Re: Strings to search for in Apache Access log
From: ujay (ujay50-NOSPAM-@shaw.ca) Date: 03/03/02
- Previous message: Dimitri Maziuk: "Re: Strings to search for in Apache Access log"
- In reply to: Michael Heiming: "Re: Strings to search for in Apache Access log"
- Next in thread: Dimitri Maziuk: "Re: Strings to search for in Apache Access log"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: ujay <ujay50-NOSPAM-@shaw.ca> Date: Sun, 03 Mar 2002 17:30:17 GMT
Michael Heiming wrote:
> Kenneth Downs (<1128794.67uLZWGnKm@bullseye>):
>
>
>>Greetings!
>>
>>This is my first post to COLS, though I have been lurking here for
>>a couple of weeks now.
>>
>>I am a Linux newbie, though an extremely enthusiastic one. I have
>>been immersing myself in Linux for over 2 months now, and happy to
>>say that everything is really starting to make sense.
>>
>>I have a question about where I can find information on useful
>>strings to search for in my Apache access log. Right now it contains
>>half a meg or so of /MSADC/root.exe and /c/winnt/system32/cmd.exe
>>entries, which apparently are Code Red attempts.
>>
>>Anyway, the log is so choked with these Win crack attempts that a
>>manual scan for Linux-specific attempts is useless. Therefore, I am
>>looking for a resource that can give me more info on what to
>>search for to see if anyone is trying something that is more
>>dangerous to me.
>>
>>Also, I suppose I might ask, is this even the right question to
>>ask? :)
>>
>>Any links, advice on what I should be asking, redirections, etc.,
>>is more than welcome, TIA...
>>
>
> Don't know if this still works, posted this about a year ago, when
> many people complained about Nimda/Code Red crap in Apache's
> access_log, you may have to change /XXXXXX/ to /MSADC\/root.exe/ to
> clean out your apache log with this one! liner, better try on a
> copy of access_log first.
>
> awk '!/XXXXXX/ && !/NNNN/ {print}' access_log > t;>access_log;cat t > access_log; rm t
>
> Michael Heiming
> --
> Remove the +SIGNS case mail bounces.
>
I recall seeing that post, and incorporated it into a script to allow
clearing of unwanted log entries.
#!/bin/sh
# clearlogtext logfile text: drop every line of logfile matching the awk regex in text.
if [ $# != 2 ] ; then
  echo "syntax: $0 logfile text"
else
  t=$(mktemp) || exit 1
  # Pattern arrives via the environment so awk sees it verbatim (no shell splicing into the
  # program, no -v escape processing); truncate-and-refill keeps the inode Apache has open.
  PAT="$2" awk '$0 !~ ENVIRON["PAT"] {print}' "$1" > "$t"; >"$1"; cat "$t" > "$1"; rm -f "$t"
fi
I called it clearlogtext, placed it in /usr/sbin, and then placed the
following lines in a script called /etc/cron.hourly/cleanIIScrap
#!/bin/sh
# Patterns are single-quoted so the backslash reaches awk and the dot is matched literally.
/usr/sbin/clearlogtext /var/log/httpd/access_log '\.exe'
/usr/sbin/clearlogtext /var/log/httpd/access_log winnt
/usr/sbin/clearlogtext /var/log/httpd/error_log '\.exe'
/usr/sbin/clearlogtext /var/log/httpd/error_log winnt
/usr/sbin/clearlogtext /var/log/httpd/access_log '\.ida'
which gets rid of those annoying entries.
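Editor's added example, not code from this thread or from either poster: the same triage done without rewriting the live log. Truncating and refilling access_log drops any request Apache appends between the two steps and destroys the raw record you would want later, so this script reads the log, filters out the IIS worm noise, and then flags the requests that matter on a Unix host (traversal, /etc/passwd, the classic CGI probes). Both pattern lists and the embedded sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (editor's, not from this thread): triage access_log without
# rewriting it. Step 1 drops IIS worm noise, step 2 flags requests that matter
# on a Unix host. Both pattern lists are assumptions for illustration.

# Extended regexes for Code Red / Nimda style probes aimed at IIS.
NOISE='(root\.exe|cmd\.exe|default\.ida|/winnt/|/msadc/|/_vti_bin/|/_mem_bin/)'

# Worth a second look on a Linux box: traversal, /etc/passwd, old CGI probes.
SUSPECT='(\.\./|%2e%2e|/etc/passwd|/cgi-bin/(phf|test-cgi|formmail))'

# Print every line of the log that is not IIS worm noise.
strip_iis_noise() {
    grep -Eiv "$NOISE" "$1"
}

# Of the remaining lines, print only those matching the suspect patterns.
flag_suspects() {
    strip_iis_noise "$1" | grep -Ei "$SUSPECT"
}

# Count suspect requests per client address, busiest first.
suspects_by_client() {
    flag_suspects "$1" | awk '{print $1}' | sort | uniq -c | sort -rn
}

# Write a constructed sample log (fake addresses, 2002-era probes) and print its path.
make_sample_log() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
10.0.0.1 - - [03/Mar/2002:10:00:01 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276
10.0.0.2 - - [03/Mar/2002:10:00:02 +0000] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 276
10.0.0.3 - - [03/Mar/2002:10:00:03 +0000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276
10.0.0.4 - - [03/Mar/2002:10:00:04 +0000] "GET /default.ida?NNNNNNNNNNNNNNNN HTTP/1.0" 404 276
10.0.0.5 - - [03/Mar/2002:10:00:05 +0000] "GET /index.html HTTP/1.0" 200 1043
10.0.0.6 - - [03/Mar/2002:10:00:06 +0000] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 404 276
10.0.0.6 - - [03/Mar/2002:10:00:07 +0000] "GET /../../../etc/passwd HTTP/1.0" 400 226
EOF
    echo "$f"
}

# Usage: sh triage.sh [access_log]; with no argument the constructed sample is used.
LOG=${1:-$(make_sample_log)}
echo "== left after dropping IIS worm noise =="
strip_iis_noise "$LOG"
echo "== of those, suspect requests per client =="
suspects_by_client "$LOG"
```

Run it against a copy of /var/log/httpd/access_log (or the live file, since it only reads) to get the Linux-relevant residue the original poster was after; the noise list is the thing to extend as new worm signatures show up, and the raw log stays intact for later investigation.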
- Next message: Steve Cowles: "Re: Strings to search for in Apache Access log"