the Request Report. But these are all
failed requests, so they should only show up in the Failed Request
Report. To remove them from that report only, use FAILEXCLUDE, but
they still will be included in host reports, general summary, etc. If
you want to exclude these from all reports (as if the lines had not
been there) then use FILEEXCLUDE.

There are numerous examples of exclusion patterns in the list archives
of this list. Look for "Nimda" or "Code Red." However, this should
cover most of them:

FILEEXCLUDE /*/htdocs/*
FILEEXCLUDE /*/cmd.exe


-- 

Jeremy Wadsack
Wadsack-Allen Digital Group
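
Added example, not part of the original reply and not Analog code: before choosing between FAILEXCLUDE and FILEEXCLUDE, it helps to measure how much of the error log these probes account for. The sketch below tallies "File does not exist" entries by probe name and by client; the sample lines, client addresses and the `foo/cmd.exe` and `old/page.html` paths are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Apache error-log shape quoted in the thread (one entry per line):
# [date] [error] [client ADDR] File does not exist: PATH
LINE_RE = re.compile(
    r"^\[(?P<when>[^\]]+)\] \[error\] \[client (?P<client>[^\]]+)\] "
    r"File does not exist: (?P<path>\S+)$"
)
# Names mentioned in the thread, compared in lower case.
PROBE_NAMES = {"_vti_bin", "msadc", "scripts", "cmd.exe"}

def probe_name(path, docroot):
    """Return the probe name a missing path points at, or None."""
    prefix = docroot.rstrip("/") + "/"
    if not path.startswith(prefix):
        return None
    parts = path[len(prefix):].lower().split("/")
    # First component catches _vti_bin, MSADC, scripts; last catches cmd.exe.
    for candidate in (parts[0], parts[-1]):
        if candidate in PROBE_NAMES:
            return candidate
    return None

def summarize(lines, docroot):
    """Count probe hits per name and per client; list the other 404 paths."""
    by_name, by_client, other = Counter(), Counter(), []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a "File does not exist" entry
        name = probe_name(m["path"], docroot)
        if name is None:
            other.append(m["path"])
        else:
            by_name[name] += 1
            by_client[m["client"]] += 1
    return by_name, by_client, other

# Constructed sample: docroot from the thread, documentation-range addresses.
DOCROOT = "/usr/local/apache/2.0.39/htdocs"
SAMPLE = [
    f"[Sun Jun 30 11:00:25 2002] [error] [client 192.0.2.10] File does not exist: {DOCROOT}/_vti_bin",
    f"[Sun Jun 30 05:16:46 2002] [error] [client 192.0.2.10] File does not exist: {DOCROOT}/MSADC",
    f"[Tue Jun 25 17:49:42 2002] [error] [client 198.51.100.7] File does not exist: {DOCROOT}/scripts",
    f"[Tue Jun 25 17:50:01 2002] [error] [client 198.51.100.7] File does not exist: {DOCROOT}/foo/cmd.exe",
    f"[Tue Jun 25 18:02:13 2002] [error] [client 203.0.113.5] File does not exist: {DOCROOT}/old/page.html",
]
```

Calling `summarize(SAMPLE, DOCROOT)` returns the per-name counts, the per-client counts and the remaining 404 paths that are ordinary missing files. A site that really serves its own `/scripts` directory should drop that name from `PROBE_NAMES` first.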
