Re: [SLUG] worm log entries

From: Patrick Grantham (pwgrant@yahoo.com)
Date: Thu Jan 17 2002 - 14:13:42 EST


Where would be the best, first place to start to read about
"Use apache's rewrite engine to block those accesses entirely." to learn
all the particulars?

----- Original Message -----
From: "Derek Glidden" <dglidden@illusionary.com>
To: <slug@nks.net>
Sent: Thursday, January 17, 2002 12:42 PM
Subject: Re: [SLUG] worm log entries

> On Wed, 2002-01-16 at 17:48, Patrick Grantham wrote:
> > How can I configure Apache to stop logging these entries?
> > 66.126.9.103 - - [02/Jan/2002:14:38:01 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 300
>
> [etc]
>
> The simple, but incomplete answer is, "Use apache's rewrite engine to
> block those accesses entirely." I thought I had a server that had a
> bunch of those rewrite rules in place to block stuff like CodeRed and
> Nimda, but now I can't figure out where it is, so I can't post the
> relevant sections. It's pretty straightforward though.
>
> > In one week the web log file on this machine grew to 3MB in one week, from
> > this alone. It just began serving. I know what they are. I can post
> > process the log file to discard them, but how can I configure apache to stop
> > logging them?
>
> Heh... a whole 3MB? *snigger* (thinking about our big production web
> servers that have racked up 1.5GB of logfiles in a week worth of worm
> activity...)
>
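
An added example, not part of either poster's message and not the rules Derek mentions having lost: an Apache configuration sketch covering both points in the thread, refusing the worm probes with mod_rewrite and keeping them out of the access log. The URL patterns beyond the `root.exe` request quoted above (`cmd.exe` for Nimda, `default.ida` for Code Red) and the log file path are assumptions; adjust them to the probes seen in your own logs.

```apache
# Added example. Assumes mod_rewrite, mod_setenvif and mod_log_config
# are loaded. Place in the main server config; rewrite settings are not
# inherited by <VirtualHost> sections unless enabled there as well.

# 1. Refuse the probes outright instead of walking the filesystem and
#    returning 404. "-" means no substitution, F returns 403 Forbidden,
#    NC makes the match case-insensitive.
RewriteEngine On
RewriteRule (root\.exe|cmd\.exe|default\.ida) - [F,NC]

# 2. A refused request is still written to the access log, so blocking
#    alone does not stop the log from growing. Tag matching requests
#    with an environment variable (name "worm_probe" is an assumption)...
SetEnvIfNoCase Request_URI "(root\.exe|cmd\.exe|default\.ida)" worm_probe

# ...and log only requests that do NOT carry the tag.
LogFormat "%h %l %u %t \"%r\" %>s %b" common
CustomLog logs/access_log common env=!worm_probe

# Optional: keep the probes in their own file rather than discarding
# them, so infected source addresses can still be reviewed or reported.
CustomLog logs/worm_log common env=worm_probe
```

Replace any existing `CustomLog` line for the same file rather than adding a second one, otherwise every request is logged twice.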



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 19:10:51 EDT