Catching worms with Apache

slur

Geek / Hedonist
If your box is connected to the outside world through your web server, you may have noticed your access_log growing really huge lately. This is of course due to the propagation of worms that take advantage of weaknesses in Microsoft's Network Information Server (NIS) to attack web servers throughout the rest of the internet.

Replace the logging directives in your httpd.conf file for Apache with the following lines:

#
# DEAL WITH CODE RED AND NIMDA!
#
LogFormat "%t %h" wormlog
SetEnvIf Request_URI "^/default\.ida$" codered worm
SetEnvIf Request_URI "/winnt/system32/|root\.exe" nimda worm

CustomLog "/private/var/log/httpd/code_red_log" wormlog env=codered
CustomLog "/private/var/log/httpd/nimda_log" wormlog env=nimda
CustomLog "/private/var/log/httpd/access_log" common env=!worm


Restart Apache and it will immediately begin logging hits from Code Red and Nimda to the two new files. You can watch these hits in the terminal as they happen: execute one of these commands and leave the terminal open:

tail -f /private/var/log/httpd/code_red_log
or
tail -f /private/var/log/httpd/nimda_log

These worm logs use a much shorter format (just the timestamp and the client host), so you'll save a bit of disk space too.
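As an added illustration (not part of the original post, and not Apache code), the Python script below applies the same two SetEnvIf regexes to a handful of constructed common-format access_log lines and routes each line the way the three CustomLog directives above would: a hit tagged codered or nimda goes to the matching short "%t %h" worm log, and everything else stays in access_log because of env=!worm. The log lines, client addresses and log names are made up for this example; only the regexes come from the configuration above.

```python
import re
from collections import defaultdict

# The two patterns from the SetEnvIf directives above. Apache's Request_URI
# is the request target without its query string, so "^/default\.ida$" still
# matches a Code Red hit like "/default.ida?NNNN...".
WORM_RULES = [
    ("code_red", re.compile(r"^/default\.ida$")),
    ("nimda", re.compile(r"/winnt/system32/|root\.exe")),
]

# Common Log Format: host ident user [time] "method target proto" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: (?P<proto>[^"]+))?" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)


def request_uri(target):
    """Mimic Apache's Request_URI: drop the query string from the request target."""
    return target.split("?", 1)[0]


def classify(line):
    """Return a list of (log_name, entry) pairs for one access_log line.

    A line that matches a worm rule is written to that worm's log in the
    short "%t %h" format; a line matching several rules goes to each of
    their logs, exactly as several CustomLog env= conditions would fire.
    Anything unmatched stays in access_log in its original form (env=!worm).
    Returns None for a line that is not in Common Log Format.
    """
    m = CLF_RE.match(line)
    if not m:
        return None
    uri = request_uri(m.group("target"))
    short = f"[{m.group('time')}] {m.group('host')}"  # the page's wormlog format "%t %h"
    tags = [name for name, rx in WORM_RULES if rx.search(uri)]
    if not tags:
        return [("access_log", line)]
    return [(f"{tag}_log", short) for tag in tags]


def route(lines):
    """Split many log lines into per-log lists; unparsable lines are returned separately."""
    logs = defaultdict(list)
    unparsed = []
    for line in lines:
        result = classify(line)
        if result is None:
            unparsed.append(line)
            continue
        for log_name, entry in result:
            logs[log_name].append(entry)
    return dict(logs), unparsed


# Constructed sample lines (documentation-range addresses, shortened payloads).
SAMPLE_LINES = [
    '192.0.2.10 - - [10/Oct/2001:13:55:36 -0700] "GET /default.ida?NNNNNNNNNNNN%u9090%u6858 HTTP/1.0" 400 325',
    '198.51.100.7 - - [18/Sep/2001:09:12:01 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 297',
    '198.51.100.7 - - [18/Sep/2001:09:12:02 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297',
    '203.0.113.5 - - [18/Sep/2001:09:13:44 -0700] "GET /index.html HTTP/1.1" 200 1834',
    # Not a Code Red hit: the trailing "$" in the regex keeps this in access_log.
    '203.0.113.6 - - [18/Sep/2001:09:14:02 -0700] "GET /default.ida.bak HTTP/1.0" 404 210',
]

if __name__ == "__main__":
    logs, unparsed = route(SAMPLE_LINES)
    for name in ("code_red_log", "nimda_log", "access_log"):
        print(f"== {name} ==")
        for entry in logs.get(name, []):
            print(entry)
    print(f"unparsed: {len(unparsed)}")
```

The `/default.ida.bak` line is included to show why the `$` anchor matters: without it a worm rule would also divert unrelated requests out of access_log, where you would never see them.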