Posted to users@httpd.apache.org by Bryan Henry <br...@mail.utexas.edu> on 2002/03/03 01:52:55 UTC

Conditional Logging - Apache 2.0.28 - ignoring Nimda or Code Red

I have been trying for two weeks to configure my Apache server
not to log all the cmd.exe and root.exe requests from a
Nimda or Code Red infected IIS machine.

I definitely have read every FAQ entry and description in the manual
for setting SetEnvIf and CustomLog.  In addition, every suggestion I
find on the web is not working for me either.

My goal is to not log any of these attacks; never seeing
these entries would make me very happy.

thank you for the assistance,
~ b r y a n   h e n r y

Running - Apache/2.0.28 (Win32)
------------------------------------------------------------------

I have only been able to log the following successfully in attack.log

<-snipped ip and time-> "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 805
<-snipped ip and time-> "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 805
<-snipped ip and time-> "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 805


The following is the relevant section of my .conf file.
-------------------------------------------------------------------
<-snipped .conf->
#
# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a <VirtualHost>
# container, error messages relating to that virtual host will be
# logged here.  If you *do* define an error logfile for a <VirtualHost>
# container, that host's errors will be logged there and not here.
#
ErrorLog logs/error.log

#
# LogLevel: Control the number of messages logged to the error.log.
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
#
LogLevel warn

#
# The following directives define some format nicknames for use with
# a CustomLog directive (see below).
#
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent

# <<<< NOTE >>>  I have used all kinds of combinations of the following entries
SetEnvIf Request_URI "^/scripts/root\.exe" dontlog
SetEnvIf Request_URI "^/scripts/root\.exe^" dontlog
SetEnvIf Request_URI "^MSADC/root\.exe^" dontlog
SetEnvIf Request_URI "^MSADC/root\.exe" dontlog
SetEnvIf Request_URI "^/[cd]/winnt/system32/cmd\.exe^" dontlog
SetEnvIf Request_URI "^/[cd]/winnt/system32/cmd\.exe" dontlog
SetEnvIf Request_URI "^/scripts/*/winnt/system32/cmd\.exe^" dontlog
SetEnvIf Request_URI "^/scripts/*/winnt/system32/cmd\.exe" dontlog
SetEnvIf Request_URI "^/_vti_bin/*/winnt/system32/cmd\.exe^" dontlog
SetEnvIf Request_URI "^/_vti_bin/*/winnt/system32/cmd\.exe" dontlog
SetEnvIf Request_URI "^/_mem_bin/*/winnt/system32/cmd\.exe^" dontlog
SetEnvIf Request_URI "^/_mem_bin/*/winnt/system32/cmd\.exe" dontlog
SetEnvIf Request_URI "^/winnt/system32/cmd\.exe^" dontlog
SetEnvIf Request_URI "^/winnt/system32/cmd\.exe" dontlog
SetEnvIf Request_URI "^/*/winnt/system32/cmd\.exe^" dontlog
SetEnvIf Request_URI "^/*/winnt/system32/cmd\.exe" dontlog
SetEnvIf Request_URI "^/default\.ida^" dontlog
SetEnvIf Request_URI "^/default\.ida" dontlog

#
# The location and format of the access logfile (Common Logfile Format).
# If you do not define any access logfiles within a <VirtualHost>
# container, they will be logged here.  Contrariwise, if you *do*
# define per-<VirtualHost> access logfiles, transactions will be
# logged therein and *not* in this file.
#
# <<<< NOTE >>>
# I have disabled the following line because I use the line below it instead
# Is this not correct?
#CustomLog logs/access.log common

CustomLog logs/access.log common env=!dontlog
CustomLog logs/attacks.log common env=dontlog

#
# If you would like to have agent and referer logfiles, uncomment the
# following directives.
#
CustomLog logs/referer.log referer
CustomLog logs/agent.log agent

#
# If you prefer a single logfile with access, agent, and referer information
# (Combined Logfile Format) you can use the following directive.
#
#CustomLog logs/access.log combined


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
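An added example, not part of the thread and not Apache's own code: a small Python script that replays the posted SetEnvIf/CustomLog logic against the request paths from the attack.log excerpt above. It uses Python's `re` as a stand-in for the PCRE engine Apache 2.0 uses for SetEnvIf (assumed equivalent for these simple patterns) and shows two things the thread does not spell out: a trailing `^` makes a pattern unmatchable and `^MSADC` cannot match a path that begins with `/`; and, more importantly, the `CustomLog logs/attacks.log common env=dontlog` line plus the unconditional referer.log and agent.log lines are exactly what keeps writing those requests to disk. The `FIXED_CONF` fragment is a suggested replacement I wrote for this example, not something from the post.

```python
"""Replay SetEnvIf/CustomLog routing from the thread against sample paths.

Added example (not from the thread). Apache evaluates SetEnvIf with PCRE;
Python's `re` is assumed to behave the same for these simple patterns.
"""
import re

# Constructed sample input: Request_URIs from the post's attack.log lines
# (query string removed, since SetEnvIf Request_URI never sees it), the
# MSADC and default.ida paths the posted rules name, and one benign page.
SAMPLE_URIS = [
    "/c/winnt/system32/cmd.exe",
    "/d/winnt/system32/cmd.exe",
    "/scripts/root.exe",
    "/MSADC/root.exe",
    "/default.ida",
    "/index.html",
]

# Subset of the lines from the post, chosen to show its three regex problems:
# a trailing "^" (never matches), a missing leading "/" (never matches a
# request path), and "/*", which means "zero or more slashes", not "any
# directory".  The CustomLog lines are copied as posted.
POSTED_CONF = r'''
SetEnvIf Request_URI "^/scripts/root\.exe^" dontlog
SetEnvIf Request_URI "^MSADC/root\.exe" dontlog
SetEnvIf Request_URI "^/scripts/*/winnt/system32/cmd\.exe" dontlog
SetEnvIf Request_URI "^/[cd]/winnt/system32/cmd\.exe" dontlog
SetEnvIf Request_URI "^/default\.ida" dontlog
CustomLog logs/access.log common env=!dontlog
CustomLog logs/attacks.log common env=dontlog
CustomLog logs/referer.log referer
CustomLog logs/agent.log agent
'''

# Hypothetical corrected fragment (my suggestion, not from the thread): one
# unanchored rule per worm artefact, every CustomLog gated on the variable,
# and no attacks.log at all.
FIXED_CONF = r'''
SetEnvIf Request_URI "/winnt/system32/cmd\.exe" dontlog
SetEnvIf Request_URI "/root\.exe" dontlog
SetEnvIf Request_URI "^/default\.ida" dontlog
CustomLog logs/access.log common env=!dontlog
CustomLog logs/referer.log referer env=!dontlog
CustomLog logs/agent.log agent env=!dontlog
'''

SETENVIF = re.compile(r'^\s*SetEnvIf\s+Request_URI\s+"([^"]+)"\s+(\S+)\s*$')
CUSTOMLOG = re.compile(r'^\s*CustomLog\s+(\S+)\s+\S+(?:\s+env=(!?)(\S+))?\s*$')


def parse_conf(text):
    """Return (rules, logs) from a config fragment.

    rules: list of (compiled_regex, varname) from SetEnvIf Request_URI lines
    logs:  list of (logfile, varname, negated); varname is None when the
           CustomLog has no env= condition.
    """
    rules, logs = [], []
    for line in text.splitlines():
        m = SETENVIF.match(line)
        if m:
            rules.append((re.compile(m.group(1)), m.group(2)))
            continue
        m = CUSTOMLOG.match(line)
        if m:
            logfile, neg, var = m.groups()
            logs.append((logfile, var, neg == "!"))
    return rules, logs


def env_for(uri, rules):
    """Environment variables mod_setenvif would set for this request path."""
    return {var for rx, var in rules if rx.search(uri)}


def log_targets(uri, conf_text):
    """Logfiles a request for `uri` would be written to under `conf_text`."""
    rules, logs = parse_conf(conf_text)
    env = env_for(uri, rules)
    targets = []
    for logfile, var, negated in logs:
        # unconditional log, env=VAR with VAR set, or env=!VAR with VAR unset
        if var is None or (var in env) != negated:
            targets.append(logfile)
    return targets


if __name__ == "__main__":
    for name, conf in (("posted", POSTED_CONF), ("fixed", FIXED_CONF)):
        print(f"--- {name} configuration ---")
        for uri in SAMPLE_URIS:
            print(f"{uri:30s} -> {log_targets(uri, conf) or ['(not logged)']}")
```

Run it as a script to see, for each path, which logfiles it lands in under each fragment: with the posted lines the cmd.exe probes go to attacks.log, referer.log and agent.log, and `/scripts/root.exe` and `/MSADC/root.exe` are not tagged at all and so end up in access.log; with the corrected fragment the worm probes are dropped from every log while `/index.html` is still recorded. Leaving the rules unanchored also covers the traversal variants the post lists under `/scripts/`, `/_vti_bin/` and `/_mem_bin/`, which the posted `/*` patterns never match.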


Re: Conditional Logging - Apache 2.0.28 - ignoring Nimda or Code Red

Posted by Irmund Thum <it...@it97.dyn.dhs.org>.
C.Hays wrote:

> Well, I can't help with the logging; however, a small script using sed will remove the entries from the existing logs.
> I have some entries I see all the time that I just remove and cp over to new logs, which are then parsed.
> Works like a charm.
> 
> good luck
> 
> On Sat, 2 Mar 2002 18:52:55 -0600
> "Bryan Henry" <br...@mail.utexas.edu> wrote:
> 
> 
>>I have been trying for two weeks to configure my Apache server
>>not to log all the cmd.exe and root.exe requests from a
>>Nimda or Code Red infected IIS machine.
>>
>>I definitely have read every FAQ entry and description in the manual
>>for setting SetEnvIf and CustomLog.  In addition, every suggestion I
>>find on the web is not working for me either.
>>
>>My goal is to not log any of these attacks; never seeing
>>these entries would make me very happy.
>>
>>thank you for the assistance,
>>~ b r y a n   h e n r y


This does the job for me, and also under Win you should be able to run a cron job
(winat, cron nt) and awk (or sed; look for cygwin):


# keep only lines that match none of the patterns (XXXXXX / NNNN stand for your own),
# then truncate the live log in place and copy the filtered lines back
awk '!/XXXXXX/ && !/NNNN/ && !/winnt\/system32/ && 
!/root\.exe\?\//{print} ' access_log > t;>access_log;cat t > access_log; rm t

-- 
_ ___
|  |  Irmund    Thum
|  |



Re: Conditional Logging - Apache 2.0.28 - ignoring Nimda or Code Red

Posted by "C.Hays" <me...@pconline.com>.
Well, I can't help with the logging; however, a small script using sed will remove the entries from the existing logs.
I have some entries I see all the time that I just remove and cp over to new logs, which are then parsed.
Works like a charm.

good luck




On Sat, 2 Mar 2002 18:52:55 -0600
"Bryan Henry" <br...@mail.utexas.edu> wrote:

> I have been trying for two weeks to configure my Apache server
> not to log all the cmd.exe and root.exe requests from a
> Nimda or Code Red infected IIS machine.
> 
> I definitely have read every FAQ entry and description in the manual
> for setting SetEnvIf and CustomLog.  In addition, every suggestion I
> find on the web is not working for me either.
> 
> My goal is to not log any of these attacks; never seeing
> these entries would make me very happy.
> 
> thank you for the assistance,
> ~ b r y a n   h e n r y
> 
> Running - Apache/2.0.28 (Win32)
> ------------------------------------------------------------------
> 
> I have only been able to log the following successfully in attack.log
> 
> <-snipped ip and time-> "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 805
> <-snipped ip and time-> "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 805
> <-snipped ip and time-> "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 805
> 
> 
> The following is the relevant section of my .conf file.
> -------------------------------------------------------------------
> <-snipped .conf->
> #
> # ErrorLog: The location of the error log file.
> # If you do not specify an ErrorLog directive within a <VirtualHost>
> # container, error messages relating to that virtual host will be
> # logged here.  If you *do* define an error logfile for a <VirtualHost>
> # container, that host's errors will be logged there and not here.
> #
> ErrorLog logs/error.log
> 
> #
> # LogLevel: Control the number of messages logged to the error.log.
> # Possible values include: debug, info, notice, warn, error, crit,
> # alert, emerg.
> #
> LogLevel warn
> 
> #
> # The following directives define some format nicknames for use with
> # a CustomLog directive (see below).
> #
> LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
> LogFormat "%h %l %u %t \"%r\" %>s %b" common
> LogFormat "%{Referer}i -> %U" referer
> LogFormat "%{User-agent}i" agent
> 
> # <<<< NOTE >>>  I have used all kinds of combinations of the following entries
> SetEnvIf Request_URI "^/scripts/root\.exe" dontlog
> SetEnvIf Request_URI "^/scripts/root\.exe^" dontlog
> SetEnvIf Request_URI "^MSADC/root\.exe^" dontlog
> SetEnvIf Request_URI "^MSADC/root\.exe" dontlog
> SetEnvIf Request_URI "^/[cd]/winnt/system32/cmd\.exe^" dontlog
> SetEnvIf Request_URI "^/[cd]/winnt/system32/cmd\.exe" dontlog
> SetEnvIf Request_URI "^/scripts/*/winnt/system32/cmd\.exe^" dontlog
> SetEnvIf Request_URI "^/scripts/*/winnt/system32/cmd\.exe" dontlog
> SetEnvIf Request_URI "^/_vti_bin/*/winnt/system32/cmd\.exe^" dontlog
> SetEnvIf Request_URI "^/_vti_bin/*/winnt/system32/cmd\.exe" dontlog
> SetEnvIf Request_URI "^/_mem_bin/*/winnt/system32/cmd\.exe^" dontlog
> SetEnvIf Request_URI "^/_mem_bin/*/winnt/system32/cmd\.exe" dontlog
> SetEnvIf Request_URI "^/winnt/system32/cmd\.exe^" dontlog
> SetEnvIf Request_URI "^/winnt/system32/cmd\.exe" dontlog
> SetEnvIf Request_URI "^/*/winnt/system32/cmd\.exe^" dontlog
> SetEnvIf Request_URI "^/*/winnt/system32/cmd\.exe" dontlog
> SetEnvIf Request_URI "^/default\.ida^" dontlog
> SetEnvIf Request_URI "^/default\.ida" dontlog
> 
> #
> # The location and format of the access logfile (Common Logfile Format).
> # If you do not define any access logfiles within a <VirtualHost>
> # container, they will be logged here.  Contrariwise, if you *do*
> # define per-<VirtualHost> access logfiles, transactions will be
> # logged therein and *not* in this file.
> #
> # <<<< NOTE >>>
> # I have disabled the following line because I use the line below it instead
> # Is this not correct?
> #CustomLog logs/access.log common
> 
> CustomLog logs/access.log common env=!dontlog
> CustomLog logs/attacks.log common env=dontlog
> 
> #
> # If you would like to have agent and referer logfiles, uncomment the
> # following directives.
> #
> CustomLog logs/referer.log referer
> CustomLog logs/agent.log agent
> 
> #
> # If you prefer a single logfile with access, agent, and referer information
> # (Combined Logfile Format) you can use the following directive.
> #
> #CustomLog logs/access.log combined
> 
> 


-- 
Key fingerprint = C868 0131 8B45 6267 0B5F  3FE6 F39A E607 5B1D 0F82


