Welcome to WebmasterWorld Guest from 18.104.22.168
Sorry for the rant, real question. My logs are getting really big and I have a limited upwards bandwith by using my personal cable modem to serve web pages. I found the discussion that took place on this forum in Sept 2001 and a suggestion was given to do the following.
This is the previous thread:
So were does the following code go? Is this something in html that I don't recognize or something in Apache conf file?
If I miss read the previous post than I pose this question.
What are people doing? Cleaning there logs or blocking the IP addresses as they get hit?
SetEnvIfNoCase Request_URI "^/default.ida" ban
SetEnvIfNoCase Request_URI "^/scripts" ban
SetEnvIfNoCase Request_URI "^/c/winnt" ban
SetEnvIfNoCase Request_URI "^/_mem_bin" ban
SetEnvIfNoCase Request_URI "^/_vti_bin" ban
SetEnvIfNoCase Request_URI "^/msadc" ban
SetEnvIfNoCase Request_URI "^/d/winnt" ban
<Limit GET POST>
deny from env=ban
allow from all
All requests to Apache are logged so they will appear in your access_log.
Key_Master's suggestion is half way to a solution but it won't block the requests or prevent them from being logged. It only assigns an environment variable ban to them and logs 403 errors.
We need to configure Apache to prevent logging of them. To do this add env=!ban to the end of your CustomLog directive in httpd.conf
These are a couple of examples.
CustomLog logs/access_log combined env=!ban
CustomLog /home/mysite/logs/access_log combined env=!ban
Apache needs to be restarted for this to work. Now all these junk requests will not be logged to access_log but they will still appear in your error_log.
If your not sure where httpd.conf is, type locate httpd.conf and the full path should be displayed.
Before editing httpd.conf MAKE A BACKUP Even a small typo error will prevent Apache from restarting
Also, you should put the SetEnvIf directives in httpd.conf or srm.conf instead of .htaccess for the Nimda/Code Red requests.
All the Nimda requests end with either
root.exe or cmd.exe
so this is all that is needed in srm.conf or httpd.conf
SetEnvIf Request_URI (.*)cmd\.exe ban
SetEnvIf Request_URI (.*)root\.exe ban
SetEnvIf Request_URI \.ida(.*)$ ban
More info can be found at
Not necessarily a good assumption. If you do an analysis of incoming IP numbers from "average" (that is, pre-Code Red/Nimda) surfers, you will discover that the breakdown by Class A IP quad is extremely uneven from 0 to 255.
I did such an analysis, prior to the Code Red onslaught last summer. Based on a sample of over 100,000, over one third of the Class A were close to zero hits, over one third were fairly low, and less than one third were very high.
The distribution is very, very uneven. That's why Code Red didn't propagate as fast as Nimda. In Code Red, the IP number targeted by infected machies was generated randomly. Two-thirds of its effort was wasted on Class As that didn't go hardly anywhere.
Starting with Nimda, the IP generation routine gave heavy priority to the Class A of the machine that was infected. That neatly solved the problem of wasted attacks, as the outgoing attacks were now proportional to the actual Class As in use on the Internet.
Therefore, Nimda propagated much more quickly than Code Red. Almost all the probes you see will be from your same Class A, because all the virus writers from here on out will not be repeating the mistake of generating the attack IPs using a random generator.
I want to shut down the server that
keeps nimda'ing me.
Is this possible? If so how do I do it,
I can't stand these bad hits anymore.
If no one knows the answer, where might
I find it?
I search all over google and
there is no information.