Koozali.org: home of the SME Server
Legacy Forums => Experienced User Forum => Topic started by: Dubois on February 25, 2002, 05:18:54 AM
-
My logs are full of Code Red hits. Literally hundreds, if not thousands, of entries.
I ventured upon this page, and adapted what I read to my .htaccess file (courtesy of thor anthrax howto)
http://www.addme.com/issue222.htm for reference info
I basically added this fragment to 90e-smithAccess10primary
redirect /home/e-smith/files/primary/html/scripts http://www.stoptheviruscold.invalid
redirect /home/e-smith/files/primary/html/MSADC http://www.stoptheviruscold.invalid
redirect /home/e-smith/files/primary/html/c http://www.stoptheviruscold.invalid
redirect /home/e-smith/files/primary/html/d http://www.stoptheviruscold.invalid
redirect /home/e-smith/files/primary/html/_mem_bin http://stoptheviruscold.invalid
redirect /home/e-smith/files/primary/html/msadc http://stoptheviruscold.invalid
RedirectMatch (.*)\cmd.exe$ http://stoptheviruscold.invalid$1
blah blah blah...
This has at least cleared all of the invalid entries in my HTTP error log.
-
There would be a lot of use to some of the not so clever Linux people like me out there. Why don't you make it into a Mini How To and submit it?
I know that I would love it as my log file is huge with hits from the redworm.
But thanks at least for posting what you have found.
Chris
-
Some explanation of this:
> I basically added this fragment to 90e-smithAccess10primary
>
at
/etc/e-smith/templates/etc/httpd/conf/httpd.conf/90e-smithAccess10primary
in my system. This is a template file e-smith uses to build the Apache (webserver) configuration file (i.e. httpd.conf). The things pasted below alter this template, and thus get into the Apache file. You cannot alter the Apache file direct
>
>
>
> redirect /home/e-smith/files/primary/html/scripts
> http://www.stoptheviruscold.invalid
> redirect /home/e-smith/files/primary/html/MSADC
> http://www.stoptheviruscold.invalid
> redirect /home/e-smith/files/primary/html/c
> http://www.stoptheviruscold.invalid
> redirect /home/e-smith/files/primary/html/d
> http://www.stoptheviruscold.invalid
> redirect /home/e-smith/files/primary/html/_mem_bin
> http://stoptheviruscold.invalid
> redirect /home/e-smith/files/primary/html/msadc
> http://stoptheviruscold.invalid
> RedirectMatch (.*)\cmd.exe$
> http://stoptheviruscold.invalid$1
>
> blah blah blah...
What this does is make sure that any Nimda request to your server gets redirected to http://www.stoptheviruscold.invalid. This www does not exist, so they get no response, and you are rid of their bullshit in your logs.
You could also redirect of course to a server that does something with their nimda requests, if you know one.
I only do not understand the part:
> RedirectMatch (.*)\cmd.exe$
> http://stoptheviruscold.invalid$1
I think it redirects any request with \cmd.exe$ in it to the fake www address?
I would also add:
redirect /home/e-smith/files/primary/html/default.ida http://www.stoptheviruscold.invalid
or is that stupid in some way?
For all your virtual domains you must alter the
/home/e-smith/files/primary/
in where the virtual domain is.
Anybody got comments?
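
An added example, not part of any post above: a Python script that counts how many access-log entries hit the paths named in this thread, per pattern and per client, so the effect of a filtering rule can be measured before and after. The log lines and client addresses are constructed, and the Common Log Format layout and the function names are assumptions.

```python
import re
from collections import Counter

# URL-path prefixes and file names taken from the directives quoted in this thread.
PROBE_PREFIXES = ("/scripts", "/MSADC", "/msadc", "/_mem_bin", "/c", "/d")
PROBE_FILES = ("cmd.exe", "default.ida")

# Assumed Common Log Format: host ident user [time] "METHOD target PROTO" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')

# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Feb/2002:05:01:02 +0000] "GET /default.ida?XXXX HTTP/1.0" 404 284',
    '192.0.2.10 - - [25/Feb/2002:05:01:05 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 280',
    '198.51.100.7 - - [25/Feb/2002:05:02:11 +0000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290',
    '198.51.100.7 - - [25/Feb/2002:05:02:12 +0000] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 281',
    '203.0.113.5 - - [25/Feb/2002:05:03:00 +0000] "GET /contact.html HTTP/1.1" 200 5120',
    '203.0.113.5 - - [25/Feb/2002:05:03:04 +0000] "GET /downloads/file.zip HTTP/1.1" 200 100',
]

def classify(target):
    """Return the probe pattern a request target matches, or None."""
    path = target.split("?", 1)[0]           # match on the URL path, not the query string
    name = path.rsplit("/", 1)[-1].lower()   # last path component
    if name in PROBE_FILES:
        return name
    for prefix in PROBE_PREFIXES:
        # Whole path segments only: /c matches /c/winnt but not /contact.html
        if path == prefix or path.startswith(prefix + "/"):
            return prefix
    return None

def summarize(lines):
    """Count probe hits per pattern and per client; also count other requests."""
    by_pattern, by_client, other = Counter(), Counter(), 0
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue                          # skip lines that are not in the assumed format
        client, _method, target, _status = m.groups()
        label = classify(target)
        if label is None:
            other += 1
        else:
            by_pattern[label] += 1
            by_client[client] += 1
    return by_pattern, by_client, other

if __name__ == "__main__":
    patterns, clients, other = summarize(SAMPLE_LOG)
    print("hits per pattern:", dict(patterns))
    print("hits per client:", dict(clients))
    print("other requests:", other)
```

The patterns are compared against the request's URL path (for example /scripts/...), not against a filesystem location under /home/e-smith/files/primary/html.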