[geeklog-devel] New Santy worm and impact on Geeklog sites

Dirk Haun dirk at haun-online.de
Thu Dec 30 04:00:11 EST 2004

As Tom pointed out in this thread: <http://www.geeklog.net/forum/
viewtopic.php?showtopic=45173>, geeklog.net has been going slow for the
last few days.

A quick peek at the logfile seems to point at that new variant of the
Santy worm as the culprit. Yesterday's logfile has more than twice the
amount of requests than on a normal day.

If you can, do a "tail -f access_log" on your server, sit back and enjoy
the show. It's amazing.

Here's a tip from my web hoster's support forum:

RewriteEngine On 
RewriteCond %{QUERY_STRING} ^(.*)wget\%20 [OR] 
RewriteCond %{QUERY_STRING} ^(.*)echr(.*) [OR] 
RewriteCond %{QUERY_STRING} ^(.*)esystem(.*) [OR] 
RewriteCond %{QUERY_STRING} ^(.*)highlight=\%2527 [OR] 
RewriteCond %{HTTP_COOKIE}% s:(.*):\%22test1\%22\%3b 
RewriteRule ^.*$ [L,R=301]

I'm using that on geeklog.net now. We'll see if it helps ...

bye, Dirk


More information about the geeklog-devel mailing list