[svlug] Is this a hack attempt?

Gary Lin glin at employees.org
Sun Oct 27 11:30:35 PST 2002


Yes, I have encountered the same problem.  Although this does not hurt 
Apache much (I felt sorry for the ones who use
IIS without all the proper patches), it can be quite annoying to 
see these useless entries in your Apache log, plus getting probed 
every couple of minutes.  According to some user group that I read 
before, you can change your Apache settings to let the
virus know that the page no longer exists, so that the virus will not 
probe again:

(With the following settings in httpd.conf)
# Redirect: answer the worm's probe URLs with "410 Gone" (no target
# URL is given for status "gone"). Redirect matches whole path
# segments, so "/c" catches /c/winnt/... but not /contact.
Redirect gone /scripts
Redirect gone /MSADC
Redirect gone /c
Redirect gone /d
Redirect gone /_mem_bin
Redirect gone /msadc
Redirect gone /default.ida
# RedirectMatch takes a regular expression: "\c" is a regex escape,
# not a literal backslash, and the dot must be escaped. This matches
# any path ending in cmd.exe, whichever separators precede it.
RedirectMatch gone (.*)cmd\.exe$

Some people suggested going one step further by using the 
Redirect directive in Apache to "redirect" all these requests
to "127.0.0.1" (or localhost).  This will fool the virus into attacking 
itself and bring down the infected computer more quickly, to
prevent the virus from spreading.

Another thing you might want to do is tell Apache not to log these 
requests, so that your log will be much smaller and cleaner.  To do this, 
use the following config:

# Log, to block NIMDA virus noise: set the "nolog" variable on the
# worm's probe URLs and leave those requests out of access_log.
# Request_URI is matched without the query string, and SetEnvIfNoCase
# is case-insensitive, so "^/msadc/" covers /MSADC/ as well.
SetEnvIfNoCase Request_URI "^/scripts/" nolog
SetEnvIfNoCase Request_URI "^/msadc/" nolog
SetEnvIfNoCase Request_URI "^/_vti_bin/" nolog
SetEnvIfNoCase Request_URI "^/_mem_bin/" nolog
SetEnvIfNoCase Request_URI "^/c/winnt/" nolog
SetEnvIfNoCase Request_URI "^/d/winnt/" nolog
SetEnvIfNoCase Request_URI "^/default\.ida" nolog
# Write every request except the ones marked nolog
CustomLog logs/access_log combined env=!nolog

Hope this helps!

-- Gary




Justin Ryan wrote:

>> Is this just something that will happen all the time and I never knew
>> it?
>
> Yes, be glad you are running a superior operating system :)
>
> Er.. make sure apache/mod_ssl/openssl/openssh are patched, btw (which
> should be the case if you're running RH8).. ;p
>
>> I think I would still like to ban these IP addresses from contacting my
>> machine. Is there a way?
>
> It is possible, but not worthwhile imho..  It isn't a static list, and
> realistically any machine that is attempting to exploit a Windows vuln
> should almost be on a 'safe list', since it isn't capable of (easily)
> attempting to launch attacks that your system _is_ vulnerable to :)
>
>> Also, I thought it would be a good idea to notify the ISP of those IP
>> addresses, but I can't figure out who it is?
>
> rwhois and ARIN are your friends, see previous posts :)
>
> Cheers,
>
> -Justin
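An added example, not code from Gary's post or from the svlug archive: a Python dry run that applies the same SetEnvIfNoCase patterns to a few constructed access_log lines, so you can see which requests the env=!nolog filter would drop from an existing log and tally the probing hosts before they disappear from the log, which is the list you would then look up with rwhois/ARIN. It assumes the "combined" log format and that Apache matches Request_URI against the path without the query string; the sample lines, IPs and timestamps are made up for the example.

```python
"""Dry run of the nolog rules against sample Apache combined-format log lines."""
import re
from collections import Counter

# Constructed sample lines (made up for this example): four Nimda-style probes
# from one host, one Code Red-style default.ida probe, and two ordinary hits.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Oct/2002:11:02:17 -0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 285 "-" "-"
10.0.0.5 - - [27/Oct/2002:11:02:18 -0800] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 285 "-" "-"
10.0.0.5 - - [27/Oct/2002:11:02:19 -0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 285 "-" "-"
10.0.0.5 - - [27/Oct/2002:11:02:20 -0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 285 "-" "-"
192.168.1.9 - - [27/Oct/2002:11:05:44 -0800] "GET /default.ida?XXXXXXXXXXXXXXXX%u9090%u6858 HTTP/1.0" 404 285 "-" "-"
172.16.4.2 - - [27/Oct/2002:11:07:01 -0800] "GET /index.html HTTP/1.1" 200 1534 "-" "Mozilla/5.0"
172.16.4.2 - - [27/Oct/2002:11:07:02 -0800] "GET /contact/ HTTP/1.1" 200 812 "-" "Mozilla/5.0"
"""

# Apache "combined" format: host ident user [time] "request" status size "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The SetEnvIfNoCase patterns from the post, verbatim. Assumption: Apache
# applies them to Request_URI (path only, no query string), case-insensitively.
NOLOG_PATTERNS = [
    r"^/scripts/", r"^/msadc/", r"^/_vti_bin/", r"^/_mem_bin/",
    r"^/c/winnt/", r"^/d/winnt/", r"^/default.ida",
]
NOLOG_RE = re.compile("|".join(NOLOG_PATTERNS), re.IGNORECASE)


def parse_line(line):
    """Split one combined-format line into fields; None if it does not parse."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["path"] = rec["uri"].split("?", 1)[0]  # what SetEnvIf sees as Request_URI
    return rec


def would_suppress(path):
    """True if the nolog rules would keep a request for this path out of access_log."""
    return NOLOG_RE.search(path) is not None


def audit(log_text):
    """Return (kept_lines, dropped_records, probes_per_ip) for a block of log text."""
    kept, dropped, per_ip = [], [], Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and would_suppress(rec["path"]):
            dropped.append(rec)
            per_ip[rec["ip"]] += 1
        else:
            kept.append(line)  # unparseable lines are kept, never silently lost
    return kept, dropped, per_ip


def top_sources(per_ip):
    """Probing hosts, busiest first: the list to take to rwhois/ARIN."""
    return sorted(per_ip.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    kept, dropped, per_ip = audit(SAMPLE_LOG)
    print(f"{len(dropped)} probe(s) would be suppressed, {len(kept)} line(s) kept")
    for ip, n in top_sources(per_ip):
        print(f"{ip:15} {n} probe(s)")
```

Run it against a real log with `audit(open("access_log").read())` before enabling the CustomLog filter; anything that ends up in `dropped` but is not a worm probe is a sign that one of the prefixes is too broad for your site.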