The Community Forums


Server Load/Apache Nimda/codered info....

Discussion in 'EasyApache' started by shaun, May 3, 2002.

  1. shaun (Well-Known Member, San Clemente, Ca; joined Nov 9, 2001)

    Depending on which IP block you are on, you may get more Code Red/Nimda requests than others. If, say, you are on the 216.73.*.* block, this will probably be very useful to you. 216.73 is the block that has the most infected machines out of the others. Even though Apache is not affected by Code Red/Nimda, it still sees the requests, and they can cause some load on your server. What I've seen so far is that the server's load ends up skyrocketing because it's trying to write so many errors to the error log. Any of you who want to stop this, here is the fix.

    # Code Red / Nimda probe URLs (.dll/.ida, cmd, root)
    RedirectMatch ^.*\.(dll|ida).* /dev/null
    RedirectMatch ^.*\cmd\.* /dev/null
    RedirectMatch ^.*\root\.* /dev/null

    Add those 3 lines to your /usr/local/apache/conf/httpd.conf and it will stop writing those Code Red/Nimda errors to the error_log. This doesn't stop Apache from responding to the requests, but it will help with the load. I was thinking about adding this to the cPanel enhancement form thing as something for cPanel to auto put in, but I'm not sure if Nick thinks it's something that needs to be done. Anyway, just thought I would pass this on to you guys.
     
  2. rpmws (Well-Known Member, back woods of NC, USA; joined Aug 14, 2001)

    Hey!!!!!!!!!!!!!!

    *** Thanks **** !! :) :) :)
     
  3. Daniel (Well-Known Member; joined Aug 13, 2001)

    We get support tickets on this all the time. I just added it to all servers. Thank you!!!
     
  4. shaun (Well-Known Member, San Clemente, Ca; joined Nov 9, 2001)

    Remember, this doesn't tell Apache not to respond to these requests... It just stops it from writing to the error_log.

    This will help keep your server from bogging down if hit by a massive Code Red scan.
     
  5. awsol (cPanel Test Bitch, Boston MA; joined Feb 8, 2002)

    Hey shaun, I just noticed this isn't working anymore. It looks like they changed the \ to /.

    66.100.24.173 - - [13/May/2002:09:06:50 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 302 265 "-" "-"
    66.100.24.173 - - [13/May/2002:09:06:50 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 302 265 "-" "-"
    66.100.24.173 - - [13/May/2002:09:06:50 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 265 "-" "-"
    66.100.24.173 - - [13/May/2002:09:06:50 -0400] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 265 "-" "-"
    66.100.24.173 - - [13/May/2002:09:06:50 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 265 "-" "-"
    66.100.24.173 - - [13/May/2002:09:06:50 -0400] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 265 "-" "-"
    66.100.24.173 - - [13/May/2002:09:06:50 -0400] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 265 "-" "-"
    66.100.24.173 - - [13/May/2002:09:06:51 -0400] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 265 "-" "-"
    66.100.24.173 - - [13/May/2002:09:06:51 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 265 "-" "-"
    66.100.24.173 - - [13/May/2002:09:06:51 -0400] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 12 "-" "-"
    66.100.24.173 - - [13/May/2002:09:06:51 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 265 "-" "-"
    66.100.24.173 - - [13/May/2002:09:06:51 -0400] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 265 "-" "-"
    66.100.24.173 - - [13/May/2002:09:06:51 -0400] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 12 "-" "-"
    66.100.24.173 - - [13/May/2002:09:06:51 -0400] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 12 "-" "-"
    66.100.24.173 - - [13/May/2002:09:06:51 -0400] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 265 "-" "-"
    66.100.24.173 - - [13/May/2002:09:06:51 -0400] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 265 "-" "-"

    I've been using your script for some time now and they just started coming back in error_log. I was thinking of copying those exact same lines and changing the \'s to /'s, but I'm not sure if that will work. For example:

    RedirectMatch ^.*/.(dll|ida).* /dev/null
    RedirectMatch ^.*/cmd/.* /dev/null
    RedirectMatch ^.*/root/.* /dev/null

    Please let me know if you think this will stop them. Thanks a lot for this excellent piece of code.
     
  6. awsol (cPanel Test Bitch, Boston MA; joined Feb 8, 2002)

    Also, another thing I was thinking of was just blocking "exe" totally. But the thing with that is some CGI scripts and stuff are actually named .exe, so I'm not sure if that's a good solution.
     
  7. shaun (Well-Known Member, San Clemente, Ca; joined Nov 9, 2001)

    Well, what I got out of this way back was that this just told Apache not to write to the error log. I could be wrong. If you put in an extension for exe they should still work, just won't be written to the error log. I am going to check into this now. I'll put more info on this when I figure it out.
     
  8. awsol (cPanel Test Bitch, Boston MA; joined Feb 8, 2002)

    Is it working on your servers?
     
  9. shaun (Well-Known Member, San Clemente, Ca; joined Nov 9, 2001)

    OK, I just read up on this...

    Sorry guys... RedirectMatch actually redirects the client somewhere. You could actually use this to redirect, say, .gif files to .jpeg, or redirect a whole site to a different site. So basically what this is doing is redirecting all Nimda requests to /dev/null. So this is basically making Apache not respond to the request.

    I've been watching my error log and I'm not seeing anything. If you watch the access log you will see these. That's because the server does get the incoming request. Those 3 lines are at the very beginning of my httpd.conf.

    Also, those slashes aren't for the URL... They are something else... can't remember the term right now. I believe it acts like the \ in Perl.

    ex: $var = "name is \"joe blah\"";
     
  10. awsol (cPanel Test Bitch, Boston MA; joined Feb 8, 2002)

    Yes, you're correct, they are like those in Perl. Well, I guess we are back to square one. I wonder if there's a way to not make them go to error_log. I'm tempted to change dev/null to fbi.gov and see what happens :p. Well shaun, let's see if we can dig up a fix for exactly what we thought this was for. I'm sure people want this.
     
  11. bert (Well-Known Member; joined Aug 21, 2001)

    I got this info from a mailing list:

    Add this to the "Logging Directives" part of your httpd.conf:

    #
    # (RWM) These are here to block Nimda/CodeRed hits from being logged.
    #
    SetEnvIfNoCase Request_URI "^/scripts/" nolog
    SetEnvIfNoCase Request_URI "^/msadc/" nolog
    SetEnvIfNoCase Request_URI "^/_vti_bin/" nolog
    SetEnvIfNoCase Request_URI "^/_mem_bin/" nolog
    SetEnvIfNoCase Request_URI "^/c/winnt/" nolog
    SetEnvIfNoCase Request_URI "^/d/winnt/" nolog
    SetEnvIfNoCase Request_URI "^/default.ida" nolog
    Redirect gone /scripts/
    Redirect gone /msadc/
    Redirect gone /_vti_bin/
    Redirect gone /_mem_bin/
    Redirect gone /c/winnt/
    Redirect gone /d/winnt/
    Redirect gone /default.ida

    The Redirects will filter the error_logs. The SetEnv ones set an environment variable "nolog" when it matches. So now, in your virtual hosts, you have to replace:

    TransferLog /home/httpd/www.linuxsecurity.com-80/logs/access_log

    with:

    # TransferLog /home/httpd/www.linuxsecurity.com-80/logs/access_log
    CustomLog /home/httpd/www.linuxsecurity.com-80/logs/access_log combined env=!nolog

    This says "don't log anything with the nolog environment variable set."

    Restart Apache and you're golden.

    The problem with the solution above is that it requires you to modify each and every virtual host; if you have 5 servers with 300 or more virtual hosts each, this is definitely a pain :p
     
  12. shaun (Well-Known Member, San Clemente, Ca; joined Nov 9, 2001)

    awsol,

    Yeah, I've been looking for a way to filter these out. The fix I listed above does a hell of a job here. But we are also filtering the inbound traffic with policies. The filtering on the inbound traffic will only filter the actual file Code Red/Nimda sends, but the stuff above makes Apache not respond to it. I remember I came across a module for Apache that would filter out Code Red/Nimda, but I couldn't get it to run right... That was some time ago. I will see if I can find the site.
     
  13. bdraco (Guest)

    Note: FrontPage actually uses _vti_bin, so you might want to avoid anything that filters that out.
     
  14. carperman (Well-Known Member; joined Feb 7, 2002)

    Still a little confused with this.

    What is the solution so far?
     
  15. shaun (Well-Known Member, San Clemente, Ca; joined Nov 9, 2001)

    Current solution is:

    RedirectMatch ^.*\.(dll|ida).* /dev/null
    RedirectMatch ^.*\cmd\.* /dev/null
    RedirectMatch ^.*\root\.* /dev/null

    Or if you want to have some phun....

    RedirectMatch ^.*\.(dll|ida).* http://www.microsoft.com
    RedirectMatch ^.*\cmd\.* http://www.microsoft.com
    RedirectMatch ^.*\root\.* http://www.microsoft.com

    :p :p :p :p
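The rules proposed in this thread (shaun's RedirectMatch lines, bert's SetEnvIfNoCase prefix list with the CustomLog env=!nolog change, and awsol's idea of filtering on "exe") can be scored against log lines before anything goes into httpd.conf. What follows is an added example, not code from the thread, from cPanel or from Apache: a Python script that parses combined-format log lines, applies each rule, and reports what each would hide and what it would let through. The log lines in it are constructed (modelled on the ones awsol posted, with a shortened Code Red .ida request and 192.0.2.0/24 documentation addresses); the FrontPage /_vti_bin/shtml.exe/_vti_rpc and /cgi-bin/count.exe requests are assumed legitimate traffic, added to exercise bdraco's and awsol's caveats. The posted_pattern_matches helper evaluates a pattern exactly as posted under Python's re escape rules, which is the backslash question shaun and awsol were circling.

```python
"""Added example, not from the thread: score the proposed log-filter rules
against constructed Apache combined-format log lines."""
import re
from typing import List, NamedTuple, Optional, Tuple

# Apache "combined" log format (what bert's CustomLog line writes).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"'
)


class Hit(NamedTuple):
    ip: str
    path: str
    status: int


def parse_line(line: str) -> Optional[Hit]:
    """Parse one combined-format line; None if the line is not in that format."""
    m = LOG_RE.match(line)
    return Hit(m['ip'], m['path'], int(m['status'])) if m else None


# Constructed sample modelled on awsol's lines. The Code Red .ida request is
# shortened and 192.0.2.0/24 is the documentation range. The boolean is the
# ground truth: True = worm probe, False = traffic you want to keep logging.
SAMPLE_LOG: List[Tuple[bool, str]] = [
    (True, '66.100.24.173 - - [13/May/2002:09:06:50 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 302 265 "-" "-"'),
    (True, '66.100.24.173 - - [13/May/2002:09:06:50 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 302 265 "-" "-"'),
    (True, '66.100.24.173 - - [13/May/2002:09:06:50 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 265 "-" "-"'),
    (True, '66.100.24.173 - - [13/May/2002:09:06:50 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 265 "-" "-"'),
    (True, '66.100.24.173 - - [13/May/2002:09:06:51 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 265 "-" "-"'),
    (True, '66.100.24.173 - - [13/May/2002:09:06:51 -0400] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 12 "-" "-"'),
    (True, '192.0.2.7 - - [13/May/2002:09:07:02 -0400] "GET /default.ida?NNNNNNNNNNNNNNNN%u9090%u6858%ucbd3 HTTP/1.0" 404 12 "-" "-"'),
    (False, '192.0.2.10 - - [13/May/2002:09:08:11 -0400] "POST /_vti_bin/shtml.exe/_vti_rpc HTTP/1.1" 200 412 "-" "FrontPage"'),
    (False, '192.0.2.11 - - [13/May/2002:09:08:30 -0400] "GET /cgi-bin/count.exe?page=1 HTTP/1.1" 200 88 "-" "Mozilla/4.0"'),
    (False, '192.0.2.12 - - [13/May/2002:09:09:00 -0400] "GET /index.html HTTP/1.1" 200 1523 "-" "Mozilla/4.0"'),
]

# Rule 1: shaun's three RedirectMatch patterns with the backslash kept only
# where it escapes a literal dot. Unanchored, so the same strings also work
# verbatim in a SetEnvIfNoCase Request_URI directive (see setenvif_rules).
SIGNATURES = (r'\.(dll|ida)', r'cmd\.exe', r'root\.exe')


def signature_rule(path: str) -> bool:
    return any(re.search(sig, path, re.I) for sig in SIGNATURES)


# Rule 2: bert's SetEnvIfNoCase prefix list, exactly as posted.
NOLOG_PREFIXES = ('/scripts/', '/msadc/', '/_vti_bin/', '/_mem_bin/',
                  '/c/winnt/', '/d/winnt/', '/default.ida')


def prefix_rule(path: str) -> bool:
    return path.lower().startswith(NOLOG_PREFIXES)


# Rule 3: awsol's idea of filtering anything with "exe" in it.
def blanket_exe_rule(path: str) -> bool:
    return '.exe' in path.lower()


def posted_pattern_matches(pattern: str, path: str) -> Optional[bool]:
    r"""Evaluate a RedirectMatch regex exactly as posted under Python's re, whose
    escape rules are PCRE-like: \r is a carriage return and \c plus a letter is
    rejected outright. Returns None when the engine refuses the pattern."""
    try:
        return re.match(pattern, path) is not None
    except re.error:
        return None


RULES = {'signature': signature_rule, 'prefix': prefix_rule,
         'blanket_exe': blanket_exe_rule}


def evaluate(sample=SAMPLE_LOG, rules=RULES) -> dict:
    """Per rule: lines it keeps out of the log, worm lines it lets through,
    and legitimate request paths it would wrongly hide."""
    report = {}
    for name, rule in rules.items():
        suppressed, missed, false_positives = 0, 0, []
        for is_worm, line in sample:
            hit = parse_line(line)
            if hit is None:
                continue
            if rule(hit.path):
                suppressed += 1
                if not is_worm:
                    false_positives.append(hit.path)
            elif is_worm:
                missed += 1
        report[name] = {'suppressed': suppressed, 'missed': missed,
                        'false_positives': false_positives}
    return report


def setenvif_rules(signatures=SIGNATURES) -> List[str]:
    """The signature patterns as SetEnvIfNoCase directives, for use with
    CustomLog ... env=!nolog as in bert's post."""
    return [f'SetEnvIfNoCase Request_URI "{sig}" nolog' for sig in signatures]


if __name__ == '__main__':
    for name, r in evaluate().items():
        print(f"{name:12s} suppressed={r['suppressed']} missed={r['missed']} "
              f"false_positives={r['false_positives']}")
    # Backslash-r in the posted pattern is read as a carriage return: no match.
    print(posted_pattern_matches(r'^.*\root\.*', '/scripts/root.exe?/c+dir'))
    print('\n'.join(setenvif_rules()))
```

Run as a script it prints one summary line per rule: the prefix list hides the FrontPage request (bdraco's point), the blanket "exe" filter hides the CGI as well and lets the Code Red .ida probe through, and the three signature patterns hide exactly the seven probes. It also shows that under Python's re the posted ^.*\root\.* does not match /scripts/root.exe?/c+dir, because \r is read as a carriage return; whether a given Apache build reads the backslash the same way depends on the regex library it was compiled with, so a pattern that escapes only the dots is the portable choice. setenvif_rules() returns the same three patterns as SetEnvIfNoCase directives; they still need the CustomLog ... env=!nolog change in each virtual host that bert described, and a Redirect gone or RedirectMatch alongside them if you also want the error_log quiet.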
     
  16. carperman (Well-Known Member; joined Feb 7, 2002)

    Cheers, where in httpd.conf?

    At the top or a specific place?
     
  17. shaun (Well-Known Member, San Clemente, Ca; joined Nov 9, 2001)

    I just threw mine at the top.
     