Blocking the Idiot’s Machines

Finally got sick and tired of getting “oversized record” messages from Webalizer each morning from it trying to process Apache logs with lines 3000+ characters long, mostly consisting of “\x0\x0” characters… obviously automated zombies trying to exploit IIS vulnerabilities. Learned a bare minimum of iptables to put in a bunch of block rules, and it seems to work. Eventually I’ll have it do more interesting and complex things, but this should work for now. If you suddenly can’t get to this site, let me know. If you want to let the owners of any of the following IP addresses know that they’re infested and/or hax0rs, feel free to read more…

  1. IIRC the changelog entry for the last debian upload of webalizer mentions a patch that fixes this problem.

  2. My hourly webalizer cronjob has been doing that for years, but I’ve been redirecting its bitching to /dev/null 🙂
    Is there a nice way of sanitizing the log file? I guess a bunch of grep -v’s will do it.

  3. naked apache # grep -vF '\x0' arcterex-access.log >
    naked apache # mv
    naked apache # /etc/init.d/apache stop
    * Stopping apache…
    naked apache # mv arcterex-access.log
    naked apache # /etc/init.d/apache start
    * Starting apache…
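An added example, not code from the post or from any of the commenters, that does both jobs discussed above in one pass: it drops the oversized or NUL-escaped records before Webalizer ever sees them, and it counts the client addresses behind those records so the iptables DROP rules come from evidence in the log rather than being typed in by hand. The sample log lines, the 2048-character threshold and the two-hit minimum are constructed assumptions.

```python
import re
from collections import Counter

# Apache common log format; the first field is the client address.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)')

# Assumed threshold: Webalizer rejected records of 3000+ characters.
MAX_LEN = 2048

# Constructed sample log (not from the original post). Apache writes
# unprintable request bytes as \xHH escapes, so NUL bytes appear as "\x00".
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Mar/2004:06:12:01 -0800] "GET /index.html HTTP/1.0" 200 1234',
    '198.51.100.7 - - [10/Mar/2004:06:12:05 -0800] "GET /' + 'N' * 3000 + ' HTTP/1.0" 404 -',
    '203.0.113.9 - - [10/Mar/2004:06:13:40 -0800] "GET /about.html HTTP/1.0" 200 532',
    '198.51.100.7 - - [10/Mar/2004:06:14:11 -0800] "GET /' + '\\x00' * 8 + ' HTTP/1.0" 400 -',
]

def is_junk(line, max_len=MAX_LEN):
    """True for a record Webalizer would reject or that carries escaped NULs."""
    return len(line) > max_len or '\\x00' in line

def split_log(lines, max_len=MAX_LEN):
    """Return (clean_lines, Counter of client IPs that sent junk records)."""
    clean, offenders = [], Counter()
    for line in lines:
        if not is_junk(line, max_len):
            clean.append(line)
            continue
        m = LOG_RE.match(line)
        offenders[m.group('ip') if m else '<unparsed>'] += 1
    return clean, offenders

def iptables_rules(offenders, min_hits=2):
    """Emit (do not run) DROP rules for addresses seen at least min_hits times."""
    return [f'iptables -A INPUT -s {ip} -j DROP'
            for ip, hits in sorted(offenders.items()) if hits >= min_hits]

if __name__ == '__main__':
    clean, offenders = split_log(SAMPLE_LOG)
    print(f'{len(clean)} clean records, {sum(offenders.values())} dropped')
    print('\n'.join(iptables_rules(offenders)))
```

Feed the clean list to Webalizer and review the emitted rules before applying them, since a single malformed request from a legitimate proxy should not earn a permanent block.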