I found a post on Bugtraq that deals w/ configuring Apache to not log worm attacks. I modified it slightly:

    # Don't log worm attacks
    # Tag any request whose URI matches a known worm probe
    SetEnvIf Request_URI "/winnt/system32/cmd\.exe" worm
    SetEnvIf Request_URI "/scripts/root\.exe" worm
    SetEnvIf Request_URI "/MSADC/root\.exe" worm
    SetEnvIf Request_URI "/\.\." worm
    SetEnvIf Request_URI "\.\./" worm
    # CustomLog takes <file> <format> [env=...]; env=!worm logs every
    # request except the tagged ones. Use this in place of the existing
    # access-log CustomLog line (path and format shown are the stock
    # ones; keep your own).
    CustomLog logs/access_log common env=!worm
    # End worm stuff

Add that to httpd.conf and restart Apache to prevent your logs from filling up. Note that this doesn't prevent your machine from processing the requests, just from logging them. To blackhole the offending computer, you could do something like (untested)

    CustomLog "|exec sh" "/sbin/ipchains -I input -s REMOTE_HOST -j DENY" env=nimda

(matter of fact, if someone could try that and report success/failure.. that'd be kewl)

--
Douglas J. Hunley
Unix/Linux Admin
http://linux.nf

Down the wire, off the router, through the firewall, nothing but 'Net...
_______________________________________________
Linux-users mailing list
Archives, Digests, etc at http://linux.nf/mailman/listinfo/linux-users
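
An added example, not part of the original post: a Python sketch that applies the same URI patterns to access-log lines and counts matches per source, accepting only literal IP addresses, as a review step before any address goes near a firewall rule. The log lines, the function name and the threshold are constructed for illustration, and Common Log Format is assumed.

```python
import ipaddress
import re
from collections import Counter

# URI patterns copied from the SetEnvIf lines in the message above.
WORM_PATTERNS = [re.compile(p) for p in (
    r"/winnt/system32/cmd\.exe",
    r"/scripts/root\.exe",
    r"/MSADC/root\.exe",
    r"/\.\.",
    r"\.\./",
)]

# Common Log Format: host ident user [time] "METHOD uri proto" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "\S+ (\S+)[^"]*" \d{3} \S+')


def worm_sources(lines, threshold=2):
    """Return {ip: hits} for clients with at least `threshold` matching requests."""
    hits = Counter()
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not a well-formed log line
        host, uri = m.groups()
        try:
            ip = ipaddress.ip_address(host)  # reject hostnames and junk
        except ValueError:
            continue
        path = uri.split("?", 1)[0]  # Request_URI excludes the query string
        if any(p.search(path) for p in WORM_PATTERNS):
            hits[str(ip)] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}


# Constructed sample input (documentation address ranges).
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Sep/2001:10:01:02 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276',
    '192.0.2.10 - - [18/Sep/2001:10:01:03 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 274',
    '192.0.2.10 - - [18/Sep/2001:10:01:04 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290',
    '198.51.100.7 - - [18/Sep/2001:10:02:00 -0400] "GET /index.html HTTP/1.1" 200 1043',
    '198.51.100.7 - - [18/Sep/2001:10:02:05 -0400] "GET /docs/../index.html HTTP/1.1" 200 1043',
    'host.example.net - - [18/Sep/2001:10:03:00 -0400] "GET /scripts/root.exe HTTP/1.0" 404 276',
]

if __name__ == "__main__":
    for ip, n in sorted(worm_sources(SAMPLE_LOG).items()):
        print(ip, n)
```

The single `..` request from 198.51.100.7 stays below the threshold, which shows why the two dot-dot patterns alone are a weak basis for blocking a source.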