
Selective logging with Apache (or, hiding Code Red and Nimda)

Code Red and Nimda requests are annoying at best, and can complicate log processing. One option for dealing with these requests is to have Apache log them to a separate log file, which can be processed as needed. Additional uses for separate log files are explored at the end.

The httpd.conf file will need to be manually edited to add the following features. For more information on the configuration outlined below, consult the Apache manual.

[robg adds: A previous hint includes a shell script to block Nimda and Code Red requests at the firewall level; this hint explains how to use Apache's custom logging features to log these activities in a separate log file without actually blocking the requests.]

Logging Nimda and Code Red queries...

  1. Pick what to tag.

     The goal here is to associate a tag with particular requests, so Apache can subsequently do something special with log entries that do or do not carry the tag in question. This should be done just before any CustomLog entries.

      SetEnvIfNoCase Request_URI "/cmd\.exe" msjunk
      SetEnvIfNoCase Request_URI "/Admin\.dll" msjunk
      SetEnvIfNoCase Request_URI "/root\.exe" msjunk
      SetEnvIfNoCase Request_URI "/httpodbc\.dll" msjunk
      SetEnvIfNoCase Request_URI "/owssvr\.dll" msjunk
      SetEnvIfNoCase Request_URI "/default\.ida" msjunk

     The above SetEnvIfNoCase entries will set a msjunk environment variable inside Apache for requests whose URI matches the specified pattern. Case-insensitive matching is used so both CMD.EXE and cmd.exe trigger a match. Certain characters (like .) are special in regular expressions, and have been escaped with a backslash to prevent potential (but rare) false positives.

  2. Log the msjunk requests.

     Create a new CustomLog statement after the new SetEnvIfNoCase entries to direct any requests carrying the msjunk variable to a different log file. Note the use of the env=msjunk condition. A CustomLog line requires a log format (here the common nickname, which the stock httpd.conf defines with LogFormat) before the env= argument; if the format is omitted, Apache treats the env= text itself as the format string and the log fills with that literal text.

      CustomLog "/private/var/log/httpd/msjunk_log" common env=msjunk

     If nothing will be done with the requests, the entries can instead be thrown out.

      CustomLog "/dev/null" common env=msjunk

  3. Update regular logging.

     At this point, msjunk requests are going to both the new CustomLog entry and the regular log file. Any existing CustomLog entries will need to be updated to not log requests carrying the msjunk tag. Note the ! in env=!msjunk, which negates the condition.

      CustomLog "/private/var/log/httpd/access_log" common env=!msjunk

  4. Testing

     Save httpd.conf, restart Apache, and try both a good request and one containing a pattern. The first request should appear only in access_log and the second only in msjunk_log.

    $ curl http://www.example.org/ >/dev/null
      % Total    % Received % Xferd  Average Speed          Time             Curr.
                                     Dload  Upload Total    Current  Left    Speed
    100  4255  100  4255    0     0   7975      0  0:00:00  0:00:00  0:00:00  1618
    $ curl http://www.example.org/cmd.exe >/dev/null
      % Total    % Received % Xferd  Average Speed          Time             Curr.
                                     Dload  Upload Total    Current  Left    Speed
    100  1069    0  1069    0     0   3397      0 --:--:--  0:00:00 --:--:--     0

  5. Extra Work

     The new msjunk_log file may need to be rotated to prevent it from growing too large. This is outside the scope of this document.

Other interesting things can be done with the SetEnvIf directive, such as logging requests from local testing systems to an alternate log file. This can be done by matching on the Remote_Host or Remote_Addr attribute instead of Request_URI, and requires additional environment variables and updated CustomLog rules, because each CustomLog line accepts only a single env= condition.
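As an added example (not part of the original hint), the fragment below combines the msjunk tag with a second tag for a local test machine, as the paragraph above suggests. Since a CustomLog line can test only one env= variable, a third variable, nolog, is derived from the other two so that the main access_log excludes both kinds of request with a single condition. The address 192.168.1.10, the variable names local and nolog, and the file local_log are assumptions for this example.

```apache
# Tag the worm probe URIs (patterns taken from the hint above).
SetEnvIfNoCase Request_URI "/cmd\.exe"     msjunk
SetEnvIfNoCase Request_URI "/root\.exe"    msjunk
SetEnvIfNoCase Request_URI "/default\.ida" msjunk

# Tag requests from a local test machine (assumed address 192.168.1.10).
# The pattern is anchored so that 192.168.1.100 does not also match.
SetEnvIf Remote_Addr "^192\.168\.1\.10$" local

# A variable set by SetEnvIf without an explicit value holds "1", and a
# later SetEnvIf may test a variable set by an earlier one. Fold both tags
# into nolog so the main log needs only one env= test. SetEnvIf looks at
# request headers before environment variables, so keep these names
# distinct from any real header name.
SetEnvIf msjunk "^1$" nolog
SetEnvIf local  "^1$" nolog

# Every CustomLog needs a format before env=; "common" must already be
# defined by a LogFormat line, as in the stock httpd.conf.
CustomLog "/private/var/log/httpd/msjunk_log" common env=msjunk
CustomLog "/private/var/log/httpd/local_log"  common env=local
CustomLog "/private/var/log/httpd/access_log" common env=!nolog
```

A request that is both a probe and from the test machine is written to msjunk_log and local_log, and to neither access_log nor any other file.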


Selective logging with Apache (or, hiding Code Red and Nimda)
Authored by: mrgerbek on Mar 19, '03 11:54:22AM

Thanks, I've been wanting to get rid of that crap. At first I was tempted to redirect it to M$'s website, but was told that was about the most foolish thing I could do.

Since then I've simply used grep -v to remove all the /scripts/ and cmd.exe lines. This will work much better.

---
~~~~~~~~~~
Be Green

Denying access
Authored by: juanfc on Mar 19, '03 12:01:20PM
I denied access to the IPs that ask my server for NNNNNNN, robots, etc., by including in httpd.conf the directive deny from 1.2.3.4 4.3.2.1 ...... but the log reflects that this does not work. How should I deny access for those stupid requests that only waste the time of my near-local Apache server? I collect hundreds of IPs that ask for "bad" things on my server. I suppose deny from is not the correct way of doing these things.

---
juan

Denying access
Authored by: mcroft on Mar 19, '03 02:46:41PM
Use Little Dutch Moose from Wundermoosen Software. It watches port 80 for requests that match patterns you set and if it finds them, it puts them in ipfw's rules. It expires them after 90 days, so you don't get a stale list.

It lets you add your own patterns, so if you get tired of assholes looking to abuse formmail.pl on your server, autoban them.

Selective logging with Apache (or, hiding Code Red and Nimda)
Authored by: shmert on Mar 19, '03 12:19:05PM

Very useful hint. I've also redirected requests from my local machine to a different log, so now my apache log only has "interesting" hits in it. Here's the apache config page for setenvif module:

http://httpd.apache.org/docs/mod/mod_setenvif.html

Selective logging with Apache (or, hiding Code Red and Nimda)
Authored by: sebastienb on Mar 19, '03 03:59:15PM

Or just redirect to http://127.0.0.1 for those requested files to have it not show up in the error logs

Selective logging with Apache (or, hiding Code Red and Nimda)
Authored by: stevec on Mar 19, '03 04:17:59PM

This Code Red/Nimda thing annoyed me a great deal as well, but this tip just affects the logging of the attacks. While this is good in and of itself, it does not address the main issue of blocking the attempts in the first place.

The firewall solutions are nice, but I prefer the Creamy GUI Goodness method, i.e. the oddly named Little Dutch Moose. It installs as a control panel (whoops, "Preference Pane") and will automatically detect and then deny access to IP addresses that do these kinds of attacks (among other things).

It's been running on my web server for a couple of months now with nary a problem. I have no connection with Wondermoosen software but can recommend this product heartily.

Selective logging with Apache (or, hiding Code Red and Nimda)
Authored by: bluehz on Apr 07, '04 02:01:58AM

This doesn't seem to work for me unless I change the line:

CustomLog "/dev/null" env=msjunk

to

CustomLog "/dev/null" combined env=msjunk

Without the "combined" added, all that ever goes into the log is "msjunk".

Selective logging with Apache (or, hiding Code Red and Nimda)
Authored by: derekhed on May 12, '04 03:37:08PM
What would you add to filter out the Phatbot entries?
