jedaffra
August 6th, 2003, 13:44
Hey guys,

The pixel jockey is back.

I'd like some help understanding apache log files, specifically:

- do I have to tell apache to start logging site visitors or is a log file automatically started when apache starts. If I have to tell apache to start logging, how do I do that?

- where is the log file usually found (I'm running OS X 10.1.5)

- I'd like to create a .gz file out of the sucker so's I can analyze it. How can I do that?

I've been to apache.org (http://httpd.apache.org/docs/logs.html) and read the page on log files but it wasn't the information I'm looking for (at least, I didn't think it was)...

TIA

frisco
August 6th, 2003, 14:18
- do I have to tell apache to start logging site visitors or is a log file automatically started when apache starts. If I have to tell apache to start logging, how do I do that?


This should already be set up in your httpd.conf - the apache configuration file. Look for lines with the word "Log" in them. As long as it is set up in httpd.conf, it will start logging when you start apache.


- where is the log file usually found (I'm running OS X 10.1.5)

Looks like it's in /private/var/log/httpd/access_log, but httpd.conf will tell you for sure.

When I forget or am on a new system, I run 'locate access_log' to find the location.


- I'd like to create a .gz file out of the sucker so's I can analyze it. How can I do that?


Some OSes provide custom log rotation scripts. Apache comes with rotatelogs(8). You could write your own as well.

jedaffra
August 6th, 2003, 15:15
Appreciate your help frisco!

jedaffra
August 6th, 2003, 15:29
Ok, so after locating access_log and thumbing through it, I come across a few entries that look like this:

142.227.38.225 - - [24/May/2003:17:10:59 -0300] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 1772

Anybody have any idea what sort of entry this is? Am I seeing some sort of buffer overflow attempt here?

Thanks again,

bsdjunkie
August 6th, 2003, 15:41
Attack against IIS web server.. Most likely Code Red still floating around. Get used to seeing them and like 100 other types of attacks :roll:

frisco
August 6th, 2003, 15:49
My co-worker uses OSX, and has started using geektool (http://projects.tynsoe.org/en/geektool/) to monitor apache and other logs.

v902
August 6th, 2003, 16:04
http://www.macosxhints.com/article.php?story=20030317133345352

NIMDA, code red, etc. worm hits based on exploiting IIS hits are sadly common, but they can be filtered out.... I have actually gotten phf hits too.... 50 year old exploit scans :)

example:
http://staff.washington.edu/~dittrich/talks/web-security/phf.html

jedaffra
August 6th, 2003, 16:09
Cool,

thanks for the tips junkie et frisco :) Not to drag this out, but there was one other entry of note:

194.244.25.153 - - [16/Oct/2002:20:43:31 -0300] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 -

Appears as if someone was looking to find some Winnt component or hack?

bsdjunkie
August 6th, 2003, 16:13
Not 5 minutes after responding I got 4 hits of the .ida here at work... Here's a good explanation from Cisco IDS

Description: Microsoft Internet Information Server 5.0 (IIS) includes support for Microsoft's Indexing Service using an ISAPI extension, which handles user requests. A vulnerability was discovered in the implementation of the indexing service which is default on all IIS 5.0 installations.

Due to an unchecked buffer in the ISAPI extension, a maliciously crafted HTTP .ida? request will allow execution of arbitrary code.

This buffer overflow also affects Microsoft IIS 4.0 servers that have the Indexing Service installed. The Indexing Service is commonly installed as part of Option Pack 4 for Windows NT 4.0.

A worm called "Code Red" that exploits this vulnerability is in the wild and has reportedly infected thousands of IIS servers.
Consequence(s): If the buffer overflow were successfully executed the attacker would gain SYSTEM access on the host system. As a result, the attacker could gain remote administrative access.
If the attack was unsuccessful, the server may still suffer a denial of service when the overflow causes CPU utilization to go to 100%.

194.244.25.153 - - [16/Oct/2002:20:43:31 -0300] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 -


This is an IIS Decode attack and you will be seeing 100's of variants of these attacks as well.

frisco
August 6th, 2003, 16:31
"195.199.186.29 server.muveszeti-debrecen.sulinet.hu" - - [06/Aug/2003:15:14:56 -0400] www.blackant.net "GET /scripts/nsiislog.dll" 404 1600 6 "-" "-"

I'm thinking of redirecting all *.dll requests to www.microsoft.com.

v902
August 6th, 2003, 16:35
nah, I'd redirect it to localhost and use an IIS exploit against them... ie:

/scripts/..%255c%255c../winnt/system32/cmd.exe?/c+deltree+C:\*.* (not sure if the + in deltree and C:\ is the right thing but it's an example...) :twisted: :twisted: The redirecting to microsoft might be a bad idea anyways... But I gotta try to implement that self attack :twisted:

jedaffra
August 6th, 2003, 16:46
http://www.macosxhints.com/article.php?story=20030317133345352


Nice link vlad. And thanks junkie for the .ida explanation.

The article mentions the possibility of blocking these scans at the firewall level. Any way to do that with OpenBSD?

bsdjunkie
August 6th, 2003, 17:09
Any way to do that with OpenBSD?

Of course there is =) With tables and dynamic blocking in pf it would be fairly easy.

Here's a good link explaining how Daniel did it with web bots

http://marc.theaimsgroup.com/?l=openbsd-pf&m=104540589312892&w=2

pick-master
August 6th, 2003, 17:19
To eliminate all those attacks you can use these or a similar combination:

SetEnvIf Request_URI "^/default.ida" attacks
SetEnvIf Request_URI "^/scripts" attacks
SetEnvIf Request_URI "^/c/winnt" attacks
SetEnvIf Request_URI "^/_mem_bin" attacks
SetEnvIf Request_URI "^/_vti_bin" attacks
SetEnvIf Request_URI "^/MSADC" attacks
SetEnvIf Request_URI "^/msadc" attacks
SetEnvIf Request_URI "^/d/winnt" attacks

CustomLog /var/www/logs/access_log combined-gzip env=!attacks
CustomLog /var/www/logs/attack_log combined-gzip env=attacks

For log processing go to http://awstats.sourceforge.net/

and it will allow you to compile statistics on the fly without stopping the server or rotating your logs.

jedaffra
August 6th, 2003, 20:41
SetEnvIf Request_URI "^/default.ida" attacks
SetEnvIf Request_URI "^/scripts" attacks
SetEnvIf Request_URI "^/c/winnt" attacks
SetEnvIf Request_URI "^/_mem_bin" attacks
SetEnvIf Request_URI "^/_vti_bin" attacks
SetEnvIf Request_URI "^/MSADC" attacks
SetEnvIf Request_URI "^/msadc" attacks
SetEnvIf Request_URI "^/d/winnt" attacks

Thanks Pick-Masta - but I have to ask, are these lines supposed to go in pf.conf? or httpd.conf? And what is actually happening here? :?

Same questions for these lines

CustomLog /var/www/logs/access_log combined-gzip env=!attacks
CustomLog /var/www/logs/attack_log combined-gzip env=attacks

v902
August 6th, 2003, 20:44
httpd.conf, and it uses SetEnvIf to see if the Requested URL is /default.ida or any of those things, and if so it is stored in the array (?) attacks for future use...


Then it uses CustomLog to make 2 custom logs for you in /var/www/logs, it says env=!attacks so that you don't see objects in the attacks array, then it puts all hits except hits that are in attacks in access_log, and then puts all objects IN the attacks array in attack_log
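
The split that the SetEnvIf/CustomLog pair performs inside Apache, done offline over a saved access_log instead. This is an added example and not code from the thread or from Apache; it reuses pick-master's Request_URI regexes as Python regexes, parses common/combined format lines, and sorts them into "access" and "attack" sets. The sample log is constructed from the two entries jedaffra posted (the Code Red request is abbreviated) plus two made-up normal hits. It also shows why the ..%255c entries are a "decode" attack: one round of URL decoding only turns %255c into %5c, and the backslash traversal appears only after a second round.

```python
"""Sort an Apache access log into normal and attack records the way the
thread's SetEnvIf/CustomLog rules do, and double-decode IIS-style URIs.
Added example; sample log lines are constructed (see SAMPLE_LOG)."""
import re
from urllib.parse import unquote

# Common Log Format, plus the optional referer/user-agent fields of "combined".
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)

# The same regexes pick-master gives to "SetEnvIf Request_URI ... attacks".
# The unescaped "." in "^/default.ida" matches any character; harmless here.
ATTACK_RULES = [re.compile(p) for p in (
    r"^/default.ida", r"^/scripts", r"^/c/winnt", r"^/_mem_bin",
    r"^/_vti_bin", r"^/MSADC", r"^/msadc", r"^/d/winnt",
)]

# Constructed sample: two entries from the thread (Code Red line shortened)
# and two made-up ordinary requests from documentation addresses.
SAMPLE_LOG = """\
142.227.38.225 - - [24/May/2003:17:10:59 -0300] "GET /default.ida?XXXXXXXX%u9090%u6858%ucbd3%u7801%u00=a HTTP/1.0" 404 1772
194.244.25.153 - - [16/Oct/2002:20:43:31 -0300] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 -
192.0.2.10 - - [06/Aug/2003:15:20:00 -0400] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
192.0.2.11 - - [06/Aug/2003:15:21:00 -0400] "GET /images/logo.gif HTTP/1.1" 200 512 "http://www.example.com/" "Mozilla/4.0"
"""


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = rec["request"].split()          # "METHOD URI [PROTOCOL]"
    rec["method"] = parts[0] if parts else ""
    rec["uri"] = parts[1] if len(parts) > 1 else ""
    rec["protocol"] = parts[2] if len(parts) > 2 else ""
    return rec


def matched_rule(uri):
    """Pattern string of the first SetEnvIf rule the URI matches, else None."""
    for rule in ATTACK_RULES:
        if rule.search(uri):
            return rule.pattern
    return None


def decode_uri(uri, passes=2):
    """Apply URL decoding the given number of times ("%255c" -> "%5c" -> "\\")."""
    for _ in range(passes):
        uri = unquote(uri)
    return uri


def looks_like_traversal(uri):
    """True if the fully (twice) decoded URI contains a "..\\" or "../" step.
    A filter that decodes only once still sees "%5c", not a backslash."""
    decoded = decode_uri(uri, passes=2)
    return "..\\" in decoded or "../" in decoded


def split_log(text):
    """Return (access, attack) record lists, like the two CustomLog lines."""
    access, attack = [], []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue                        # malformed line; a real tool would report it
        rule = matched_rule(rec["uri"])
        if rule is None and looks_like_traversal(rec["uri"]):
            rule = "decoded-traversal"      # caught by decoding, not by a prefix rule
        if rule:
            rec["rule"] = rule
            attack.append(rec)
        else:
            access.append(rec)
    return access, attack


def tally(attack):
    """Count attack records per matching rule."""
    counts = {}
    for rec in attack:
        counts[rec["rule"]] = counts.get(rec["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    normal, bad = split_log(SAMPLE_LOG)
    print(f"{len(normal)} normal, {len(bad)} attack records")
    for rec in bad:
        print(f"  {rec['host']:16} {rec['status']} {rec['rule']:15} {rec['uri'][:60]}")
    print("per rule:", tally(bad))
```

Run it against a real access_log by replacing SAMPLE_LOG with the file contents; any line that fails to parse is skipped rather than counted, so a mismatch between the expected totals and `wc -l` points at lines in a different LogFormat.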

jedaffra
August 6th, 2003, 20:48
it says env=!attacks so that you don't see IIS scans and other attacks in access log but instead puts attack in attack_log....

Awesome vlad, tnx for the exp :)

pick-master
August 7th, 2003, 13:01
Everything goes into httpd.conf; combined-gzip is in fact your combined log.

SetEnvIf Request_URI "^/default.ida" attacks
SetEnvIf Request_URI "^/scripts" attacks
SetEnvIf Request_URI "^/c/winnt" attacks
SetEnvIf Request_URI "^/_mem_bin" attacks
SetEnvIf Request_URI "^/_vti_bin" attacks
SetEnvIf Request_URI "^/MSADC" attacks
SetEnvIf Request_URI "^/msadc" attacks
SetEnvIf Request_URI "^/d/winnt" attacks

Thanks Pick-Masta - but I have to ask, are these lines supposed to go in pf.conf? or httpd.conf? And what is actually happening here? :?

Same questions for these lines

And these also in httpd.conf,

CustomLog /var/www/logs/access_log combined-gzip env=!attacks
CustomLog /var/www/logs/attack_log combined-gzip env=attacks