Re: nimbda and other apache attacks

From: Peter H. Lemieux (
Date: 10/25/01

Date: Thu, 25 Oct 2001 13:35:04 -0400
From: "Peter H. Lemieux" <>
To: Brian Clifton <>
Subject: Re: nimbda and other apache attacks

> The thing I haven't figured out is why Nimbda attacks on "cmd.exe" are being
> logged in both httpd_log and error_log files? I would have thought
> apache would put all this into error_log??

The infected machine does a "GET ...cmd.exe..." which, like any request,
gets logged to TransferLog. Then the "file not found" error that's
generated is logged to ErrorLog. This is Apache's normal behavior when
it receives a request for a file it can't return.

> However, the issue is that I have a number of http_log and error_log
> files and all require this setup (plus combinations of other attacks)
> and are also all being rotated with logrotate - starts to get messy!

To filter your logs, you'll want to use SetEnvIf to identify attacks,
then use a CustomLog statement to redirect the log entries somewhere
else. Something like [not guaranteed :)]

SetEnvIf Request_URI "cmd\.exe" ATTACK
SetEnvIf Request_URI "root\.exe" ATTACK
CustomLog /path/to/attack.log common env=ATTACK
CustomLog /path/to/transfer.log common env=!ATTACK

This should redirect any GETs that include requests for either cmd.exe
or root.exe to attack.log while sending all normal requests to
transfer.log (both in the "common" log format). You might want to
construct similar redirections for ErrorLog. You'll obviously need one
of these specifications for any IP-based virtual host with a unique log
that you want to filter. ("Name" virtual hosts generally won't see any
attacks since the worm uses IP addresses, not virtual hostnames.) This
will keep the attacks out of your normal logs.

If you're counting infection attempts, you'll still have the problem of
handling multiple requests from the same infected host. Each host makes
at least two requests per attempt and often makes multiple attempts over
a period of days. Some strains of the virus seem very insistent. I have
some entries where the same host tried dozens of times over three or
four days.

I find the page a
useful item to keep in my bookmarks. Tough reading, though!
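The SetEnvIf/CustomLog split above happens inside Apache; for logs that have already been written (or rotated away), the same separation and the per-host collapsing described in the reply can be done offline. The script below is an added example, not part of the original message: it parses "common" format lines, routes them to an attack or normal bucket using the same two patterns as the SetEnvIf rules, and then counts probes per source host, number of distinct days, and first/last sighting so that a host retrying for days is counted once rather than dozens of times. The log lines it runs on are constructed sample data; the module and function names are mine.

```python
"""Split Apache "common" format log lines into worm probes vs. normal traffic
and collapse repeated probes per source host.

Added example, not code from the original message. SAMPLE_LOG below is
constructed; ATTACK_PATTERNS mirror the two SetEnvIf rules in the reply.
"""
import re
from datetime import datetime

# Equivalent of:  SetEnvIf Request_URI "cmd\.exe" ATTACK / "root\.exe" ATTACK
ATTACK_PATTERNS = [re.compile(r"cmd\.exe"), re.compile(r"root\.exe")]

# Apache "common" log format: host ident user [time] "request" status bytes
COMMON_LOG = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

# Constructed sample lines (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = """\
192.0.2.10 - - [25/Oct/2001:13:35:04 -0400] "GET /scripts/root.exe HTTP/1.0" 404 276
192.0.2.10 - - [25/Oct/2001:13:35:05 -0400] "GET /scripts/cmd.exe HTTP/1.0" 404 276
198.51.100.7 - - [25/Oct/2001:14:02:11 -0400] "GET /index.html HTTP/1.1" 200 1043
192.0.2.10 - - [27/Oct/2001:02:10:40 -0400] "GET /scripts/root.exe HTTP/1.0" 404 276
203.0.113.4 - - [27/Oct/2001:09:00:00 -0400] "GET /scripts/cmd.exe HTTP/1.0" 404 276
this line is not a log entry
""".splitlines()


def parse_line(line):
    """Return the fields of one common-format line, or None if it does not parse."""
    m = COMMON_LOG.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    parts = fields["request"].split()
    # request is "METHOD URI PROTOCOL"; keep the raw string if it is malformed
    fields["uri"] = parts[1] if len(parts) >= 2 else fields["request"]
    fields["when"] = datetime.strptime(fields["time"], "%d/%b/%Y:%H:%M:%S %z")
    return fields


def is_attack(uri):
    """True when the request URI matches any of the worm probe patterns."""
    return any(p.search(uri) for p in ATTACK_PATTERNS)


def split_log(lines):
    """Separate entries the way CustomLog env=ATTACK / env=!ATTACK would.

    Unparseable lines are dropped rather than silently filed as normal traffic.
    """
    attack, normal = [], []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        (attack if is_attack(entry["uri"]) else normal).append(entry)
    return attack, normal


def count_attempts(attack_entries):
    """Collapse probes per host: request count, distinct days, first/last seen.

    An infected host sends several requests per attempt and may retry for days,
    so counting raw lines overstates the number of infected hosts.
    """
    per_host = {}
    for e in attack_entries:
        h = per_host.setdefault(
            e["host"], {"requests": 0, "days": set(), "first": e["when"], "last": e["when"]}
        )
        h["requests"] += 1
        h["days"].add(e["when"].date())
        h["first"] = min(h["first"], e["when"])
        h["last"] = max(h["last"], e["when"])
    return {
        host: {
            "requests": v["requests"],
            "days": len(v["days"]),
            "first": v["first"].isoformat(),
            "last": v["last"].isoformat(),
        }
        for host, v in per_host.items()
    }


if __name__ == "__main__":
    attacks, normal = split_log(SAMPLE_LOG)
    print(f"{len(attacks)} probe lines, {len(normal)} normal lines")
    for host, stats in count_attempts(attacks).items():
        print(host, stats)
```

Feeding real files in is a matter of replacing SAMPLE_LOG with `open(path)`; because the patterns are the same ones the SetEnvIf rules use, the offline split agrees with what Apache would have written to attack.log, and the per-host summary gives the "one infected host, many lines" view the reply says a naive line count misses.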