Date:      Wed, 19 Sep 2001 05:20:29 -0400
From:      Louis LeBlanc <leblanc+freebsd@acadia.ne.mediaone.net>
To:        freebsd-questions@FreeBSD.ORG
Subject:   Re: NEW VIRUS - Read this!(No the virus isn't included!) - CustomLog problem solved!
Message-ID:  <20010919052028.A87321@acadia.ne.mediaone.net>
In-Reply-To: <00f001c1409d$841b2860$c8e1b3d8@liquidground.com>
References:  <fa.i8s2cav.1cj05p6@ifi.uio.no> <00f001c1409d$841b2860$c8e1b3d8@liquidground.com>

On 09/18/01 04:56 PM, DrTebi sat at the `puter and typed:
> A little help to keep your apache logs clean (it's not perfect, but does at
> least save you some of those stupid hacking attempts). Put this into your
> httpd.conf file:
> 
> # mircosoft viruses
> SetEnvIf Request_URI \.exe$ other=ms-bs
> SetEnvIf Request_URI \.dll$ other=ms-bs
> 
> CustomLog /path/to/your/access_log env=!other
> 
> 
> Any improvements are greatly appreciated.
> DrTebi

Ok, I had a little strange trouble at first, but this seems to have
fixed it:

  SetEnvIf Request_URI \.exe$ ms_bs
  SetEnvIf Request_URI \.dll$ ms_bs
  SetEnvIf Request_URI share$ ms_bs

  CustomLog /var/log/httpsd/access_log common env=!ms_bs
  CustomLog /var/log/httpsd/ms-bs_log common env=ms_bs

The result is that these MS bs requests are not logged to access_log,
but are logged to ms-bs_log.  I think the missing 'common' token was
the problem.

Also, I believe the worm is requesting 'share' in some cases, so I
added that.  I believe I'll also add a line to keep these bs requests
out of error_log.

Thanks for the suggestion!

-- 
Louis LeBlanc       leblanc@acadia.ne.mediaone.net
Fully Funded Hobbyist, KeySlapper Extraordinaire :)
http://acadia.ne.mediaone.net

Arnold's Laws of Documentation:
  (1) If it should exist, it doesn't.
  (2) If it does exist, it's out of date.
  (3) Only documentation for useless programs transcends the first two laws.
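As an added illustration (not part of the original post, and not Apache code), the following Python script emulates the SetEnvIf/CustomLog split described above: it applies the three patterns to the Request_URI of some constructed common-format log lines and routes each line to either access_log or ms-bs_log, the way the two CustomLog directives do. It also shows a regex caveat worth knowing: in a PCRE-style engine (Apache 2.x, and Python's re module), \s means whitespace, so a pattern written as \share$ would not match a path ending in "share". All addresses, paths and log lines are constructed sample data.

```python
import re

# Constructed sample access-log lines in Apache "common" format; not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [19/Sep/2001:05:20:28 -0400] "GET /index.html HTTP/1.0" 200 1234
192.0.2.11 - - [19/Sep/2001:05:20:29 -0400] "GET /scripts/anything.exe HTTP/1.0" 404 210
192.0.2.12 - - [19/Sep/2001:05:20:30 -0400] "GET /some/library.dll?x=1 HTTP/1.0" 404 210
192.0.2.13 - - [19/Sep/2001:05:20:31 -0400] "GET /c/share HTTP/1.0" 404 210
192.0.2.14 - - [19/Sep/2001:05:20:32 -0400] "GET /docs/share-notes.html HTTP/1.0" 200 987
"""

# The three SetEnvIf patterns from the reply above, applied to Request_URI.
# The third is written without a backslash on purpose: in a PCRE-style engine
# "\s" means whitespace, so "\share$" would match " hare" at the end of a path,
# not the word "share".
MS_BS_PATTERNS = [re.compile(p) for p in (r"\.exe$", r"\.dll$", r"share$")]

# Request field of a common-format line: "METHOD TARGET PROTOCOL"
REQUEST_RE = re.compile(r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)"')


def request_uri(line):
    """Return the Request_URI (path without query string) of a common-format
    log line, or None if the line has no parsable request field."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    return m.group("target").split("?", 1)[0]


def env_set(uri, patterns=MS_BS_PATTERNS):
    """Emulate 'SetEnvIf Request_URI <regex> ms_bs': True if any pattern matches."""
    return any(p.search(uri) for p in patterns)


def split_log(text, patterns=MS_BS_PATTERNS):
    """Emulate the two CustomLog lines: env=!ms_bs goes to access_log,
    env=ms_bs goes to ms-bs_log. Returns a dict of log name -> list of lines."""
    out = {"access_log": [], "ms-bs_log": []}
    for line in text.splitlines():
        uri = request_uri(line)
        if uri is None:
            continue  # skip lines without a request field
        out["ms-bs_log" if env_set(uri, patterns) else "access_log"].append(line)
    return out


def backslash_s_pitfall():
    """Show why '\\share$' is not a literal match in a PCRE-style engine.
    Returns (matches '/c/share', matches '/c/ hare')."""
    bad = re.compile(r"\share$")
    return (bad.search("/c/share") is not None, bad.search("/c/ hare") is not None)


if __name__ == "__main__":
    for name, lines in split_log(SAMPLE_LOG).items():
        print(f"== {name} ({len(lines)} lines)")
        for entry in lines:
            print(entry)
    print("backslash-s pitfall (literal, whitespace):", backslash_s_pitfall())
```

Run as-is, two of the five sample lines land in access_log and three in ms-bs_log; the .html line containing "share-notes" stays in access_log because the pattern is anchored with $. One caveat on the last paragraph of the reply: Apache's ErrorLog directive takes no env= condition, so the CustomLog trick cannot be used to keep these requests out of error_log.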


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010919052028.A87321>