Hello,

There are several Windows NT viruses trying to get into web servers (search,
for example, for "Nimda Worm" in Google for more information).

What I'm doing to avoid the error log on my systems is bounce these requests
to a script using mod_rewrite. In httpd.conf, I add this:

####### Worm Catch #######
RewriteEngine on
# Nimda Worm! (extensions as a group; [...] would be a character class)
RewriteRule   ^/(.*)\.(exe|dll|ida)  /myPath/WormCatch/Nimda-Worm.pl  [T=application/x-httpd-cgi,L]
<Directory "/vhome/WormCatch">
AllowOverride None
Options ExecCGI
Order allow,deny
Allow from all
</Directory>
###### / Worm Catch ######

The script is very simple: it just sends an output line and increases the
value of a counter.

Regards,
Tomás

> hi guys,
> 
> I found the lines shown below in the Apache log messages and I got a feeling I'm
> hacked.
> 
> Sat Aug 17 15:36:51 2002] [error] [client 192.168.0.188] File does not exist:
> /usr/local/argon/doc/_vti_bin/shtml.exe/_vti_rpc
> [Sat Aug 17 15:38:58 2002] [error] [client 192.168.0.188] File does not exist:
> /usr/local/argon/doc/_vti_inf.html
> [Sat Aug 17 15:38:59 2002] [error] [client 192.168.0.188] File does not exist:
> /usr/local/argon/doc/_vti_bin/shtml.exe/_vti_rpc
> [Sat Aug 17 16:27:54 2002] [error] [client 192.168.0.188] File does not exist:
> /usr/local/argon/doc/_vti_inf.html
> [Sat Aug 17 16:27:54 2002] [error] [client 192.168.0.188] File does not exist:
> /usr/local/argon/doc/_vti_bin/shtml.exe/_vti_rpc
> 
> Can you please confirm the same and help me out to block it?
> Note: I did not find any logs in /var/log/secure and /var/log/messages from Aug
> 13 to Aug 17 as well.
> 
> Thanks & Warm Regards
> =======================
> Ashwin Khandare
> Engineer
> Western Outdoor Interactive

+--                                --+
    Tomás García Ferrari
    Bigital
    http://bigital.com/
+--                                --+
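
Added example, not part of the original post: Python that reads error_log entries like the quoted ones and counts, per client, which missing-file requests a rule with the extension group `(exe|dll|ida)` would divert and which it would not. The DocumentRoot is an assumption inferred from the logged paths, and the last two sample lines and the second client address are constructed.

```python
import re
from collections import Counter

# Assumption: DocumentRoot inferred from the paths in the quoted log.
DOCROOT = "/usr/local/argon/doc"

# Same pattern as the RewriteRule, with the extensions as a group.
WORM_RULE = re.compile(r"^/(.*)\.(exe|dll|ida)")

# "File does not exist" entry; the leading "[" is optional because the
# first pasted line in the thread lost it.
ENTRY = re.compile(
    r"^\[?(?P<when>[^\]]+)\] \[error\] \[client (?P<client>[^\]]+)\] "
    r"File does not exist: (?P<path>\S+)$"
)

# First three lines come from the quoted message (unwrapped);
# the last two are constructed for illustration.
SAMPLE_LOG = """\
Sat Aug 17 15:36:51 2002] [error] [client 192.168.0.188] File does not exist: /usr/local/argon/doc/_vti_bin/shtml.exe/_vti_rpc
[Sat Aug 17 15:38:58 2002] [error] [client 192.168.0.188] File does not exist: /usr/local/argon/doc/_vti_inf.html
[Sat Aug 17 15:38:59 2002] [error] [client 192.168.0.188] File does not exist: /usr/local/argon/doc/_vti_bin/shtml.exe/_vti_rpc
[Sat Aug 17 16:30:02 2002] [error] [client 192.168.0.77] File does not exist: /usr/local/argon/doc/cgi-bin/test.dll
[Sat Aug 17 16:31:10 2002] [error] [client 192.168.0.77] File does not exist: /usr/local/argon/doc/favicon.ico
"""


def triage(log_text, docroot=DOCROOT):
    """Return (caught, missed): per-client counts of missing-file errors
    that the rewrite rule would / would not have diverted."""
    caught, missed = Counter(), Counter()
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m or not m["path"].startswith(docroot):
            continue  # not a missing-file entry under this DocumentRoot
        url_path = m["path"][len(docroot):]  # filesystem path -> URL path
        bucket = caught if WORM_RULE.match(url_path) else missed
        bucket[m["client"]] += 1
    return caught, missed


if __name__ == "__main__":
    caught, missed = triage(SAMPLE_LOG)
    print("diverted by rule:", dict(caught))
    print("still in error_log:", dict(missed))
```

Requests for `_vti_inf.html` do not match the rule, so they would keep appearing in the error log.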
