Gossamer Forum

Linux RedHat: Nimda virus & nsiislog.dll

Hello all,

I've noticed a bunch of entries in the access logs of one of the websites that I maintain:

Code:
213.39.18.130 - - [20/Sep/2003:00:15:32 -0400] "GET /scripts/nsiislog.dll" 404 7958 "-" "-"
209.42.72.248 - - [20/Sep/2003:07:25:29 -0400] "GET /scripts/nsiislog.dll" 404 7958 "-" "-"
217.58.109.249 - - [20/Sep/2003:17:38:09 -0400] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 7958 "-" "-"
12.149.96.228 - - [20/Sep/2003:23:02:53 -0400] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 7958 "-" "-"
207.17.189.23 - - [21/Sep/2003:07:22:22 -0400] "GET /scripts/nsiislog.dll" 404 7958 "-" "-"
210.180.96.11 - - [21/Sep/2003:12:47:43 -0400] "GET /scripts/nsiislog.dll HTTP/1.0" 404 7958 "-" "-"

I know that the cmd.exe entry is Nimda-related and that both of these, cmd.exe and nsiislog.dll, only adversely affect IIS web servers.

I am a bit concerned to see these entries, though. Is there any need for concern, since the website is hosted on a Linux RedHat server?
========================================
Buh Bye!

Cheers,
Me

Last edited by Stealth: Sep 21, 2003, 9:27 PM
Re: [Stealth] Linux RedHat: Nimda virus & nsiislog.dll
Nope, just ignore them.

Adrian
Re: [brewt] Linux RedHat: Nimda virus & nsiislog.dll
Thanks, Adrian, for the confirmation.

My hosting company essentially said the same thing, although it is annoying seeing all those entries.
Re: [Stealth] Linux RedHat: Nimda virus & nsiislog.dll
When I was hosted on ImageLinkUSA.net, my whole error log was made up of these. Ended up moving hosts, just 'cos the error logs also took up my disk space, and I kept getting 'no space' errors! Totalled about 500Mb in logs if I recall correctly.

Cheers

Andy (mod)
andy@ultranerds.co.uk
Re: [Stealth] Linux RedHat: Nimda virus & nsiislog.dll
If you really don't want those entries to be in your regular domain's log and you're using name-based virtual hosting with Apache, you can do something to separate them into another log. The thing with these IIS exploits is that they don't use a hostname when they connect, so if you have direct control over your Apache conf, you can create a dummy domain that will be shown when your server is accessed by IP.

Before all your other name-based virtual domains are defined, have something like:
Code:
<VirtualHost *>
ServerName null.domain.com
ServerAdmin webmaster@null.domain.com
DocumentRoot /home/httpd/null.domain.com
ErrorLog logs/null.domain.com-error_log
CustomLog logs/null.domain.com-access_log combined
</VirtualHost>
To be 'safe', you can also redirect '/' to your most-used domain.

Of course this doesn't work if you're using IP-based virtual hosts.

Adrian
Re: [brewt] Linux RedHat: Nimda virus & nsiislog.dll
Another way, if they don't pass in a Host header, is to replace your CustomLog directive with:

SetEnvIf Host . hashost
CustomLog /path/to/your/logfile combined env=hashost

This will only log requests that have a Host header. If you still want the other logs, only separated, you could do:

SetEnvIf Host . hashost
CustomLog /path/to/your/logfile combined env=hashost
CustomLog /path/to/your/nohostheaderlog combined env=!hashost

Cheers,

Alex
--
Gossamer Threads Inc.
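The log entries from the first post, run through a small classifier. This is an added example written for this thread, not code from any of the posters or from Gossamer Threads: it parses Apache's combined format, double-decodes the path so the ..\..\ traversal in the cmd.exe lines shows up, flags the IIS-only targets, and counts the HTTP/0.9-style request lines (no "HTTP/x.y" on the request line, hence no headers and no Host), which are exactly the ones the env=!hashost CustomLog above would divert. The 10.0.0.1 line is constructed so there is one ordinary request to keep.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample: the six lines from the first post plus one ordinary request (10.0.0.1).
SAMPLE_LOG = """\
213.39.18.130 - - [20/Sep/2003:00:15:32 -0400] "GET /scripts/nsiislog.dll" 404 7958 "-" "-"
209.42.72.248 - - [20/Sep/2003:07:25:29 -0400] "GET /scripts/nsiislog.dll" 404 7958 "-" "-"
217.58.109.249 - - [20/Sep/2003:17:38:09 -0400] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 7958 "-" "-"
12.149.96.228 - - [20/Sep/2003:23:02:53 -0400] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 7958 "-" "-"
207.17.189.23 - - [21/Sep/2003:07:22:22 -0400] "GET /scripts/nsiislog.dll" 404 7958 "-" "-"
210.180.96.11 - - [21/Sep/2003:12:47:43 -0400] "GET /scripts/nsiislog.dll HTTP/1.0" 404 7958 "-" "-"
10.0.0.1 - - [21/Sep/2003:13:00:00 -0400] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
"""

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-)')
# Targets that only exist on IIS/Windows; a 404 from Apache means the probe found nothing.
IIS_PROBE_RE = re.compile(r'nsiislog\.dll|cmd\.exe|root\.exe|/winnt/system32/', re.I)

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = m.group("req").split()
    path = parts[1] if len(parts) > 1 else ""
    # No "HTTP/x.y" on the request line means an HTTP/0.9-style request: no headers, so no Host.
    proto = parts[2] if len(parts) > 2 else "HTTP/0.9"
    # Decode twice: %255c -> %5c -> "\", which exposes the ..\..\ traversal in the cmd.exe lines.
    decoded = unquote(unquote(path))
    return {"ip": m.group("ip"), "path": path, "decoded": decoded, "proto": proto,
            "status": int(m.group("status")), "bytes": int(m.group("bytes").replace("-", "0"))}

def is_iis_probe(rec):
    # IIS-only target, or a backslash traversal once the double encoding is undone
    return bool(IIS_PROBE_RE.search(rec["decoded"])) or "..\\" in rec["decoded"]

def summarize(log_text):
    recs = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    probes = [r for r in recs if is_iis_probe(r)]
    return {
        "total": len(recs),
        "probes": len(probes),
        "probe_ips": Counter(r["ip"] for r in probes),
        # 0.9-style probes are exactly the ones a CustomLog ... env=!hashost line would divert
        "hostless_probes": sum(1 for r in probes if r["proto"] == "HTTP/0.9"),
        "probe_bytes": sum(r["bytes"] for r in probes),
        # Any probe that did NOT get a 404 is the one worth a closer look: something answered it
        "probes_not_404": [r["path"] for r in probes if r["status"] != 404],
    }
```

On the sample above every probe is a 404, so probes_not_404 comes back empty; that empty list is the real answer to the question in the first post.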