Log analyzer

Printable View

May 11th, 2009, 12:10 PM
demonize

Log analyzer

Hello,

I am looking for log analyzer that i can use to narrow down errors, sql injection and XSS(any from of attacks).

Thx in advance
May 11th, 2009, 02:40 PM
morganlefay

demonize....you will probably get way more responses if you give us more info....like where these logs are??

Operating system, router, etc

I know that somepeople have all logs copied to a specific machine to then analyze??

How big are these logs???

MLF
May 11th, 2009, 04:35 PM
demonize

the log file size is 22.9 mb
Part of the log:

Code:

+and+1=convert(nvarchar,CHAR(+127+))%2B(select+@@servername) +having+1=1-- id0=0%20/*!39999%20and%201=2*/--%20and%201=1 HTTP/1.1" 200 12371 "-" "pangolin/0.1" id0=0%20and%20(select%20length(database())%20%20)%3C=32%20and%201=1 HTTP/1.1" 200 id0=0%20and%20(select%20length(database())%20%20)%3E16%20and%201=1 HTTP/1.1" 200 id0=0%20and%20(select%20length(database())%20%20)%3E24%20and%201=1 HTTP/1.1" 200 id0=0%20and%20(select%20length(database())%20%20)%3E28%20and%201=1 HTTP/1.1" 200 id0=0%20and%20(select%20length(database())%20%20)%3E30%20and%201=1 HTTP/1.1" 200 id0=0%20and%20(select%20length(database())%20%20)%3E31%20and%201=1 HTTP/1.1" 200 id0=0%20and%20(select%20ascii(substr(database(),1,1))%20%20)%3C=256%20and%201=1 HTTP/1.1" id0=0%20and%20(select%20ascii(substr(database(),1,1))%20%20)%3E128%20and%201=1 HTTP/1.1" 200 id0=0%20and%20(select%20ascii(substr(database(),1,1))%20%20)%3E192%20and%201=1 HTTP/1.1" 200 id0=0%20and%20(select%20ascii(substr(database(),1,1))%20%20)%3E224%20and%201=1 HTTP/1.1" 200 id0=0%20and%20(select%20ascii(substr(database(),1,1))%20%20)%3E240%20and%201=1 HTTP/1.1" 200 id0=0%20and%20(select%20ascii(substr(database(),1,1))%20%20)%3E248%20and%201=1 HTTP/1.1" 200 id0=0%20and%20(select%20ascii(substr(database(),1,1))%20%20)%3E252%20and%201=1 HTTP/1.1" 200 id0=0%20and%20(select%20ascii(substr(database(),1,1))%20%20)%3E254%20and%201=1 HTTP/1.1" 200 id0=0%20and%20(select%20ascii(substr(database(),1,1))%20%20)%3E255%20and%201=1 HTTP/1.1" 200
May 11th, 2009, 06:10 PM
morganlefay

The tool you use will depend on the APPLICATION that is logging the events....

there are ISA, SQL, Exchange, Event, Syslog, IIS, log analyzers

using Google and being a little more specific will really help in your search.

Looks like a bot

http://www.google.com/search?q=pango...e=utf8&oe=utf8

MLF
May 11th, 2009, 07:22 PM
Cheap Scotch Ron

yup. looks like pangolin. sql injection bot. skiddie stuff
May 12th, 2009, 12:08 AM
t34b4g5

Quote:

Originally Posted by Cheap Scotch Ron

sql injection bot. skiddie stuff

It ain't a sql bot, it's a browser based bot

http://www.botsvsbrowsers.com/details/144772/index.html

Test drive it here:
http://www.botsvsbrowsers.com/Simula...ngolin%2F0%2E1

Check your directory's and make sure everything is how it is supposed to be, also re-check your chmod permission settings.
May 12th, 2009, 02:54 AM
Cheap Scotch Ron

Quote:

It ain't a sql bot, it's a browser based bot

WTF?

pangolin is a pen program u initiate from a GUI that runs a bunch of automated dynamic sql that attempt a sql injection hack on a variety of websites. You tell it which DBMS and point it to a bunch of websites and it attempts to compromise the dbms.

Early versions (as referenced above) also contained a backdoor that sent the logs home to China.

http://www.nosec.org/en/pangolin.html

if walks and smells like a duck, it's a duck.

Call it what you like. :flash:

Scotty, beam me up...
May 12th, 2009, 04:20 AM
t34b4g5

Correct..

Thanks for the correction CSR

The "tool" that i was thinking off is something completly different. (:brickwall )

also thanks for the little tidbit of info. :thumbsup:

Quote:

Originally Posted by Cheap Scotch Ron

if walks and smells like a duck, it's a duck.

Call it what you like. :flash:

Scotty, beam me up...

:2pick: