Well, first hit didn't turn out too bad...

Typical Nimda worm hit here (of course, excuse the word wrap):
63.44.253.111 - - [10/Nov/2001:02:49:01 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 319
63.44.253.111 - - [10/Nov/2001:02:49:02 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 317
63.44.253.111 - - [10/Nov/2001:02:49:03 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 327
63.44.253.111 - - [10/Nov/2001:02:49:04 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 327
63.44.253.111 - - [10/Nov/2001:02:49:05 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 341
63.44.253.111 - - [10/Nov/2001:02:49:06 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 358
63.44.253.111 - - [10/Nov/2001:02:49:07 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 358
63.44.253.111 - - [10/Nov/2001:02:49:08 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 374
63.44.253.111 - - [10/Nov/2001:02:49:09 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 340
63.44.253.111 - - [10/Nov/2001:02:49:10 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 340
63.44.253.111 - - [10/Nov/2001:02:49:11 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 340
63.44.253.111 - - [10/Nov/2001:02:49:12 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 340
63.44.253.111 - - [10/Nov/2001:02:49:13 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 324
63.44.253.111 - - [10/Nov/2001:02:49:13 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 324
63.44.253.111 - - [10/Nov/2001:02:49:15 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 341
63.44.253.111 - - [10/Nov/2001:02:49:16 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 341

Modified httpd.conf items you pointed out for us to add (I wanted to get the
whole enchilada..):
# Don't log worm attacks
SetEnvIf Request_URI "/winnt/system32/cmd\.exe" worm
SetEnvIf Request_URI "/scripts/root\.exe" worm
SetEnvIf Request_URI "/MSADC/root\.exe" worm
SetEnvIf Request_URI "/\.\." worm
SetEnvIf Request_URI "\.\./" worm
# No leading space here: a Request_URI never contains one, so " /msadc/" could never match
SetEnvIf Request_URI "/msadc/" worm
SetEnvIf Request_URI "/c/winnt/" worm
SetEnvIf Request_URI "/d/winnt/" worm
SetEnvIf Request_URI "/scripts/" worm
SetEnvIf Request_URI "/_vti_bin/" worm
SetEnvIf Request_URI "/_mem_bin/" worm

# Tagged requests go to /dev/null; the regular access_log CustomLog still
# records them unless that line also gets env=!worm
CustomLog /dev/null env=worm
# The rules above set "worm", not "nimda", so env=nimda would never fire.
# The second argument is a log format string: REMOTE_HOST would be written to
# sh literally, %a is the client IP and the only thing the shell ever sees.
CustomLog "|exec sh" "/sbin/ipchains -I input -s %a -j DENY" env=worm
# End worm stuff
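As an added example (not code from either mail), a small Python checker that applies the same Request_URI patterns to Common Log Format lines, counts tagged hits per client, and shows which rule never fires. The sample lines and the 192.0.2.x addresses are constructed, and blackhole_command() is a hypothetical helper that models the piped-CustomLog idea with the client address validated before it is handed to anything.

```python
import re
from collections import Counter
from ipaddress import ip_address

# The SetEnvIf Request_URI patterns from the httpd.conf block above, as Python
# regexes. The leading space in " /msadc/" is kept on purpose: a Request_URI
# never contains a space, so that rule can never fire.
WORM_RE = [re.compile(p) for p in (
    r"/winnt/system32/cmd\.exe", r"/scripts/root\.exe", r"/MSADC/root\.exe",
    r"/\.\.", r"\.\./", r" /msadc/", r"/c/winnt/", r"/d/winnt/",
    r"/scripts/", r"/_vti_bin/", r"/_mem_bin/")]

# Common Log Format: host ident user [time] "method uri proto" status bytes
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) \S+$')

def parse_clf(line):
    """Return (host, uri, status) for one access_log line, or None if not CLF."""
    m = CLF_RE.match(line)
    return (m.group(1), m.group(2), int(m.group(3))) if m else None

def matched_rules(uri):
    """Indexes of the patterns that would set the 'worm' env var for this URI."""
    return [i for i, rx in enumerate(WORM_RE) if rx.search(uri)]

def worm_hits(lines):
    """Per-client count of tagged requests, plus how often each rule fired."""
    per_host, rule_use = Counter(), Counter()
    for line in lines:
        rec = parse_clf(line)
        rules = matched_rules(rec[1]) if rec else []
        if rules:
            per_host[rec[0]] += 1
            rule_use.update(rules)
    return per_host, rule_use

def blackhole_command(host):
    """Hypothetical: the command a piped CustomLog logging only %a would hand
    to sh. ip_address() raises ValueError on anything that is not an address,
    so no request-controlled text can reach the shell."""
    return f"/sbin/ipchains -I input -s {ip_address(host)} -j DENY"

# Constructed sample lines modelled on the access_log excerpt (192.0.2.x are
# documentation addresses, not real hosts).
SAMPLE = [
    '192.0.2.10 - - [10/Nov/2001:02:49:01 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 319',
    '192.0.2.10 - - [10/Nov/2001:02:49:05 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 341',
    '192.0.2.10 - - [10/Nov/2001:02:49:08 -0500] "GET /msadc/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 374',
    '192.0.2.20 - - [10/Nov/2001:03:00:00 -0500] "GET /index.html HTTP/1.0" 200 1024',
]
```

Running worm_hits(SAMPLE) tags the three 192.0.2.10 requests and nothing from 192.0.2.20, and rule 5 (the " /msadc/" pattern) shows a count of zero even though the third line is an /msadc/ request.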


Errors in httpd error_log:
[Sat Nov 10 02:49:01 2001] [error] [client 63.44.253.111] File does not exist: /home/httpd/html/scripts/root.exe
[Sat Nov 10 02:49:02 2001] [error] [client 63.44.253.111] File does not exist: /home/httpd/html/MSADC/root.exe
[Sat Nov 10 02:49:03 2001] [error] [client 63.44.253.111] File does not exist: /home/httpd/html/c/winnt/system32/cmd.exe
[Sat Nov 10 02:49:04 2001] [error] [client 63.44.253.111] File does not exist: /home/httpd/html/d/winnt/system32/cmd.exe
[Sat Nov 10 02:49:05 2001] [error] [client 63.44.253.111] File does not exist: /home/httpd/html/scripts/..%5c../winnt/system32/cmd.exe
[Sat Nov 10 02:49:06 2001] [error] [client 63.44.253.111] File does not exist: /home/httpd/html/_vti_bin/..%5c../..%5c../..%5c../winnt/system$
[Sat Nov 10 02:49:07 2001] [error] [client 63.44.253.111] File does not exist: /home/httpd/html/_mem_bin/..%5c../..%5c../..%5c../winnt/system$
[Sat Nov 10 02:49:08 2001] [error] [client 63.44.253.111] File does not exist: /home/httpd/html/msadc/..%5c../..%5c../..%5c/..Á^\../..Á^\../.$
[Sat Nov 10 02:49:09 2001] [error] [client 63.44.253.111] File does not exist: /home/httpd/html/scripts/..Á^\../winnt/system32/cmd.exe
[Sat Nov 10 02:49:11 2001] [error] [client 63.44.253.111] File does not exist: /home/httpd/html/scripts/..À¯../winnt/system32/cmd.exe
[Sat Nov 10 02:49:12 2001] [error] [client 63.44.253.111] File does not exist: /home/httpd/html/scripts/..Áœ../winnt/system32/cmd.exe
[Sat Nov 10 02:49:15 2001] [error] [client 63.44.253.111] File does not exist: /home/httpd/html/scripts/..%5c../winnt/system32/cmd.exe
[Sat Nov 10 02:49:16 2001] [error] [client 63.44.253.111] File does not exist: /home/httpd/html/scripts/..%2f../winnt/system32/cmd.exe

Didn't notice whether the
"CustomLog "|exec sh" "/sbin/ipchains -I input -s REMOTE_HOST -j DENY" env=nimda"
worked or not.. I don't think so, as I have no denies in tail messages all
night.

I owe, I owe, so it's off to work I go....

<snip>
> On Friday 09 November 2001 07:56, you were heard blurting out:
> > I found a post on Bugtraq that deals w/ configuring Apache to not log
> > worm attacks. I modified it slightly: # Don't log worm attacks
> > SetEnvIf Request_URI "/winnt/system32/cmd\.exe" worm
> > SetEnvIf Request_URI "/scripts/root\.exe" worm
> > SetEnvIf Request_URI "/MSADC/root\.exe" worm
> > SetEnvIf Request_URI "/\.\." worm
> > SetEnvIf Request_URI "\.\./" worm
> >
> > CustomLog /dev/null env=worm
> > # End worm stuff
> >
> > add that to httpd.conf and restart apache to prevent your logs from
> > filling up. Note that this doesn't prevent your machine from processing
> > the requests, just from logging them. To blackhole the offending
> > computer, you could do something like (untested)
> >
> > CustomLog "|exec sh" "/sbin/ipchains -I input -s REMOTE_HOST -j DENY"
> > env=nimda
> >
> > (matter of fact, if someone could try that and report success/failure..
> > that'd be kewl)
> >
> > --
> > Douglas J. Hunley
> > Unix/Linux Admin
> > http://linux.nf
> >
> > Down the wire, off the router,
> > through the firewall, nothing
> > but 'Net...
> >
> > _______________________________________________
> > Linux-users mailing list
> > Archives, Digests, etc at http://linux.nf/mailman/listinfo/linux-users

-- 
  Bill Day ( a.k.a. BadMan )            188133 http://counter.li.org
  irc.openprojects.net                  #linux-users ( Open 24/7 )
  Our crystal tears now fall upon the ashes, but from the dust shall grow a
  spirit, to be in compassion for those who are lost, and one in determination
  to break those who dare test our resolve to be free...
  
                 http://www.daysdomain.com/tribute.html
  
  4:30am  up 100 days, 19:01, 22 users,  load average: 0.00, 0.00, 0.00