From owner-freebsd-questions Wed Sep 19 7: 0:18 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from smtp013.mail.yahoo.com (smtp013.mail.yahoo.com [216.136.173.57]) by hub.freebsd.org (Postfix) with SMTP id 6CA2E37B41B; Wed, 19 Sep 2001 07:00:14 -0700 (PDT)
Received: from unknown (HELO RAMBUS) (216.179.225.200) by smtp.mail.vip.sc5.yahoo.com with SMTP; 19 Sep 2001 13:58:05 -0000
Message-ID: <003701c14113$24f36700$c8e1b3d8@liquidground.com>
Reply-To: "DrTebi"
From: "DrTebi"
Subject: Re: NEW VIRUS - Read this!(No the virus isn't included!) - CustomLog problem solved!
Date: Wed, 19 Sep 2001 06:58:21 -0700
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Hi,

damn, I am sorry, when I copied it over it seems like I DID forget the 'common' keyword.

What this does: Every time a request for one of those MS things comes in, Apache sets up a variable "other" and names it "ms-bs". Next I am defining a custom log, and by putting "env=!ms-bs", I am telling Apache to NOT log the request if the "other" environment variable has been set to "ms-bs".

It is not necessary to additionally set up another log that WILL log the ms-bs stuff. This can just be left off, and simply nothing will be logged when the ms-bs variable is set. It will still show up in the error_log though.

If you want to take this a step further, you might try to puzzle something together with an alias match to point it to a dummy page, e.g.

AliasMatch /scripts/.* "/path/to/htdocs/dummypage.html"

You just have to be sure that there is nothing on your webserver that actually uses a directory called "scripts". However, I did this for my server, and it works fine; both my error_log and access_log are almost clean of MS-BS now. There are still requests for other locations like "/c/winnt/system....", "/d/winnt/..." and some "_mem_bin" etc., so you might want to filter that out too.

Maybe we should try to make this work a little better altogether... filter out what the virus is exactly requesting for etc. I am in.

DrTebi

----- Original Message -----
From: "Louis LeBlanc"
Newsgroups: fa.freebsd.questions
Sent: Wednesday, September 19, 2001 2:24 AM
Subject: Re: NEW VIRUS - Read this!(No the virus isn't included!) - CustomLog problem solved!

> On 09/18/01 04:56 PM, DrTebi sat at the `puter and typed:
> > A little help to keep your apache logs clean (it's not perfect, but does at
> > least save you some of those stupid hacking attempts). Put this into your
> > httpd.conf file:
> >
> > # microsoft viruses
> > SetEnvIf Request_URI \.exe$ other=ms-bs
> > SetEnvIf Request_URI \.dll$ other=ms-bs
> >
> > CustomLog /path/to/your/access_log env=!other
> >
> > Any improvements are greatly appreciated.
> > DrTebi
>
> Ok, I had a little strange trouble at first, but this seems to have
> fixed it:
>
> SetEnvIf Request_URI \.exe$ ms_bs
> SetEnvIf Request_URI \.dll$ ms_bs
> SetEnvIf Request_URI \share$ ms_bs
>
> CustomLog /var/log/httpsd/access_log common env=!ms_bs
> CustomLog /var/log/httpsd/ms-bs_log common env=ms_bs
>
> The result is that these MS bs requests are not logged to access_log,
> but are logged to ms-bs_log. I think the missing 'common' token was
> the problem.
>
> Also, I believe the worm is requesting 'share' in some cases, so I
> added that. I believe I'll also add a line to keep these bs requests
> out of error_log.
>
> Thanks for the suggestion!
>
> --
> Louis LeBlanc leblanc@acadia.ne.mediaone.net
> Fully Funded Hobbyist, KeySlapper Extrordinaire :)
> http://acadia.ne.mediaone.net
>
> Arnold's Laws of Documentation:
> (1) If it should exist, it doesn't.
> (2) If it does exist, it's out of date.
> (3) Only documentation for useless programs transcends the first two laws.
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
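The SetEnvIf / CustomLog env= mechanism the two posts are tuning is easy to misread (the env= condition tests whether a variable is set, and a request matching no CustomLog condition is simply not written anywhere). The following is an added example, not code from either poster or from Apache: a small Python model of that routing, run over constructed sample requests. The rule list mirrors Louis's fixed httpd.conf; the extra patterns for "/c/winnt/", "/d/winnt/" and "_mem_bin" are assumptions drawn from the paths DrTebi says still show up, and "/share$" is used in place of the quoted "\share$" because "\s" is a whitespace class in PCRE-style regexes. The log file names, client addresses and URIs are constructed for the example.

```python
import re

# Added example (not from the list posts): each SetEnvIf line is
# (regex applied to Request_URI, environment variable to set).
# Patterns beyond .exe/.dll/share are assumptions based on the paths
# DrTebi mentions; "/share$" replaces "\share$" (see lead-in).
SETENVIF_RULES = [
    (r"\.exe$", "ms_bs"),
    (r"\.dll$", "ms_bs"),
    (r"/share$", "ms_bs"),
    (r"^/c/winnt/", "ms_bs"),
    (r"^/d/winnt/", "ms_bs"),
    (r"_mem_bin", "ms_bs"),
]

# Each CustomLog line is (log file, env condition).  A leading "!" means
# "write only when the variable is NOT set", as in httpd.conf.
CUSTOM_LOGS = [
    ("/var/log/httpsd/access_log", "!ms_bs"),
    ("/var/log/httpsd/ms-bs_log", "ms_bs"),
]


def set_env_if(request_uri):
    """Apply every SetEnvIf rule; return the environment variables that got set."""
    env = {}
    for pattern, var in SETENVIF_RULES:
        if re.search(pattern, request_uri):
            env[var] = "1"
    return env


def env_condition_holds(condition, env):
    """Evaluate a CustomLog env= condition ('name' or '!name') against env.

    Only presence is tested: env=!ms_bs suppresses the line when ms_bs is
    set to anything at all, which is why DrTebi's original 'other=ms-bs'
    plus 'env=!other' also works."""
    negated = condition.startswith("!")
    name = condition[1:] if negated else condition
    present = name in env
    return not present if negated else present


def route_request(request_uri):
    """Return the log files a request with this URI would be written to."""
    env = set_env_if(request_uri)
    return [log for log, cond in CUSTOM_LOGS if env_condition_holds(cond, env)]


def common_log_line(client, method, uri, status, size):
    """Format one line in Apache's 'common' LogFormat (fixed placeholder timestamp)."""
    return f'{client} - - [19/Sep/2001:06:58:21 -0700] "{method} {uri} HTTP/1.0" {status} {size}'


def route_all(requests):
    """Group formatted log lines by destination file.

    A request matching no CustomLog condition is dropped silently, which is
    the behaviour DrTebi describes when the second CustomLog is left off."""
    by_log = {log: [] for log, _ in CUSTOM_LOGS}
    for client, method, uri, status, size in requests:
        for log in route_request(uri):
            by_log[log].append(common_log_line(client, method, uri, status, size))
    return by_log


# Constructed sample traffic: two ordinary page hits and a handful of
# worm-style probes of the kind the thread is filtering out of access_log.
SAMPLE_REQUESTS = [
    ("192.0.2.10", "GET", "/index.html", 200, 1043),
    ("192.0.2.11", "GET", "/scripts/root.exe", 404, 212),
    ("192.0.2.12", "GET", "/c/winnt/system32/cmd.exe", 404, 212),
    ("192.0.2.13", "GET", "/_mem_bin/root.exe", 404, 212),
    ("192.0.2.14", "GET", "/msadc/root.dll", 404, 212),
    ("192.0.2.15", "GET", "/about/share", 404, 212),
    ("192.0.2.16", "GET", "/docs/sharing.html", 200, 5120),
]

if __name__ == "__main__":
    for log, lines in route_all(SAMPLE_REQUESTS).items():
        print(f"== {log} ({len(lines)} lines)")
        for line in lines:
            print(line)
```

Running the block prints two lines under access_log and five under ms-bs_log; note that "/docs/sharing.html" stays in access_log because "/share$" is anchored, whereas a bare "share" substring rule would have pulled legitimate pages into the worm log.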