From: Louis LeBlanc
To: questions@FreeBSD.ORG
Date: Wed, 17 Oct 2001 11:30:32 -0400
Subject: Re: nimda & code-red & apache error logs
Message-ID: <20011017113032.A95075@acadia.ne.mediaone.net>
In-Reply-To: <20011017074511.U85958-100000@localhost>

On 10/17/01 07:46 AM, David Kirchner sat at the `puter and typed:
> On Wed, 17 Oct 2001, Maine LOA List Admin (Brent Bailey) wrote:
>
> > I'm running a 4.3 FBSD machine that has Apache 1.3.19. I'm aware that these
> > viri are intended for IIS webservers, but on my webservers ... machines
> > that are infected with Nimda or Code Red trying to access my Apache
> > webservers is creating a ton of error logs. I'm not sure this is affecting
> > the performance of the box, but I know that the amount of Windows machines
> > infected from these viri is crazy.
> >
> > Seems most all the machines I've seen trying to access my webserver are from
> > class A IP addresses ... of 65.x.x.x
> > Is there a way to either stop the amount of logging this is causing?? Or at
> > least stop the logging from these types of requests.
> >
> > Brent
>
> The most elegant (i.e. simple) way I've seen people do this is to change
> your ErrorLog line from:
>
> ErrorLog /usr/local/example_path/logs/error_log
>
> to:
>
> ErrorLog "|egrep -v '\.exe' >> /usr/local/example_path/logs/error_log"

This would probably work, but you'll kill your server invoking egrep for
every single log entry.

Check out http://acadia.ne.mediaone.net/Nimda/ for some ideas on reporting
infections and reducing/eliminating these log entries. But I'll snip the
important bit for eliminating the log entries:

. . .
you can also keep it out of the access logs (along with the other Nimda and
CodeRed hits) with the following configuration directives in your httpd.conf:

  SetEnvIf Request_URI \.exe$ ms_bs
  SetEnvIf Request_URI \.dll$ ms_bs
  SetEnvIf Request_URI default\.ida ms_bs
  CustomLog /var/log/httpsd/access_log common env=!ms_bs
  CustomLog /WWW/log/ms-bs_log common env=ms_bs

Of course, you'll need to modify the paths in the last two lines, and if you
just leave out the last line, you won't even have to deal with these entries.
Personally, I think we should just email them all to Bill Gates! :-)
. . .

Now the last CustomLog line will direct all MS BS to the specified log.
Omitting that line altogether will just throw those entries out and you will
never see them.

If you want to report these infections to the abuse authorities, install the
Apache::CodeRed and Apache::Nimda perl modules and configure them
appropriately. These modules will add a small amount of load to your server,
but only until the number of infected servers starts to drop. However, there
is a pretty good caching mechanism that skips all subsequent hits from a given
IP for a 24 hour period (can be reconfigured if you want). If you don't want
to get any responses from the abuse authorities or see any of the reports
yourself (it can turn into quite a few mail messages) you can just munge the
address so that your real address can be determined by a human reader.

I have not seen a single CodeRed hit in about a week, probably because Nimda
is a bigger bug and probably takes over the CodeRed turf. Most (95% at least)
of the hits I see are from the 65.x.x.x class of IPs, mostly from home.com,
rr.com, and mediaone.net.

As bugs go, Nimda has to be the most interesting I've seen so far. I've
probably gotten well over 150,000 hits from that one alone. The scary thing
is that some servers got that within the first couple days. Man.

HTH
Lou
--
Louis LeBlanc               leblanc@acadia.ne.mediaone.net
Fully Funded Hobbyist, KeySlapper Extraordinaire :)
http://acadia.ne.mediaone.net

Eternal nothingness is fine if you happen to be dressed for it.
    -- Woody Allen
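As an added example (not code from the post or from any of its authors), the following Python script applies the three SetEnvIf patterns from the httpd.conf snippet to a handful of constructed access_log lines, routes each line the way the two CustomLog directives would (env=!ms_bs to access_log, env=ms_bs to ms-bs_log), and tallies the diverted hits per client address, which is the figure you would want before reporting a host to its abuse contact. It assumes, as the mod_setenvif documentation states, that Request_URI is the request path without the query string, so a probe such as /scripts/root.exe?/c+dir still ends in .exe. It writes the Code Red pattern as default\.ida (escaped dot, no backslash before the d) because PCRE-style engines, Python's re and Apache 2.x included, read a backslash followed by d as a digit class; the last function shows that the mistyped form matches nothing useful. The log lines and addresses are constructed, not real traffic.

```python
"""Mirror the SetEnvIf/CustomLog split on constructed access_log lines."""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Equivalents of the three SetEnvIf Request_URI patterns.  The third uses a
# literal, escaped dot and no backslash before the 'd' (see
# mistyped_pattern_matches below for why that matters).
MS_BS_PATTERNS = [
    re.compile(r"\.exe$"),
    re.compile(r"\.dll$"),
    re.compile(r"default\.ida"),
]

# Constructed sample lines in Apache "common" log format; not real traffic.
SAMPLE_LOG = """\
65.0.0.1 - - [17/Oct/2001:11:30:01 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 287
65.0.0.2 - - [17/Oct/2001:11:30:02 -0400] "GET /default.ida?NNNN HTTP/1.0" 404 280
10.0.0.5 - - [17/Oct/2001:11:30:03 -0400] "GET /index.html HTTP/1.0" 200 1342
65.0.0.1 - - [17/Oct/2001:11:30:04 -0400] "GET /scripts/sample.dll HTTP/1.0" 404 290
10.0.0.6 - - [17/Oct/2001:11:30:05 -0400] "GET /images/exe.gif HTTP/1.0" 200 512
10.0.0.7 - - [17/Oct/2001:11:30:06 -0400] "GET /readme.txt HTTP/1.0" 200 64
"""

REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d"')
CLIENT_IP = re.compile(r"^(\S+) ")


def request_uri(log_line: str) -> str:
    """Return what mod_setenvif exposes as Request_URI: the request path
    without the query string.  Returns '' for lines that do not parse."""
    m = REQUEST_LINE.search(log_line)
    if not m:
        return ""
    return m.group("target").split("?", 1)[0]


def is_ms_bs(uri: str) -> bool:
    """True when any SetEnvIf pattern matches, i.e. ms_bs would be set."""
    return any(p.search(uri) for p in MS_BS_PATTERNS)


def split_log(lines: List[str]) -> Tuple[List[str], List[str]]:
    """Route lines as the two CustomLog directives would:
    env=!ms_bs -> access_log (kept), env=ms_bs -> ms-bs_log (diverted)."""
    kept: List[str] = []
    diverted: List[str] = []
    for line in lines:
        if not line.strip():
            continue
        (diverted if is_ms_bs(request_uri(line)) else kept).append(line)
    return kept, diverted


def hits_by_ip(diverted: List[str]) -> Dict[str, int]:
    """Count diverted hits per client address."""
    counts = Counter()
    for line in diverted:
        m = CLIENT_IP.match(line)
        if m:
            counts[m.group(1)] += 1
    return dict(counts)


def mistyped_pattern_matches(uri: str = "/default.ida") -> bool:
    """Pitfall check: with a backslash before the 'd', PCRE-style engines read
    the pattern as <digit>efault<any>ida, which never matches the probe path."""
    return bool(re.search(r"\default.ida", uri))


if __name__ == "__main__":
    kept, diverted = split_log(SAMPLE_LOG.splitlines())
    print(f"access_log keeps {len(kept)} lines, ms-bs_log gets {len(diverted)}")
    for ip, n in sorted(hits_by_ip(diverted).items()):
        print(f"  {ip}: {n} hit(s)")
    print("mistyped pattern matches /default.ida:", mistyped_pattern_matches())
```

Run it as-is to see three lines stay in access_log (including /images/exe.gif, which contains "exe" but does not end in .exe, so the $ anchor leaves it alone) and three go to ms-bs_log, two of them from the same address.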