Server Load/Apache Nimda/codered info....

shaun

Well-Known Member
PartnerNOC
Verifed Vendor
Nov 9, 2001
708
1
318
San Clemente, Ca
cPanel Access Level
DataCenter Provider
Twitter
Depending on which IP block you are on you may get more Code Red/Nimda requests than others. If, say, you are on the 216.73.*.* block this will probably be very useful to you. 216.73 is a block that has the most infected machines out of the others. Even though Apache is not affected by Code Red/Nimda it still sees the requests, and it can cause some load on your server. What I've seen so far is that the server's load ends up skyrocketing because it's trying to write so many errors to the error log. Any of you who want to stop this, here is the fix.

RedirectMatch ^.*\.(dll|ida).* /dev/null
RedirectMatch ^.*\cmd\.* /dev/null
RedirectMatch ^.*\root\.* /dev/null

Add those 3 lines to your /usr/local/apache/conf/httpd.conf and it will stop writing those Code Red/Nimda errors to the error_log. This doesn't stop Apache from responding to the requests but it will help with the load. I was thinking about adding this to the cPanel enhancement form thing as something for cPanel to auto put in, but I'm not sure if Nick thinks it's something that needs to be done. Anyway, just thought I would pass this on to you guys.
 

awsol

cPanel Test Bitch
Feb 8, 2002
591
0
316
Boston MA
Hey shaun, I just noticed this isn't working anymore. It looks like they changed the \ to /.

66.100.24.173 - - [13/May/2002:09:06:50 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 302 265 "-" "-"
66.100.24.173 - - [13/May/2002:09:06:50 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 302 265 "-" "-"
66.100.24.173 - - [13/May/2002:09:06:50 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 265 "-" "-"
66.100.24.173 - - [13/May/2002:09:06:50 -0400] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 265 "-" "-"
66.100.24.173 - - [13/May/2002:09:06:50 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 265 "-" "-"
66.100.24.173 - - [13/May/2002:09:06:50 -0400] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 265 "-" "-"
66.100.24.173 - - [13/May/2002:09:06:50 -0400] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 265 "-" "-"
66.100.24.173 - - [13/May/2002:09:06:51 -0400] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 265 "-" "-"
66.100.24.173 - - [13/May/2002:09:06:51 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 265 "-" "-"
66.100.24.173 - - [13/May/2002:09:06:51 -0400] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 12 "-" "-"
66.100.24.173 - - [13/May/2002:09:06:51 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 265 "-" "-"
66.100.24.173 - - [13/May/2002:09:06:51 -0400] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 265 "-" "-"
66.100.24.173 - - [13/May/2002:09:06:51 -0400] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 12 "-" "-"
66.100.24.173 - - [13/May/2002:09:06:51 -0400] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 12 "-" "-"
66.100.24.173 - - [13/May/2002:09:06:51 -0400] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 265 "-" "-"
66.100.24.173 - - [13/May/2002:09:06:51 -0400] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 265 "-" "-"


I've been using your script for some time now and they just started coming back in error_log. I was thinking of copying those exact same lines and changing the \'s to /'s but I'm not sure if that will work. For example:

RedirectMatch ^.*/.(dll|ida).* /dev/null
RedirectMatch ^.*/cmd/.* /dev/null
RedirectMatch ^.*/root/.* /dev/null

Please let me know if you think this will stop them. Thanks a lot for this excellent piece of code.
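To see what the encoded variants in that access log actually resolve to, and which lines a log filter should be matching, here is a small classifier. It is an added example, not part of awsol's post or of any cPanel tool. The first three sample lines are copied from the log above (quotes restored); the default.ida line and the search.exe line are constructed, and the signature list is this example's own summary of the request paths shown in the thread.

```python
"""Classify Apache access-log lines as Code Red / Nimda probes.

Added example, not from the thread above.  Three SAMPLE lines are copied
from the posted access log; the 192.0.2.x lines are constructed.  The
WORM_PATTERNS list is this example's own summary of the paths seen in the
thread, not a list published by anyone else.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Common Log Format: ip ident user [ts] "method path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Matched against the *normalized* path, so the encoded traversal variants
# (%255c, %%35%63, %c1%1c, %c0%af ...) all collapse onto the same rules.
WORM_PATTERNS = [
    ("codered", re.compile(r"/default\.ida$", re.I)),
    ("nimda",   re.compile(r"/(root|cmd)\.exe$", re.I)),
    ("nimda",   re.compile(r"/winnt/system32/", re.I)),
    ("nimda",   re.compile(r"^/(scripts|msadc|_vti_bin|_mem_bin)/\.\./", re.I)),
]

# Overlong UTF-8 encodings of '/' and '\' that IIS accepted as separators
OVERLONG = {"\xc0\xaf": "/", "\xc1\x9c": "\\", "\xc1\x1c": "\\"}

SAMPLE = [
    # copied from the access log posted above
    '66.100.24.173 - - [13/May/2002:09:06:50 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 302 265 "-" "-"',
    '66.100.24.173 - - [13/May/2002:09:06:50 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 265 "-" "-"',
    '66.100.24.173 - - [13/May/2002:09:06:51 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 265 "-" "-"',
    # constructed: a (shortened) Code Red probe and a legitimate CGI named .exe
    '192.0.2.10 - - [13/May/2002:09:07:12 -0400] "GET /default.ida?XXXXXXXXXXXX HTTP/1.0" 404 12 "-" "-"',
    '192.0.2.20 - - [13/May/2002:09:08:00 -0400] "GET /cgi-bin/search.exe?q=root HTTP/1.0" 200 1024 "-" "Mozilla/4.0"',
]


def normalize(raw_path: str) -> str:
    """Strip the query string, percent-decode twice (for %25xx double
    encoding), fold IIS overlong separators, and turn '\\' into '/'."""
    path = raw_path.split("?", 1)[0]
    for _ in range(2):
        path = unquote(path, encoding="latin-1")
    for seq, sep in OVERLONG.items():
        path = path.replace(seq, sep)
    return path.replace("\\", "/")


def classify(line: str):
    """Return a dict describing the probe, or None for a non-worm request."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = normalize(m["path"])
    for family, pat in WORM_PATTERNS:
        if pat.search(path):
            return {"ip": m["ip"], "family": family, "path": path,
                    "status": int(m["status"])}
    return None


def summarize(lines):
    """All worm hits plus a per-source-IP count, for deciding what to filter."""
    hits = [h for h in map(classify, lines) if h]
    return hits, Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    hits, per_ip = summarize(SAMPLE)
    for h in hits:
        print(f'{h["ip"]:15} {h["family"]:8} {h["status"]} {h["path"]}')
    print("per source:", dict(per_ip))
```

Matching on the decoded path rather than the raw one is the point: the `%255c`, `%%35%63` and `%c1%1c` lines all normalize to `/scripts/../../winnt/system32/cmd.exe`, while the constructed `/cgi-bin/search.exe` request is left alone, which is the distinction awsol's "block exe totally" idea would lose.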
 

awsol
Also, another thing I was thinking of was just blocking "exe" totally. But the thing with that is some CGI scripts and stuff are actually named .exe, so I'm not sure if that's a good solution.
 

shaun
Well, from what I got out of this way back was that this just told Apache not to write to the error log. I could be wrong. If you put in an extension for exe they should still work, just won't be written to the error log. I am going to check into this now. I'll put more info on this when I figure it out.
 

shaun
OK, I just read up on this...

Sorry guys... RedirectMatch actually redirects the client somewhere. You could actually use this to redirect, say, .gif files to .jpeg, or redirect a whole site to a different site. So basically what this is doing is redirecting all Nimda requests to /dev/null. So this is basically making Apache not respond to the request.

I've been watching my error log and I'm not seeing anything. If you watch the access log you will see these. That's because the server does get the incoming request. Those 3 lines are at the very beginning of my httpd.conf.

Also, those slashes aren't for the URL. They are something else... can't remember the term right now. I believe it acts like the \ in Perl.

ex: $var = "name is \"joe blah\"";
 

awsol
Yes, you're correct, they are like in Perl. Well, I guess we are back to square one. I wonder if there's a way to not make them go to error_log. I'm tempted to change dev/null to fbi.gov and see what happens :p. Well shaun, let's see if we can dig up a fix for exactly what we thought this was for. I'm sure people want this.
 

bert

Well-Known Member
Aug 21, 2001
602
0
316
I got this info from a mailing list:

Add this to the "Logging Directives" part of your httpd.conf:


#
# (RWM) These are here to block Nimda/CodeRed hits from being logged.
#
SetEnvIfNoCase Request_URI "^/scripts/" nolog
SetEnvIfNoCase Request_URI "^/msadc/" nolog
SetEnvIfNoCase Request_URI "^/_vti_bin/" nolog
SetEnvIfNoCase Request_URI "^/_mem_bin/" nolog
SetEnvIfNoCase Request_URI "^/c/winnt/" nolog
SetEnvIfNoCase Request_URI "^/d/winnt/" nolog
SetEnvIfNoCase Request_URI "^/default.ida" nolog
Redirect gone /scripts/
Redirect gone /msadc/
Redirect gone /_vti_bin/
Redirect gone /_mem_bin/
Redirect gone /c/winnt/
Redirect gone /d/winnt/
Redirect gone /default.ida


The Redirects will filter the error_logs. The SetEnv ones set an
environment variable "nolog" when it matches. So now, in your virtual
hosts, you have to replace:


TransferLog /home/httpd/www.linuxsecurity.com-80/logs/access_log


with:
# TransferLog /home/httpd/www.linuxsecurity.com-80/logs/access_log
CustomLog /home/httpd/www.linuxsecurity.com-80/logs/access_log combined env=!nolog


This says "don't log anything with the nolog environment variable set."


Restart Apache and you're golden.



The problem with the solution above is that it requires you to modify each and every virtual host. If you have 5 servers with 300 or more virtual hosts each, this is definitely a pain :p
 

shaun
awsol,

Yeah, I've been looking for a way to filter these out. The fix I listed above does a hell of a job here. But we are also filtering the inbound traffic too with policies. The filtering on the inbound traffic will only filter the actual file Code Red/Nimda sends, but the stuff above makes Apache not respond to it. I remember I came across a module for Apache that would filter out Code Red/Nimda but I couldn't get it to run right... That was some time ago. I will see if I can find the site.
 
bdraco

Guest
Note: Frontpage actually uses _vti_bin so you might want to avoid anything that filters that out
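Putting the two approaches in this thread together, with bdraco's FrontPage caveat applied: the fragment below is an added example, not the mailing-list configuration bert quoted and not anything cPanel ships. It matches on the worm's own file names (root.exe, cmd.exe, default.ida) instead of whole directory prefixes, so ordinary FrontPage requests under /_vti_bin/ and a legitimate CGI that happens to be called something.exe are untouched. The domlogs path and the name of the "combined" LogFormat are assumptions.

```apache
# Added example (not the mailing-list or cPanel configuration).  Assumes a
# LogFormat named "combined" is already defined and that per-domain logs
# live under /usr/local/apache/domlogs/ (both are assumptions).

# 1. Answer the worm's executables with 410 Gone.  mod_alias does this
#    during URI translation, before Apache looks for a file on disk, so no
#    "File does not exist" line reaches error_log.  Only the file names the
#    worms ask for are matched, not /scripts/ or /_vti_bin/ as a whole.
RedirectMatch gone "/(root|cmd)\.exe$"
RedirectMatch gone "^/default\.ida"

# 2. Tag the same requests (plus the bare IIS traversal target) so the
#    access log can skip them.  mod_setenvif runs early enough for the tag
#    to be visible when the 410 is logged.
SetEnvIfNoCase Request_URI "/(root|cmd)\.exe" nolog
SetEnvIfNoCase Request_URI "^/default\.ida" nolog
SetEnvIfNoCase Request_URI "/winnt/system32/" nolog

# 3. Log everything except tagged requests.  A <VirtualHost> that carries
#    its own CustomLog/TransferLog does not inherit this line, so on a
#    cPanel box with per-domain logs it has to be repeated in each vhost,
#    which is exactly the pain bert describes above.
CustomLog /usr/local/apache/domlogs/example.com combined env=!nolog
```

One reason to write the patterns this way rather than copying the `\cmd` / `\root` forms posted earlier: those rely on the regex engine treating `\c` and `\r` as the plain letters c and r. Under PCRE, which Apache 2 uses, `\cX` is a control-character escape and `\r` is a carriage return, so the escaped forms silently stop matching. Unescaped names work on both engines.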
 

shaun
Current Solution is:

RedirectMatch ^.*\.(dll|ida).* /dev/null
RedirectMatch ^.*\cmd\.* /dev/null
RedirectMatch ^.*\root\.* /dev/null


Or if you want to have some phun....

RedirectMatch ^.*\.(dll|ida).* http://www.microsoft.com
RedirectMatch ^.*\cmd\.* http://www.microsoft.com
RedirectMatch ^.*\root\.* http://www.microsoft.com

:p :p :p :p