Journal: How I'm keeping my logs clean from annoying IIS worm queries

Global note: I think the worm hits web servers by IP address, so chances are its requests won't match any of your VirtualHost configurations; they'll land on the global/default settings in httpd.conf, and that's where you should probably make the following changes.

Also note that the following may be LESS THAN IDEAL for servers under heavy load, because directives like SetEnvIf and <LocationMatch> run a pattern match against every request's URI. /etc/httpd/conf/httpd.conf is the file I modified.

1) I have the mod_perl module enabled.

2) Add a LogFormat that only logs the basics and call it "assholes". I think I'm still logging too much crap; you may want to log just the client's IP/name:

LogFormat "%t %h %{Host}i %U" assholes

3) Use SetEnvIf on the request URI to detect worm requests (it sets the environment variable "virus" when the regex matches):

SetEnvIf Request_URI (cmd\.exe|root\.exe|efault.ida) virus

# Note: you could add Admin.dll to the list, but it's rarely requested so I don't mind keeping that in my main log. See http://httpd.apache.org/docs/mod/mod_log_config.html#customlog and http://httpd.apache.org/docs/mod/mod_setenvif.html#setenvif

4) Make CustomLog entries based on the above condition (the "virus" environment variable):

# If it's a virus request:
CustomLog /home/chris/public_html/logs/ass_log assholes env=virus

# If it's not a virus request:
CustomLog /home/chris/public_html/logs/access_log combined env=!virus

5) <Location>/<LocationMatch> directives plus a Virus.pm PerlHandler.

The following <Location> directives should cover all current virus requests and hand them to a Perl module called Virus.pm. The module answers the request itself, so it never triggers a 404 or 403, and none of those errors get written to your error_log. That's what keeps error_log clean. I put the Perl module in /etc/httpd/lib/perl/Virus.pm (a directory mod_perl adds to @INC).

Right now my Virus.pm does nothing but return "1;", and that's enough to keep error_log clean. Someone with Perl skills could come up with something cool that records each infected host's IP address in a database with a timestamp (so dynamic IPs can be told apart), coupled with a cron job that periodically emails a list of infected hosts to the admin of whoever owns that class B of IP addresses, or some crap like that.

Here's my code for Virus.pm:

package Virus;          # "PerlHandler Virus" looks for Virus::handler
use strict;
use Apache::Constants qw(OK);

our $VERSION = '1.00';

# Send an empty 200 response, so Apache never generates a 404/403
# for these requests and nothing lands in error_log.
sub handler
{
    my $r = shift;      # the Apache request object
    $r->send_http_header('text/plain');
    return OK;
}
# All modules must return a true value
1;

Here are the <Location> and <LocationMatch> directives:

<LocationMatch "cmd\.exe">
          SetHandler perl-script
          PerlHandler Virus
</LocationMatch>

# A <Location /*/*/root.exe> wildcard needs two directory levels in front
# of root.exe and would miss e.g. /scripts/root.exe, so match root.exe
# anywhere in the path instead (this also covers a bare /root.exe):
<LocationMatch "root\.exe">
        SetHandler perl-script
        PerlHandler Virus
</LocationMatch>

<Location /Default.ida>
      SetHandler perl-script
      PerlHandler Virus
</Location>

<Location /default.ida>
      SetHandler perl-script
      PerlHandler Virus
</Location>

that's pretty much it for me. Suggestions? Anyone care to submit code for a Virus.pm that does something cool?
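The cron-job half of the idea sketched in step 5, as an added example that is not the journal's own code: a Python script that reads the ass_log produced by the "assholes" LogFormat above, applies the same worm-URI test as the SetEnvIf line, tallies each infected host with first/last-seen timestamps, and groups the hosts by /16 so one report can go to each network's admin. The sample log lines are constructed and use documentation IP addresses.

```python
import re
from collections import defaultdict
from datetime import datetime

# One line of the journal's "assholes" LogFormat: %t %h %{Host}i %U
LINE_RE = re.compile(r"^\[(?P<time>[^\]]+)\] (?P<host>\S+) (?P<vhost>\S+) (?P<uri>\S+)$")
# Same test as the journal's SetEnvIf; "efault" covers Default.ida and default.ida
WORM_RE = re.compile(r"cmd\.exe|root\.exe|efault\.ida")

# Constructed sample log (documentation IPs); the /index.html line is an
# ordinary request, included to show that non-worm lines are ignored.
SAMPLE_LOG = """\
[20/Sep/2001:03:14:07 -0500] 192.0.2.10 203.0.113.5 /scripts/root.exe
[20/Sep/2001:03:14:09 -0500] 192.0.2.10 203.0.113.5 /c/winnt/system32/cmd.exe
[20/Sep/2001:05:30:00 -0500] 192.0.2.77 203.0.113.5 /default.ida
[20/Sep/2001:06:00:00 -0500] 198.51.100.4 203.0.113.5 /index.html
"""

def parse_line(line):
    """Fields of one log line as a dict, or None if the line is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def is_worm_uri(uri):
    return WORM_RE.search(uri) is not None

def summarize(log_text):
    """Per source IP: hit count, first/last seen, and the distinct URIs probed."""
    hosts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_worm_uri(rec["uri"]):
            continue
        h = hosts.setdefault(rec["host"], {"count": 0, "first": rec["time"],
                                           "last": rec["time"], "uris": set()})
        h["count"] += 1
        h["first"], h["last"] = min(h["first"], rec["time"]), max(h["last"], rec["time"])
        h["uris"].add(rec["uri"])
    return hosts

def group_by_class_b(hosts):
    """IPs grouped by /16 ('class B' in the journal's words): one list per admin."""
    groups = defaultdict(list)
    for ip in sorted(hosts):
        groups[".".join(ip.split(".")[:2]) + ".0.0/16"].append(ip)
    return dict(groups)
```

Run it from cron against the real ass_log and feed group_by_class_b()'s output to whatever mails the reports; the per-host timestamps are what let you tell two dynamic-IP users apart.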
