While Code Red and Nimda have stopped being majorly annoying, I still get hit by infected computers looking to infect my Apache web server. Ha! Good luck. Not gonna happen. What it does do, however, is clog up my log files.
What I've done is take advantage of Apache's SetEnvIf and conditional CustomLog support: tag each worm request with an environment variable, then log those requests elsewhere:
# Code Red probes /default.ida with a long query string
# (dot escaped so the regex matches only the literal name)
SetEnvIf Request_URI "^/default\.ida" iisworm
# Nimda: every one of the prefixes below is a Nimda probe path
SetEnvIf Request_URI "^/scripts" iisworm
SetEnvIf Request_URI "^/c/winnt" iisworm
SetEnvIf Request_URI "^/_mem_bin" iisworm
SetEnvIf Request_URI "^/_vti_bin" iisworm
# SetEnvIf matching is case-sensitive, hence both spellings
# (SetEnvIfNoCase would collapse these two lines into one)
SetEnvIf Request_URI "^/MSADC" iisworm
SetEnvIf Request_URI "^/msadc" iisworm
SetEnvIf Request_URI "^/d/winnt" iisworm
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%v %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" virt_host_combined
CustomLog /usr/local/apache/var/log/www/access_log combined env=!iisworm
CustomLog /usr/local/apache/var/log/iisworm.log virt_host_combined env=iisworm
So real hits get logged as normal, and any IIS-worm-related hits get logged elsewhere. Two caveats: the patterns are prefix matches, so if one of your sites really serves something under /scripts, those legitimate hits vanish into iisworm.log too (add a later "SetEnvIf Request_URI ... !iisworm" line to clear the variable for the real paths, since later SetEnvIf directives override earlier ones); and this only reroutes access_log entries, since Apache still writes a "File does not exist" line to error_log for each 404 these probes produce.
What's great about this method is that it allows me to define the environment variables once, in the main server config, and then use them in every VirtualHost I have defined. The virt_host_combined format adds %v, the name of the VirtualHost that took the hit, so the single iisworm.log shows which site each probe was aimed at.
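As an added example (not from the original post), here is a small Python script that applies the same eight patterns to combined-format access log lines, which is handy for splitting a log written before the CustomLog change. The sample log lines are constructed for this example, and the request path is pulled from the "%r" field the way SetEnvIf Request_URI sees it (no query string). It also shows the prefix-match caveat: a legitimate /scripts/menu.js is routed to the worm log.

```python
import re

# The same anchored prefix patterns as the SetEnvIf lines above.
# The dot in default.ida is escaped so it matches only a literal dot.
IISWORM_PATTERNS = [
    r"^/default\.ida",   # Code Red
    r"^/scripts",        # Nimda, all of the following
    r"^/c/winnt",
    r"^/_mem_bin",
    r"^/_vti_bin",
    r"^/MSADC",
    r"^/msadc",
    r"^/d/winnt",
]
_IISWORM_RE = re.compile("|".join(IISWORM_PATTERNS))

# Apache "combined" format:
# %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
_COMBINED_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG_LINES = [
    '203.0.113.5 - - [11/Nov/2003:11:21:00 -0500] "GET /index.html HTTP/1.1" 200 3281 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [11/Nov/2003:11:21:03 -0500] "GET /default.ida?XXXXXXXXXXXX%u9090%u6858%ucbd3 HTTP/1.0" 404 277 "-" "-"',
    '198.51.100.9 - - [11/Nov/2003:11:21:04 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 275 "-" "-"',
    '198.51.100.9 - - [11/Nov/2003:11:21:04 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 282 "-" "-"',
    '203.0.113.5 - - [11/Nov/2003:11:21:07 -0500] "GET /scripts/menu.js HTTP/1.1" 200 912 "http://example.com/" "Mozilla/5.0"',
    '203.0.113.5 - - [11/Nov/2003:11:21:09 -0500] "GET /about/ HTTP/1.1" 200 1502 "-" "Mozilla/5.0"',
]


def request_uri(request_line):
    """Return the path of an HTTP request line without the query string,
    which is what SetEnvIf Request_URI matches against."""
    parts = request_line.split(" ")
    if len(parts) < 2:
        return ""
    return parts[1].split("?", 1)[0]


def is_iisworm(uri):
    """True if the path would set the iisworm variable under the config above."""
    return _IISWORM_RE.match(uri) is not None


def split_log(lines):
    """Route lines the way the two CustomLog directives do.

    Returns (access_lines, iisworm_lines). Lines that do not parse as
    combined format stay in the access list rather than being dropped.
    """
    access, worm = [], []
    for line in lines:
        m = _COMBINED_RE.match(line)
        if m and is_iisworm(request_uri(m.group("request"))):
            worm.append(line)
        else:
            access.append(line)
    return access, worm


if __name__ == "__main__":
    access, worm = split_log(SAMPLE_LOG_LINES)
    print("access_log  : %d lines" % len(access))
    print("iisworm.log : %d lines" % len(worm))
    for line in worm:
        print("  worm ->", request_uri(_COMBINED_RE.match(line).group("request")))
```

Run against a real access_log by feeding open(path) to split_log and writing each list to its own file; the "/scripts/menu.js" hit landing in the worm list is exactly the prefix-match problem to watch for before trusting the split.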
Posted by mark at November 11, 2003 11:21 AM