I am in the process of reading the excellent article written by John Vranesevich (Hacker Profiler), and he mentions in one of the paragraphs to check the "Web page access logs". How would you check this? Do you need special apps? Thanks for the help.
October 17th, 2005, 07:11 PM
Are you asking how to check your own access logs or the access logs of a web site someone else owns, i.e. over the internet?
Not sure in what context you mean your question.
October 17th, 2005, 07:17 PM
It would also help to know what server OS and what web server. The default setups will provide a standard location for log files. However, some SAs change that so that logs can be harvested for centralized log analyzers.
October 17th, 2005, 07:47 PM
Thanks guys for replying so quickly. As my handle says, I am a complete Newbie on the subject (capital N).
This is the portion of the article I am talking about. I gather that it is to check your own website. About the server OS and web server, well, I don't have a concrete situation; I was just wondering what the tools are in general (I guess that there are many tools to use).
"Taking A Second Look (Webpage Access Logs And Hacker Behavior)
Once again I'm going to use the example of a "webpage hack". Simply because it's the easiest to visualize, it's something that I think most of our users will be familiar with, and it's an area where I'm less worried about "spilling the beans" (hey, I worked hard on this stuff, I deserve to keep secrets, haha).
Behavior, behavior, behavior. I can't say it enough, and I hope that this simple, common sense example, can show you why.
Let's say that www.AntiOnline.com was hacked (God forbid). All of the system logs were gone, and the webpage was changed with a message from some hacker telling what he really thinks of me (you can all envision what an ugly site that would be, haha). I can't come up with any "leads" using other methods, as the hacker has left no "virtual fingerprints" for me to find on my system, or the systems of any of my uplink providers. Or has he?
How many of you have had to investigate a webpage hack, for some reason or another? How many of you have noticed that many of the system logs, which would have given you valuable insights into the hacker's identity, have been deleted? Ok, now, how many of you still had the webpage access logs from that system? I bet almost all of the hands in the room just went up, huh? It's something almost EVERY EVERY EVERY EVERY hacker leaves behind. Why? What damage could it possibly do to them? Well, a lot more than they may think."
Thanks again for the help. I am just trying to learn more about security in general; I am not following a pattern, there are so many good articles and tutorials on AO that I take them one at a time.
October 17th, 2005, 09:48 PM
There should be more than just system logs and web page logs. You should also have firewall or sniffer (IDS) logs to help nail down the sequence of events.
Depending on your OS, you can set ACLs and processes to preserve system logs in the event that a defacement also attempts to delete the system logs. Of course, nothing is perfect.
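To show what "checking the web page access logs" looks like in practice, here is an added example (not from the article or from anyone in the thread): a Python script that parses a few constructed Common Log Format lines, the format Apache and most web servers write by default, and summarizes per-client behaviour (request counts, errors, and any write-type requests) so the sequence of events can be reconstructed even when the system logs are gone. The IPs, paths and timestamps in the sample are made up.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines in NCSA Common Log Format, standing in
# for what a web server would have written around a defacement. Not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [17/Oct/2005:19:02:11 -0400] "GET / HTTP/1.1" 200 5120
203.0.113.7 - - [17/Oct/2005:19:02:40 -0400] "GET /admin/ HTTP/1.1" 404 298
203.0.113.7 - - [17/Oct/2005:19:02:55 -0400] "GET /cgi-bin/ HTTP/1.1" 403 290
198.51.100.21 - - [17/Oct/2005:19:03:02 -0400] "GET /news.html HTTP/1.1" 200 2211
203.0.113.7 - - [17/Oct/2005:19:05:17 -0400] "PUT /index.html HTTP/1.1" 204 -
203.0.113.7 - - [17/Oct/2005:19:05:31 -0400] "GET /index.html HTTP/1.1" 200 640
198.51.100.21 - - [17/Oct/2005:19:06:10 -0400] "GET /index.html HTTP/1.1" 200 640
"""

# host ident authuser [date] "method path protocol" status bytes
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)

def parse_clf(text):
    """Parse CLF lines into dicts; malformed lines are skipped, not fatal."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["status"] = int(e["status"])
            entries.append(e)
    return entries

def leads(entries):
    """Per client IP: request count, 4xx/5xx count, first and last time seen,
    and every non-GET/HEAD request (a write to the site). Read in time order,
    this is the behaviour trail the article says a defacer leaves behind."""
    out = defaultdict(lambda: {"requests": 0, "errors": 0, "writes": [],
                               "first": None, "last": None})
    for e in entries:
        s = out[e["ip"]]
        s["requests"] += 1
        s["first"] = s["first"] or e["time"]
        s["last"] = e["time"]
        if e["status"] >= 400:
            s["errors"] += 1
        if e["method"] not in ("GET", "HEAD"):
            s["writes"].append((e["time"], e["method"], e["path"]))
    return dict(out)

if __name__ == "__main__":
    for ip, summary in leads(parse_clf(SAMPLE_LOG)).items():
        print(ip, summary)
```

Run it against the server's real access log by replacing SAMPLE_LOG with the file contents; clients with errors followed by writes are the ones to look at first, and their timestamps give the sequence of events rapier57 mentions.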
October 18th, 2005, 10:47 AM
Thanks rapier57. As you can see, this is all new to me, and the learning curve is just unbelievable. I start reading about one thing and that opens another 12 different topics; I am surrounded by printouts and my eyes are hurting like hell already. Having said that, I enjoy it very much. I also need to go back to basics. My OS is Windows XP (I know, not everybody is perfect...), but I need to look at the registry file structure and play around with the OS. I also have a Linux box running Mandrake, but again it is such a jump from Windows. I will get there eventually, in 2 or 3 lifetimes.
October 18th, 2005, 11:50 AM
Maybe you should look into basic security before trying to dive into forensics (questionable forensics docs at that).
October 18th, 2005, 12:05 PM
Hey Catch, thanks for the reply. By basic security do you mean virus protection, spyware, etc.? I had a look at it a little while ago and set up my PC with protection. Or is there something else I could start learning about? Thanks
October 18th, 2005, 12:20 PM
No... by basic security I mean understanding basic system architecture and access control models.
Viruses and spyware are too abstract... sadly, most people just skip all the core knowledge and this leaves them at a great disadvantage. In fact you will find that most people who have really studied computer security don't use things like virus or spyware protection software. (At least not on their own systems... at work, however, where package control is a little more difficult to maintain, they may be used selectively.)
Read it, google, and ask questions when you have them. Keep asking questions until you can read the whole thing from start to finish and you understand it all. Then you'll be able to ask more intelligent questions about what direction you wish to take.
October 18th, 2005, 02:46 PM
Nice one Catch, I will be back with another zillion questions probably, thanks for the link and help.