I've never found an address to report worms like these to Comcast, either. A few of the addresses that have contributed the most to my (long) apache logs have found their way into my ipchains rules, but beyond that, there doesn't seem to be much you can do about it, unless you're into gloating because Apache on Linux is immune to Code Red and Nimda :)
As for cleaning the offending lines out of your access_log, I suppose you could do it with grep -v or a perl script, but a good log analyzer should already know about the worms, and report them separately if at all. (Note -- I'm basing my definition of what a "good" log analyzer "should" do on what AWStats[1] does.)

- Gary

[1] http://awstats.sourceforge.net/

> I'm running apache on my linux box at home (comcast cable
> connection) and my access_log is full of lines like this:
>
> 12.231.0.23 - - [12/Nov/2003:19:40:39 -0800] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 358 "-" "-"
> 12.231.0.23 - - [12/Nov/2003:19:40:54 -0800] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 372 "-" "-"
>
> A quick search on google tells me this is either nimda or code red
> trying to exploit IIS, and that I should notify the ISP that owns
> the address where these are coming from. Sounds like a good idea to
> me, but I'm not seeing anything on the comcast webpage (do a whois
> on the address and it's for sure a comcast one) where I can call or
> email this sort of thing in. Anybody here done that before? Is it
> worth the trouble?
>
> Also, anyone know a good way to expunge this stuff from my log files
> so I can see the more interesting information there?
>
> Thanks,
>
> Bryan

____________________
BYU Unix Users Group
http://uug.byu.edu/
___________________________________________________________________
List Info: http://uug.byu.edu/cgi-bin/mailman/listinfo/uug-list
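Gary's grep -v suggestion, worked out as a small POSIX shell script that filters the probes out of access_log, extracts just the probes (handy if you do find an abuse address to send them to), and tallies the source addresses. This is an added example, not code from Gary, Bryan or the list; the embedded sample log is constructed from the two lines Bryan quoted plus four made-up lines using RFC 5737 documentation addresses, and the pattern list (root.exe, winnt/system32/cmd.exe, default.ida) is an assumption that covers the request paths Code Red and Nimda probe for but would also drop any legitimate request containing those strings, so write the filtered copy to a new file rather than editing the only copy in place.

```shell
#!/bin/sh
# worm_filter.sh - strip Code Red / Nimda probe lines out of an Apache
# access_log, or tally the addresses that sent them.
# Added example, not from the original thread. Needs only POSIX sh,
# grep -E, awk, sort, uniq.

# Request strings the IIS worms probe for. Assumption: this list is
# deliberately short and coarse; a legitimate URL containing any of these
# would be filtered out as well, so never filter the only copy of a log.
WORM_RE='root\.exe|/winnt/system32/cmd\.exe|default\.ida'

# Constructed sample: the two lines from the post plus four made-up ones
# (documentation addresses for the extra clients, a shortened default.ida
# request in place of the real padding).
SAMPLE_LOG='12.231.0.23 - - [12/Nov/2003:19:40:39 -0800] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 358 "-" "-"
12.231.0.23 - - [12/Nov/2003:19:40:54 -0800] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 372 "-" "-"
12.231.0.23 - - [12/Nov/2003:19:41:10 -0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 352 "-" "-"
198.51.100.7 - - [12/Nov/2003:20:02:17 -0800] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 340 "-" "-"
203.0.113.9 - - [12/Nov/2003:20:05:01 -0800] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Nov/2003:20:05:02 -0800] "GET /photos/ HTTP/1.1" 200 2210 "http://example.org/index.html" "Mozilla/5.0"'

# Everything that is NOT a worm probe, read from stdin. grep exits 1 when
# it selects nothing, which is not an error here, so map that to success.
strip_worm_lines() {
    grep -Eiv "$WORM_RE" || [ $? -eq 1 ]
}

# Only the worm probes, read from stdin (e.g. to attach to a complaint).
worm_lines() {
    grep -Ei "$WORM_RE" || [ $? -eq 1 ]
}

# One "address count" line per probing client, busiest first; useful
# when deciding which addresses are worth a firewall rule.
worm_sources() {
    worm_lines | awk '{ print $1 }' | sort | uniq -c | sort -rn \
        | awk '{ print $2, $1 }'
}

# Usage:
#   sh worm_filter.sh clean   < access_log > access_log.clean
#   sh worm_filter.sh probes  < access_log > worm_probes.log
#   sh worm_filter.sh sources < access_log
#   sh worm_filter.sh demo              # tally the embedded sample
case "${1:-}" in
    clean)   strip_worm_lines ;;
    probes)  worm_lines ;;
    sources) worm_sources ;;
    demo)    printf '%s\n' "$SAMPLE_LOG" | worm_sources ;;
esac
```

The case-insensitive match (-i) is deliberate: the same probes show up as /MSADC/root.exe and /msadc/root.exe. Running `sources` over a real log and cross-checking the top entries with whois is also the quickest way to decide whether a complaint to the owning ISP is worth writing.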
