Tuesday, April 25, 2006

Web Server Log Analysis

Tracking down malicious activity in web server log files is fairly easy, provided you have configured your web server correctly: that is, configured it to audit web server traffic such as the client IP address, date, kind of HTTP request and which page the server served. If you have any experience setting up an Apache server, you should have seen the corresponding logs under your /var directory. The log directory differs between operating systems and distributions, of course.

What to look for?

Examples of suspicious entries to look for:

' Single ticks (quotes) are used in SQL injection attacks.
../ Directory traversal, in different encodings.
..
/etc/passwd
/etc/shadow are nothing you want to see served with a 200 status. 200 means a successful GET request.

All kinds of shell paths.

/bin/ksh
/bin/bash
/bin/id
/bin/cat

On Windows

msadc/.%c0%af
scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir
cmd.exe
net.exe
netstat.exe

| pipes, semicolons and redirects
<
;

ASCII control characters

%00
%0d
%7f
%ff

Lots of 404 or 500 responses from your web server might indicate a vulnerability scan of your server.

Buffer overflow attempts and anti-IDS methods: repeated characters, e.g.
CCC...CCCCC

From here you can use grep, Perl, Python or shell scripts to process the information in your logs.
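As an added example (not code from the original post), here is a small Python script that does that processing over Apache common/combined log lines. It parses each line, URL-decodes the request path twice so that double-encoded sequences such as %255c are visible, checks the path against the indicators listed above (single ticks, ../ traversal, /etc/passwd and /etc/shadow, shell paths, cmd.exe and friends, pipes and semicolons, %00-style control characters, long runs of a repeated character), and counts 404/500 responses per client IP to flag probable scanners. The log lines, IP addresses, indicator names and the error threshold are all constructed for the example.

```python
"""Scan Apache access-log lines for the indicators listed in the post (example code)."""
import re
from collections import Counter
from urllib.parse import unquote

# Leading fields of the Apache common/combined log format; re.match only needs the prefix.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Indicators applied to the URL-decoded request path (indicator names are our own).
INDICATORS = [
    ("sql_quote",       re.compile(r"'")),                       # single tick
    ("dir_traversal",   re.compile(r"\.\./|\.\.\\")),            # ../ or ..\
    ("sensitive_file",  re.compile(r"/etc/(passwd|shadow)")),
    ("unix_shell_path", re.compile(r"/bin/(ksh|bash|sh|id|cat)\b")),
    ("windows_exec",    re.compile(r"(cmd|net|netstat)\.exe", re.I)),
    ("shell_metachar",  re.compile(r"[|;<]")),                   # pipes, semicolons, redirects
    ("repeated_chars",  re.compile(r"(.)\1{31,}")),              # 32+ identical chars in a row
]
# These two are matched on the raw, still-encoded path.
CONTROL_RE = re.compile(r"%(00|0d|7f|ff)", re.I)   # control / high-bit bytes from the post
OVERLONG_RE = re.compile(r"%c0%af", re.I)          # overlong UTF-8 encoding of '/'


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not in Apache format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify_request(raw_path):
    """Return the indicator names that fire for one request path (empty list if clean)."""
    hits = []
    if CONTROL_RE.search(raw_path):
        hits.append("control_char")
    if OVERLONG_RE.search(raw_path):
        hits.append("overlong_utf8_slash")
    # Two decode passes: %255c -> %5c -> backslash. unquote() replaces invalid UTF-8.
    decoded = unquote(unquote(raw_path))
    for name, pattern in INDICATORS:
        if pattern.search(decoded):
            hits.append(name)
    return hits


def analyze(lines, error_threshold=3):
    """Return (findings, scanner_ips).

    findings: one dict per request that matched at least one indicator.
    scanner_ips: IPs with at least error_threshold 404/500 responses (constructed threshold).
    """
    findings = []
    errors_by_ip = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        status = int(rec["status"])
        if status in (404, 500):
            errors_by_ip[rec["ip"]] += 1
        hits = classify_request(rec["path"])
        if hits:
            findings.append({"ip": rec["ip"], "path": rec["path"],
                             "status": status, "indicators": hits})
    scanner_ips = {ip for ip, n in errors_by_ip.items() if n >= error_threshold}
    return findings, scanner_ips


# Constructed sample log lines (documentation IP range, invented timestamps).
SAMPLE_LINES = [
    '203.0.113.5 - - [25/Apr/2006:10:00:01 +0200] "GET /index.html HTTP/1.1" 200 1043',
    '203.0.113.7 - - [25/Apr/2006:10:00:05 +0200] "GET /login.php?user=admin\'-- HTTP/1.1" 200 512',
    '203.0.113.7 - - [25/Apr/2006:10:00:06 +0200] "GET /cgi-bin/view?file=../../../../etc/passwd HTTP/1.1" 200 2048',
    '203.0.113.9 - - [25/Apr/2006:10:00:09 +0200] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231',
    '203.0.113.9 - - [25/Apr/2006:10:00:10 +0200] "GET /msadc/.%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231',
    '203.0.113.9 - - [25/Apr/2006:10:00:11 +0200] "GET /old_page.html HTTP/1.0" 404 231',
    '203.0.113.9 - - [25/Apr/2006:10:00:12 +0200] "GET /search?q=%00 HTTP/1.0" 500 0',
    '203.0.113.11 - - [25/Apr/2006:10:00:20 +0200] "GET /index.html?x=' + "C" * 40 + ' HTTP/1.1" 200 1043',
]

if __name__ == "__main__":
    found, scanners = analyze(SAMPLE_LINES)
    for f in found:
        print(f'{f["ip"]} {f["status"]} {",".join(f["indicators"])} {f["path"]}')
    print("probable scanners:", sorted(scanners))
```

For a real log, replace SAMPLE_LINES with the lines of your access log (for example `open("/var/log/apache2/access.log")`), and tune `error_threshold` to your traffic; a handful of 404s is normal, a burst from one IP is not. The decoded path is what matters for pattern matching, while %00 and %c0%af are checked on the raw path because decoding hides them.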

1 comment:

Ian- said...

A good free Apache server log analysis tool is Apache Logs Viewer http://www.apacheviewer.com

You can filter by IP or status code and also generate some pretty good reports (bar/pie charts). You can also compute some interesting statistics.