Re: Apache logs and Nimda

From: David Correa (tech@linux-tech.com)
Date: 09/19/01


Date: Wed, 19 Sep 2001 11:24:31 -0700 (PDT)
From: David Correa <tech@linux-tech.com>
To: <security-discuss@linuxsecurity.com>
Subject: Re: Apache logs and Nimda
Message-ID: <Pine.LNX.4.32.0109191113010.11923-100000@yunque.10.10.10.254>



Hi,

I implemented this fix and it has stopped the flood. Thanks! ;)

I have only seen one entry since I applied the fix:
"GET /default.ida?XXXXXXX .....

So I added (just in case) a line with:
Redirect gone /default.ida?
Not sure why the "?" is needed, but it *seems* like it worked.

I have not seen that request again in the log since (or the others).
It has only been a few minutes since I implemented the fix but I can see
the difference.

Thank You,

david

On Wed, 19 Sep 2001 scott.dexter@ingenta.com wrote:
> *nod* a day of digging through Apache docs and tinkering. Now, who do I
> bill for my time? MS? :)
>
> Scott
>
> Patrick Duane Dunston wrote:
> >
> > NICE!!! This works beautifully. Thanks!!
> >
> > > I have been adding directives like these to cut down on the log size:
> > >
> > > SetEnvIfNoCase Request_URI "^/scripts/" nolog
> > > SetEnvIfNoCase Request_URI "^/msadc/" nolog
> > > SetEnvIfNoCase Request_URI "^/_vti_bin/" nolog
> > > SetEnvIfNoCase Request_URI "^/_mem_bin/" nolog
> > > SetEnvIfNoCase Request_URI "^/c/winnt/" nolog
> > > SetEnvIfNoCase Request_URI "^/d/winnt/" nolog
> > > SetEnvIfNoCase Request_URI "^/default.ida" nolog
> > > Redirect gone /scripts/
> > > Redirect gone /msadc/
> > > Redirect gone /_vti_bin/
> > > Redirect gone /_mem_bin/
> > > Redirect gone /c/winnt/
> > > Redirect gone /d/winnt/
> > > Redirect gone /default.ida
> > >
> > > Now add "env=!nolog" to the end of your CustomLog directive, like this:
> > >
> > > CustomLog /usr/local/apache/logs/access_log common env=!nolog

David Correa RHCE CCNA
tech@linux-tech.com
http://www.linux-tech.com
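An added example, not part of the original thread: a Python model of the quoted `SetEnvIfNoCase ... nolog` rules, for checking against an existing access log which lines `env=!nolog` would drop and which clients sent them. It assumes Common Log Format and that `Request_URI` is matched without the query string; the function names and the sample log lines are constructed for illustration.

```python
import re
from collections import Counter

# Prefix patterns taken from the quoted directives; SetEnvIfNoCase matches
# them case-insensitively, so the model does too.
NOLOG_PATTERNS = [r"^/scripts/", r"^/msadc/", r"^/_vti_bin/", r"^/_mem_bin/",
                  r"^/c/winnt/", r"^/d/winnt/", r"^/default.ida"]
NOLOG_RES = [re.compile(p, re.IGNORECASE) for p in NOLOG_PATTERNS]

# Common Log Format: host ident user [time] "method target proto" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(?:\S+) (\S+)[^"]*" (\d{3}) \S+$')

def request_path(target):
    """Assumption: the matched Request_URI excludes the query string."""
    return target.split("?", 1)[0]

def is_nolog(target):
    """True if the request target would get the nolog variable set."""
    path = request_path(target)
    return any(r.search(path) for r in NOLOG_RES)

def split_log(lines):
    """Return (lines still logged, Counter of suppressed hits per client)."""
    kept, suppressed = [], Counter()
    for line in lines:
        m = CLF.match(line)
        if m and is_nolog(m.group(2)):
            suppressed[m.group(1)] += 1
        else:
            kept.append(line)  # unparsable lines are kept, never dropped
    return kept, suppressed

# Constructed sample lines (documentation addresses, made-up file names).
SAMPLE = [
    '192.0.2.10 - - [19/Sep/2001:11:02:13 -0700] "GET /scripts/example.exe?x=1 HTTP/1.0" 410 276',
    '192.0.2.10 - - [19/Sep/2001:11:02:14 -0700] "GET /MSADC/example.exe?x=1 HTTP/1.0" 410 274',
    '198.51.100.7 - - [19/Sep/2001:11:03:40 -0700] "GET /default.ida?XXXXXXX HTTP/1.0" 410 270',
    '203.0.113.5 - - [19/Sep/2001:11:04:02 -0700] "GET /index.html HTTP/1.0" 200 1456',
    '203.0.113.5 - - [19/Sep/2001:11:04:05 -0700] "GET /docs/scripts/howto.html HTTP/1.0" 200 2210',
]

if __name__ == "__main__":
    kept, suppressed = split_log(SAMPLE)
    print("still logged:", len(kept))
    for client, hits in suppressed.most_common():
        print("suppressed", hits, "from", client)
```

The per-client tally is the information the access log no longer holds once the `nolog` rules are active, so it is worth capturing before enabling them.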
