[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Viruses and apache

Subject: Re: Viruses and apache
From: James Tolchard <email@hidden>
Date: Fri, 31 Jan 2003 17:29:29 +1300

On 31/1/03, Dafydd Williams (email@hidden) said:

>Our OS X 10.2.3 machine is getting hit by something that reminds me of a
>recent Windows virus. The apache log reveals the following:
>
>***.***.***.*** - - [30/Jan/2003:17:31:26 +1100] "GET
>/scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304
>
>(incoming IP starred to prevent embarrasment :) )

I wouldn't have bothered with the stars :)

>This is obviously just going to bounce off us, due to the fact we're
>running
>the wrong OS... or is that the right OS? My query is, can I block these
>IPs
>in some way? If so, how?

As you mentioned, these are harmless to you, but they do tend to fill up the
logs.

There was a recent discussion on how to prevent these entries from overcrowding
the logs. There are tools to automatically ban infected machines from reaching
apache (they are caught by the kernel packet filter before apache sees them,
therefore no request is process and no log entry generated) and there are also
techniques for splitting these entries out of the logs in a batch-like fashion.

Have a look at the list archives. I would direct you to the list FAQ, but ummm,
well, yeah :)

Cheers
James
_______________________________________________
macos-x-server mailing list | email@hidden
Help/Unsubscribe/Archives: http://www.lists.apple.com/mailman/listinfo/macos-x-server
Do not post admin requests to the list. They will be ignored.

References:
	>Viruses and apache (From: Dafydd Williams <email@hidden>)

Prev by Date: Re: setting host aliases (like /etc/hosts)?
Next by Date: Re: Viruses and apache
Previous by thread: Viruses and apache
Next by thread: Re: Viruses and apache
Index(es):
- Date
- Thread

Home