
Re: [cobalt-users] NIMDA



on 30/9/2001 10:39 AM, Carrie Bartkowiak at ravencarrie@xxxxxxxx wrote:

> On Sun, 30 Sep 2001 10:09:13 +0300, Mustafa Cavcar mumbled something like:
>>> How are we going to stop these NIMDA attacks filling logs?
> 
> Quite honestly, the only thing I can think of is to unplug the server. Maybe
> contacting your upstream provider might help, if they can block the traffic at
> the router, but since they're normal web requests (from what I gather; I
> wasn't getting mail for the big Nimda discussion) you can't block them and
> can't stop them from getting recorded in your logs.

Well, in my opinion, this is not absolutely correct. What you can do is (as an
example) this:

1. Give something out when somebody requests .exe, .dll, or .ida files.
    (you can do this using mod_rewrite)

####### Worm Catch #######
RewriteEngine on
# Nimda Worm!
# This rule must be on a single line.
# (exe|dll|ida) is an alternation of the three extensions; [exe|dll|ida]
# would be a character class matching one single letter.
RewriteRule   ^/(.*)\.(exe|dll|ida)  /YourDirectory/WormCatch/Nimda-Worm.pl [T=application/x-httpd-cgi,L]
<Directory "/YourDirectory/WormCatch">
AllowOverride None
Options ExecCGI
Order allow,deny
Allow from all
</Directory>
###### / Worm Catch ######

The script Nimda-Worm.pl could be only this:
---
#!/usr/bin/perl

print "content-type: text/html\n\n";
print "Sorry!\n";
---

With this first step, you stop the worm logging as "File does not exist" in
your error log.

Note: you don't necessarily need a Perl script. I use one because I add more
code to count the hits on a file (like a visitors counter).

2. Don't log the requests together in the main file, but in a specific file
(only for Worm requests):

# Mark requests for the .exe .dll or .ida files
# (alternation with parentheses, not a character class with brackets)
SetEnvIf Request_URI "^.*\.(exe|dll|ida).*" dontlog
# Worm Logs
CustomLog /YourDirectory/WormCatch/access_log combined env=dontlog
# Normal Logs
CustomLog /YourDirectory/logs/access_log combined env=!dontlog

Then, you can analyze this specific log (or throw it away if you are not
interested in statistics!)

Both steps are done in your httpd.conf file.

With these steps, your question about "stop these NIMDA attacks filling
logs" is solved, I guess!

Regards,
Tomás


+--                                         --+
       Tomás García Ferrari
       Bigital
       http://bigital.com/
+--                                         --+
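An added example (not part of the original mail or its configuration) that replays the step-2 routing decision in Python over a handful of constructed request URIs: it compares the bracket form `[exe|dll|ida]` as written in the mail with the alternation form `\.(exe|dll|ida)` and lists the ordinary requests the bracket form would divert into the worm log.

```python
import re

# Bracket form as written in the mail: square brackets make a character
# class, so "[exe|dll|ida]" matches any ONE of the characters e x | d l i a.
AS_POSTED = re.compile(r"^.*\.[exe|dll|ida].*")

# Alternation form: matches the extensions .exe, .dll and .ida themselves.
CORRECTED = re.compile(r"^.*\.(exe|dll|ida).*")

# Constructed sample request URIs (not real log data): three typical worm
# probes for .exe/.ida files followed by five ordinary page requests.
SAMPLE_URIS = [
    "/scripts/root.exe?/c+dir",
    "/msadc/root.exe?/c+dir",
    "/default.ida?XXXXXXXXXXXXXXXX",
    "/index.html",
    "/products.asp",
    "/sitemap.xml",
    "/logo.gif",
    "/report.doc",
]


def route(uri, pattern):
    """'worm' if the URI would get the dontlog mark (worm log), else 'normal'."""
    return "worm" if pattern.search(uri) else "normal"


def split_log(uris, pattern):
    """Split requests the way the two CustomLog lines would (worm, normal)."""
    worm = [u for u in uris if route(u, pattern) == "worm"]
    normal = [u for u in uris if route(u, pattern) == "normal"]
    return worm, normal


def misrouted_by_posted_pattern(uris):
    """Ordinary requests that the bracket form diverts but the alternation does not."""
    return [u for u in uris
            if route(u, AS_POSTED) == "worm" and route(u, CORRECTED) == "normal"]


if __name__ == "__main__":
    worm, normal = split_log(SAMPLE_URIS, CORRECTED)
    print("worm log   :", worm)
    print("normal log :", normal)
    print("misrouted by bracket form:", misrouted_by_posted_pattern(SAMPLE_URIS))
```

The bracket form also feeds the step-1 RewriteRule, so every misrouted request would be answered with the "Sorry!" page instead of the real file.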