Re: forensic Apache log analysis

Georgios Magklaras <georgios@xxxxxxxxxxxxx> · Wed, 27 Jul 2011 11:33:31 +0200

On 07/27/2011 08:24 AM, ESGLinux wrote:

Hi All,

I have a problem with a RHEL server and I want to ask you for some advice.
I´m not a security expert so I don´t know which can be the best aproach to
solve my problem.

The problem is that I have several GigaBytes of Apache logs and I need to
look for attacks on it to check if the server has been compromised.

I can manually check some possible attack urls and looking for them on the
logs, but I´m sure there must be tools or technics to do these in the
correct way.

So, any idea that can help me?

Thank you very much in advance,

ESG

The tools the others suggested are fine, however, normally, the culprit 

with this approach is that you should not rely on the application logs 

(experience often shows that logs that stay on the suspected compromised 

system) might be tampered/compromised. This is contrary to the idea of 

forensics, where you should have at a minimum something off the client 

system to ensure some level of confidence in a post mortem examination.

In the future, please do take a look at LUARM: 

http://luarm.sourceforge.net/ .

Make sure you get the latest version of it from svn by doing a:

svn co https://luarm.svn.sourceforge.net/svnroot/luarm luarm

and then follow the README for setup instructions. A case where I used 

LUARM to detect a botnet compromised LAMP

is here:

http://epistolatory.blogspot.com/2011/02/catching-undesired-guest-in-penguin-tmp.html

Please do feel free to pass feedback.

GM

--
--
George Magklaras PhD
RHCE no: 805008309135525

Senior Systems Engineer/IT Manager
Biotek Center, University of Oslo
EMBnet TMPC Chair

http://folk.uio.no/georgios

Tel: +47 22840535

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list