LinuxQuestions.org
03-19-2005, 02:26 AM   #1
jon_k
Member
Registered: Jul 2003
Location: Fort Worth, Texas
Distribution: Mepis Linux 2004
Posts: 547
Trying to log MS exploits on apache to separate file not working!


I created my own rules to try and dump those stupid MS exploits to a separate log (and not clutter access.log), but it's not working!

[SOLVED] I posted my solution to the problem below. Hope it helps anyone who stumbles across this via Google or LQ.org search! :-)

Last edited by jon_k; 03-19-2005 at 04:22 AM.
 
03-19-2005, 04:00 AM   #2
jon_k
Member
Registered: Jul 2003
Location: Fort Worth, Texas
Distribution: Mepis Linux 2004
Posts: 547
Original Poster
Solved!

After a bit of reading of the Apache manual, I found a solution. Here's exactly what you need to copy to your httpd.conf:

Code:
# Jon Kelley's Apache Log Junk Filter
# Created Mar 19, 2005
# Website: http://www.uberleet.org
# E-Mail:  jonkelley@gmail.com

#FILTERS
# We'll use these directives to trap a bunch of worms/exploits.
<IfModule mod_setenvif.c>
   # Every request starts out with "log" set; the worm rules below clear it
   # again (!log). Without this line CustomLog env=log would never log anything.
   SetEnvIf Request_URI "." log
   SetEnvIfNoCase Request_URI "/c/winnt/" worm !log
   SetEnvIfNoCase Request_URI "/d/winnt/" worm !log
   SetEnvIfNoCase Request_URI "/e/winnt/" worm !log
   SetEnvIfNoCase Request_URI "/f/winnt/" worm !log
   SetEnvIfNoCase Request_URI "/_mem_bin/..%255c../" worm !log
   SetEnvIfNoCase Request_URI "/msadc/..%255c../" worm !log
   SetEnvIfNoCase Request_URI "/MSADC/root.exe?" worm !log
   SetEnvIfNoCase Request_URI "null\.ida" worm !log
   SetEnvIfNoCase Request_URI "/scripts/..%252f../" worm !log
   SetEnvIfNoCase Request_URI "/scripts/..%25%35%63../" worm !log
   SetEnvIfNoCase Request_URI "/scripts/..%255c../winnt/" worm !log
   SetEnvIfNoCase Request_URI "/scripts/..%%35%63../" worm !log
   SetEnvIfNoCase Request_URI "/scripts/..%%35c../" worm !log
   SetEnvIfNoCase Request_URI "/scripts/..%c0%2f../" worm !log
   SetEnvIfNoCase Request_URI "/scripts/..%c0%af../" worm !log
   SetEnvIfNoCase Request_URI "/scripts/..%c1%1c../" worm !log
   SetEnvIfNoCase Request_URI "/scripts/..%c1%9c../" worm !log
   SetEnvIfNoCase Request_URI "/scripts/root.exe?" worm !log
   SetEnvIfNoCase Request_URI "/_vti_bin/..%255c../" worm !log
   SetEnvIfNoCase Request_URI "\/\x90\x02" worm !log
   SetEnvIf Request_URI "Admin\.dll" worm !log
   SetEnvIf Request_URI "(admin|httpodbc)\.dll(.*)$" worm !log
   SetEnvIf Request_URI "cmd\.exe" worm !log
   SetEnvIf Request_URI "(cmd|root|shell)\.exe(.*)$" worm !log
   SetEnvIf Request_URI "^/default\.(ida|idq)(.*)$" worm !log
   SetEnvIf Request_URI "default\.ida" worm !log
   SetEnvIf Request_URI "nsiislog\.dll(.*)$" worm !log
   # PROPFIND is the request method, not part of the URI, so test Request_Method.
   SetEnvIf Request_Method "^PROPFIND$" worm !log
   SetEnvIf Request_URI "root\.exe" worm !log
   SetEnvIf Request_URI "_vti_inf\.html$" worm !log
</IfModule>

#OPTIONAL
# EVIL BIT: Redirect all this junk to the company who makes it possible!
# I mean, they should get to see the type of crap that us apache admins put up with.
# RedirectMatch belongs to mod_alias, not mod_rewrite, so that is the module
# to test for (RewriteEngine is not needed).
<IfModule mod_alias.c>
   RedirectMatch permanent (.*)cmd\.exe(.*)$  http://www.microsoft.com
   RedirectMatch permanent (.*)root\.exe(.*)$  http://www.microsoft.com
   RedirectMatch permanent (.*)\/_vti_bin\/(.*)$  http://www.microsoft.com
   RedirectMatch permanent (.*)\/scripts\/\.\.(.*)$  http://www.microsoft.com
   RedirectMatch permanent (.*)\/_mem_bin\/(.*)$  http://www.microsoft.com
   RedirectMatch permanent (.*)\/msadc\/(.*)$  http://www.microsoft.com
   RedirectMatch permanent (.*)\/MSADC\/(.*)$  http://www.microsoft.com
   RedirectMatch permanent (.*)\/c\/winnt\/(.*)$  http://www.microsoft.com
   RedirectMatch permanent (.*)\/d\/winnt\/(.*)$  http://www.microsoft.com
   RedirectMatch permanent (.*)\/x90\/(.*)$  http://www.microsoft.com
</IfModule>

# Here's where you set your log locations.
# My logs are in /var/log/apache, but you can put the logs
# wherever you like. If you don't wanna keep logs of the worms
# at all then you could even set that to /dev/null!
# A request is written to access_log only while "log" is still set,
# and to worm.log only when a rule above set "worm".
CustomLog /var/log/apache/access_log combined env=log
CustomLog /var/log/apache/worm.log combined env=worm

Last edited by jon_k; 03-19-2005 at 04:50 AM.
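A dry run of the rules above, as an added example that is not part of the post: it re-implements the SetEnvIf/SetEnvIfNoCase match and the two CustomLog env= destinations in Python, so the patterns can be checked against existing access_log lines (or a whole log split retroactively) before editing httpd.conf. The list names, helper functions and the sample log lines are mine; the `/[c-f]/winnt/` class collapses the four winnt rules, and PROPFIND is matched against the request method rather than the URI.

```python
import re

# Added example (not from the post). SetEnvIfNoCase rules get re.IGNORECASE,
# SetEnvIf rules stay case-sensitive; the DEFAULT.IDA sample shows the difference.
NOCASE_URI = [
    r"/[c-f]/winnt/",                      # collapses the /c/ .. /f/ winnt rules
    r"/_mem_bin/\.\.%255c\.\./", r"/msadc/\.\.%255c\.\./", r"/msadc/root\.exe\?",
    r"null\.ida", r"/scripts/\.\.%252f\.\./", r"/scripts/\.\.%25%35%63\.\./",
    r"/scripts/\.\.%255c\.\./winnt/", r"/scripts/\.\.%%35%63\.\./",
    r"/scripts/\.\.%%35c\.\./", r"/scripts/\.\.%c0%2f\.\./", r"/scripts/\.\.%c0%af\.\./",
    r"/scripts/\.\.%c1%1c\.\./", r"/scripts/\.\.%c1%9c\.\./", r"/scripts/root\.exe\?",
    r"/_vti_bin/\.\.%255c\.\./", r"/\x90\x02",
]
CASE_URI = [
    r"Admin\.dll", r"(admin|httpodbc)\.dll", r"cmd\.exe", r"(cmd|root|shell)\.exe",
    r"^/default\.(ida|idq)", r"default\.ida", r"nsiislog\.dll", r"root\.exe",
    r"_vti_inf\.html$",
]
WORM_NOCASE = re.compile("|".join(NOCASE_URI), re.IGNORECASE)
WORM_CASE = re.compile("|".join(CASE_URI))
WORM_METHOD = re.compile(r"^PROPFIND$")   # a method, so checked against the method field

# Pulls "METHOD URI [PROTOCOL]" out of a Common/Combined Log Format line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+)(?: HTTP/[\d.]+)?"')

def is_worm(line: str) -> bool:
    """True if the rules would set env 'worm' (and clear 'log') for this line."""
    m = REQUEST_RE.search(line)
    if not m:
        return False  # malformed request line: leave it in the normal log
    method, uri = m.group("method"), m.group("uri")
    return bool(WORM_METHOD.match(method) or WORM_NOCASE.search(uri) or WORM_CASE.search(uri))

def split_log(lines):
    """Return (access_lines, worm_lines), the two CustomLog destinations."""
    access, worm = [], []
    for line in lines:
        (worm if is_worm(line) else access).append(line)
    return access, worm

# Constructed sample lines, not a real capture.
SAMPLE = [
    '10.0.0.1 - - [19/Mar/2005:04:00:01 -0600] "GET /index.html HTTP/1.1" 200 512 "-" "-"',
    '10.0.0.2 - - [19/Mar/2005:04:00:02 -0600] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290 "-" "-"',
    '10.0.0.3 - - [19/Mar/2005:04:00:03 -0600] "GET /default.ida?XXXX HTTP/1.0" 404 290 "-" "-"',
    '10.0.0.3 - - [19/Mar/2005:04:00:04 -0600] "GET /DEFAULT.IDA?XXXX HTTP/1.0" 404 290 "-" "-"',  # case-sensitive rule misses it
    '10.0.0.4 - - [19/Mar/2005:04:00:05 -0600] "PROPFIND / HTTP/1.1" 405 0 "-" "-"',
]
```

Feeding a real access_log through `split_log` shows which lines the worm rules would have caught and which slip through because a case-sensitive SetEnvIf rule does not match an upper-case variant.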
 
03-19-2005, 10:54 AM   #3
NoStop
Member
Registered: Feb 2005
Location: Canada
Distribution: Debian Etch - Enlightenment E17
Posts: 116
Bravo! Posted it in my weblog to help spread the word. :-)

Cheers