Hi all,
has anyone already automated the scanning of Apache log files?
(Win32 in my case, but... ;-)
I'm looking for the best way to do it regularly (parse the logs and output to new ones?)
to "ban" clients connecting to my Apache box (under Win32) and trying to crack the IIS holes. Here's a copy of the logs:
(these HTTP requests disturb me and eat unnecessary bandwidth)
[Tue Mar 05 16:03:15 2002] [error] [client 80.26.17.128] File does not exist: e:/
[Tue Mar 05 16:03:20 2002] [error] [client 80.26.17.128] File does not exist: e:/
[Tue Mar 05 16:03:25 2002] [error] [client 80.26.17.128] File does not exist: e:/
[Tue Mar 05 16:03:30 2002] [error] [client 80.26.17.128] File does not exist: e:/
[Tue Mar 05 22:39:33 2002] [error] [client 80.26.17.128] File does not exist: e:/
[Tue Mar 05 22:39:40 2002] [error] [client 80.26.17.128] File does not exist: e:/
[Tue Mar 05 22:39:45 2002] [error] [client 80.26.17.128] File does not exist: e:/
[Tue Mar 05 22:39:49 2002] [error] [client 80.26.17.128] File does not exist: e:/
[Tue Mar 05 22:39:54 2002] [error] [client 80.26.17.128] File does not exist: e:/
In this case, I would like to regularly retrieve the IPs of those "villain" clients, then define a rule in my httpd.conf
to disallow those IPs from connecting to my box...
I'm thinking about awk to process it...
Any help/suggestions on this are welcome...
cheers
Bob
PS: I receive about 15 tries/attacks like that per day!!!
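
One way to do what the post asks with awk, as an added example that is not part of the original post: count "File does not exist" errors per client in an error log of the format quoted above and print a `Deny from` line for each client at or over a threshold. The function names, the threshold of 3 and the sample log are assumptions made for the illustration.

```shell
# Constructed sample in the error_log format quoted in the post
# (documentation-range addresses and placeholder paths, not real traffic).
sample_log() {
cat <<'EOF'
[Tue Mar 05 16:03:15 2002] [error] [client 192.0.2.10] File does not exist: e:/www/probe-a
[Tue Mar 05 16:03:20 2002] [error] [client 192.0.2.10] File does not exist: e:/www/probe-b
[Tue Mar 05 16:03:25 2002] [error] [client 192.0.2.10] File does not exist: e:/www/[client 203.0.113.5] x
[Tue Mar 05 17:10:02 2002] [error] [client 198.51.100.7] File does not exist: e:/www/favicon.ico
[Tue Mar 05 18:00:00 2002] [notice] caught SIGTERM, shutting down
[Tue Mar 05 18:20:41 2002] [error] [client 999.1.1.1] File does not exist: e:/www/probe-a
EOF
}

# deny_rules [THRESHOLD] < error_log
# Prints "Deny from <ip>" for each client with at least THRESHOLD misses.
deny_rules() {
    awk -v min="${1:-3}" '
    # Match by field position: the server writes fields 6-12, while the
    # path after them is client-chosen and may imitate "[client x.x.x.x]".
    $6 == "[error]" && $7 == "[client" &&
    ($9 " " $10 " " $11 " " $12) == "File does not exist:" {
        ip = $8
        sub(/\]$/, "", ip)
        # Accept only a dotted quad with octets 0-255, so no other text
        # from the log can end up in httpd.conf.
        if (split(ip, o, ".") != 4) next
        for (i = 1; i <= 4; i++)
            if (o[i] !~ /^[0-9]+$/ || length(o[i]) > 3 || o[i] + 0 > 255) next
        hits[ip]++
    }
    END {
        for (ip in hits)
            if (hits[ip] >= min) print "Deny from " ip
    }' | sort
}

sample_log | deny_rules 3   # one-off 404s stay below the threshold
```

`Deny from` is the host-based access directive of the Apache releases that write this log format; the generated lines belong inside a `<Directory>` or `<Location>` block that already has `Order allow,deny` and `Allow from all`. On Win32 this assumes a port of `sh` and `awk` is installed.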