August 16th, 2003, 09:57 AM
I'm attempting to write a script that will search my logfiles for exploit attempts. I know its not a great script... Does anybody have any suggestions on how I should go about it? My server is running linux with apache. Below I do a simple grep command and print the output to a browser. Is there a better command to use? How would you format it and print it out to a browser. Thanks for any suggestions.
$Exploit = " cmd.exe ";
$Exploit = " system32 ";
$Exploit = " scripts ";
$Exploit = " %2f ";
$Exploit = " %5c ";
$Exploit = " formmail.php ";
foreach ( $Exploit as $val )
system( "cd ../../../logs ; grep -n $val error_log ", $return );
August 16th, 2003, 10:09 PM
There is a program that already does this called logcheck:
Read article about it here.
Looks like Cisco aquired Psionic so I am not sure if this had any effect on the program or not...but you should be able to get it from them still (and they make other good products like Port Sentry).
There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.
(Merovingian - Matrix Reloaded)
August 18th, 2003, 03:58 AM
I've used Port Sentry for years and love it. Question, will portsentry detect a TCP DoS attack on port 80? Its great for port scans and IIS exploit scripts.
Back to my question....
LogCheck works on the same theory as my script does.
Grep -i -f $exploit list ; scans log files for exploits
Grep -v $false_positive ; removes false positives
Then mails the results to the admin.
LogCheck doesn't focus on PHP exploits, which is what I am concerned about. I need something that is more for apache log scanning then syslog. I was thinking about separating the exploit tests into different colors. Like IIS exploits could be green. That way when I get my results and everything would be color coordinated. I would know who is attacking my server, but I would also know what severity it is.