# apache, code red, annoying logs

## war_pig

I just installed gentoo, and it's running great

ty gentoo dev people

and I just fired up apache and already my logs are filling up with cmd.exe crap

I know I'm not the only one who is extremely annoyed by this, and it makes it hard to make sense of your logs, for a n00b anyway

can someone show me a script or an iptables rule that will keep code red out of my logs

even some sort of perl script I could use to parse the logs and remove that crap

or awk or something, I'm just not skilled enough to write my own

 :Laughing: 

----------

## DarrenM

You can't block it like that afaik. I had a similar problem and found that 99% of the hits were coming from just a couple ip addresses so I just blocked those in iptables.

If you want to read your logs without all the code red messages just use grep to filter it.

----------

## klieber

You need to use mod_rewrite in order to block stuff like code red.  Not sure if that's compiled as part of the Gentoo version of Apache, however.

Search around on the net -- there are a few examples of how to use mod_rewrite to block out code red crap.

--kurt

----------

## war_pig

thanks for the tip klieber

this is what I found, for anybody else who's been wondering how to do it:

```apache
##############################################
##### Remove IIS worm From LOG ###############
##############################################
# Tag requests for the paths the IIS worms probe with the "nolog" variable
# (matching is case-insensitive, so the /msadc/ and /MSADC/ lines overlap).
SetEnvIfNoCase Request_URI "^/scripts/"    nolog
SetEnvIfNoCase Request_URI "^/msadc/"      nolog
SetEnvIfNoCase Request_URI "^/MSADC/"      nolog
SetEnvIfNoCase Request_URI "^/_vti_bin/"   nolog
SetEnvIfNoCase Request_URI "^/_mem_bin/"   nolog
SetEnvIfNoCase Request_URI "^/c/winnt/"    nolog
SetEnvIfNoCase Request_URI "^/d/winnt/"    nolog
SetEnvIfNoCase Request_URI "^/default.ida" nolog

# Answer those paths with 410 Gone instead of serving anything.
Redirect gone /scripts/
Redirect gone /msadc/
Redirect gone /MSADC/
Redirect gone /_vti_bin/
Redirect gone /_mem_bin/
Redirect gone /c/winnt/
Redirect gone /d/winnt/
Redirect gone /default.ida

# Write the access log only for requests that were NOT tagged "nolog".
CustomLog logs/access_log combined env=!nolog
```

I personally don't get it, but the default install has the mods loaded and apache restarted with no errors, so we'll see if this works

----------

## rl75

This may look strange...but it works assuming HostnameLookups is off in httpd.conf. Basically it takes the offending IP from the error_log and null routes it.  You could probably do more with it...like send it to an iptables rule too.  Check it out:

```sh
tail -f error_log | grep -i cmd.exe | awk '{print $8}' | awk -F] '{print $1}' | xargs -i route add {} 127.0.0.1 &
```

----------
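To check what the SetEnvIfNoCase / `env=!nolog` rules posted above would actually drop before relying on them, and to get the per-IP tally that decides whether a couple of iptables rules (as DarrenM suggests) are worth it, here is an added example script; it is not from the thread or from any of its posters. It reproduces the same URI prefixes as a case-insensitive grep over a combined-format access log, and it only reports the busiest source addresses rather than touching the routing table. The six log lines in `sample_log` are constructed for the demonstration (documentation IP ranges), and the function names are this example's own.

```shell
#!/bin/sh
# Added example: offline filter for the worm noise the thread's Apache rules suppress.
# Not part of the original thread; log lines below are constructed test data.

# Same request-path prefixes as the SetEnvIfNoCase rules, anchored right after the
# HTTP method so "/scripts.html" does NOT match while "/scripts/..." does.
WORM_URI_RE='"[A-Z]+ /(scripts/|msadc/|_vti_bin/|_mem_bin/|c/winnt/|d/winnt/|default\.ida)'

# Constructed sample access_log in Apache "combined" format.
sample_log() {
  cat <<'EOF'
192.0.2.10 - - [10/Aug/2001:12:00:01 -0700] "GET /default.ida?XXXX HTTP/1.0" 404 276 "-" "-"
198.51.100.7 - - [10/Aug/2001:12:00:02 -0700] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
192.0.2.10 - - [10/Aug/2001:12:00:03 -0700] "GET /scripts/cmd.exe HTTP/1.0" 404 276 "-" "-"
192.0.2.10 - - [10/Aug/2001:12:00:04 -0700] "GET /MSADC/cmd.exe HTTP/1.0" 404 276 "-" "-"
203.0.113.5 - - [10/Aug/2001:12:00:05 -0700] "GET /c/winnt/system32/cmd.exe HTTP/1.0" 404 276 "-" "-"
198.51.100.7 - - [10/Aug/2001:12:00:06 -0700] "GET /scripts.html HTTP/1.1" 200 512 "-" "Mozilla/4.0"
EOF
}

# Lines Apache would still write with env=!nolog (worm probes removed).
keep_legit() { grep -E -i -v "$WORM_URI_RE"; }

# Lines Apache would suppress (the "nolog" set), for review or counting.
only_worm() { grep -E -i "$WORM_URI_RE"; }

# Suppressed requests per client IP, busiest first, as "count ip".
# This is the list to look at before writing an iptables rule by hand.
worm_ip_tally() {
  only_worm | awk '{print $1}' | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Portable line counter (wc -l pads with spaces on some systems).
count_lines() { awk 'END { print NR }'; }

# Demo run against the constructed sample; replace sample_log with
# "cat /var/log/apache/access_log" to use it on a real log.
sample_log | keep_legit
sample_log | worm_ip_tally
```

Against the sample, `keep_legit` leaves the two real requests (including `/scripts.html`, which the trailing slash in the pattern protects), `only_worm` yields four probes, and the tally puts 192.0.2.10 on top with three of them, which is exactly the "a couple of IPs produce most of the hits" pattern DarrenM describes.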

## war_pig

thanks for all the responses

the apache modifications did the trick, once I realized the log had already been set at the top of the .conf

now, nice clean logs, for the first time since last summer   :Smile: 

----------

