I have been trying this stuff for over a year and finally decided I was fed up with it and am going to post.
I found one syntax that seems to work for a few minutes, but I am not sure why it stops. One thing I have it set up for is to nolog my IP address; this works once, then any subsequent hits are fully logged.
This is the only one that I can seem to get close to working.
Please keep in mind that I really don't know what I am doing here, just copy-pasting the info into my conf file:
LogFormat "%h %l %u %t \"%!414r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
# Windows Media attack
SetEnvIf Request_URI "nsiislog\.dll(.*)$" nolog
# Code Red
SetEnvIf Request_URI "^/default\.(ida|idq)(.*)$" nolog
# Nimda
SetEnvIf Request_URI "(cmd|root|shell)\.exe(.*)$" nolog
SetEnvIf Request_URI "(admin|httpodbc)\.dll(.*)$" nolog
# Proxy scan
SetEnvIf Request_URI "prxjdg\.cgi" nolog
# Don't log local requests (anchored so only 127.0.0.1 itself matches)
SetEnvIf Remote_Addr "^127\.0\.0\.1$" nolog
# The nolog variable only takes effect if the CustomLog directive that writes the
# access log carries env=!nolog; the log path here is a placeholder for your own.
CustomLog logs/access_log combined env=!nolog
If an .htaccess can stop it, that would be great. I just don't want to see anything in my logs that I don't need to see.
May I ask why you DON'T want to log these attacks? Admittedly, they are pretty common (we get 1-2 dozen of them each day), but I certainly WANT to know about them!
I would be VERY reluctant to exclude ANYTHING from my logs! I toyed with the idea of excluding local access, but decided against it.
Your logs are the lifebeat of your server, and I'm sure I want to monitor EVERY bit of it. And it can be forensic data as well...
That's the simple answer.
I say this knowing that I risk some karmic retribution, but it is run off of my home server and I feel pretty safe that since these attacks are geared towards Windows machines, they are harmless to my Mac. I also have NetBarrier, which logs all of these. I check the Apache logs much more than the NetBarrier logs (if I ever look at them). If I could figure out how to block this stuff with NetBarrier, I would do that too.
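As an added example that is not from either poster: a middle path between the first post (suppress the worm hits at logging time) and the reply (keep everything as forensic data) is to log everything and separate the noise when reading the file. The script below parses the combined format produced by the LogFormat in the first post, applies the same Request_URI patterns that post assigns to nolog (Apache matches those against the path without the query string, which the script mirrors), and sorts lines into buckets. The log lines, addresses and timestamps are constructed sample data, not real traffic.

```python
import re

# Constructed sample lines in Apache "combined" format (not real log data).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2003:10:01:02 -0500] "GET /scripts/nsiislog.dll HTTP/1.0" 404 290 "-" "-"
10.0.0.6 - - [12/Mar/2003:10:01:07 -0500] "GET /default.ida?XXXX HTTP/1.0" 404 290 "-" "-"
10.0.0.7 - - [12/Mar/2003:10:02:15 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 290 "-" "-"
10.0.0.8 - - [12/Mar/2003:10:03:44 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 290 "-" "-"
127.0.0.1 - - [12/Mar/2003:10:04:00 -0500] "GET /index.html HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
192.168.1.20 - - [12/Mar/2003:10:05:31 -0500] "GET /photos/ HTTP/1.1" 200 8842 "http://example.invalid/" "Mozilla/5.0"
"""

# The same URI patterns the first post feeds to SetEnvIf ... nolog.
NOISE_PATTERNS = [
    re.compile(r"nsiislog\.dll"),          # Windows Media attack
    re.compile(r"^/default\.(ida|idq)"),   # Code Red
    re.compile(r"(cmd|root|shell)\.exe"),  # Nimda
    re.compile(r"(admin|httpodbc)\.dll"),  # Nimda
    re.compile(r"prxjdg\.cgi"),            # proxy scan
]

# Addresses the first post treats as "local" via Remote_Addr.
LOCAL_ADDRS = {"127.0.0.1"}

# One line of the "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = rec["request"].split(" ")
    # Request_URI as SetEnvIf sees it: the path only, without the query string.
    rec["uri"] = parts[1].split("?", 1)[0] if len(parts) >= 2 else ""
    return rec


def classify(rec):
    """Bucket a parsed record the way the first post's SetEnvIf rules would."""
    if rec["host"] in LOCAL_ADDRS:
        return "local"
    for pat in NOISE_PATTERNS:
        if pat.search(rec["uri"]):
            return "worm-noise"
    return "keep"


def split_log(text):
    """Sort raw log text into keep / worm-noise / local / unparsed buckets."""
    buckets = {"keep": [], "worm-noise": [], "local": [], "unparsed": []}
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            buckets["unparsed"].append(line)
            continue
        buckets[classify(rec)].append(line)
    return buckets


if __name__ == "__main__":
    result = split_log(SAMPLE_LOG)
    for name, lines in result.items():
        print(f"{name}: {len(lines)}")
    print("\nLines worth a human look:")
    for line in result["keep"]:
        print(line)
```

The access log itself stays complete, so the worm hits are still there if a machine later turns out not to have been harmless to them; only the view you look at day to day is filtered.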