Re: [cobalt-security] Log info Question and Script for Code Red Logging



At 03:28 PM 8/4/01 -0400, Franklin S. Werren wrote:
>But my question is which or where is the logs for
>the Qube 3, Raq 3 and Raq 4 that I can use ?...
>
>And on my Qube 2 where is the daily log?...

On my RaQ3, today's log entries from after 4:02 AM are in
/home/log/httpd/access (/home/log/httpd is the real location of
/var/log/httpd).  Older log entries are in
"/home/sites/SITENAME/logs/web.log" and "web.log.1".  Perhaps others can
speak for the Qube and RaQ 4.

In case you care, log rotation is triggered by the cron daemon running
logrotate(8) daily (at 4:02 AM, says /etc/crontab).  /etc/logrotate.conf
includes the config files in /etc/logrotate.d, one of which is called
"apache".  The 'apache' config file runs an apparently-undocumented (!)
Perl script called /usr/local/sbin/split_logs.  If you were to read that
Perl script, you'd find it puts your older log entries in the files
specified above.

I wonder why Cobalt's engineers don't just specify different TransferLog
directives for each <VirtualHost>...

>I did include my script for usage by others...
>(This is for my Qube 2) just set the attribs to 755
>Call it  red.cgi or codered.cgi... It works for me!

Thanks for posting that script!  I'm sure many will find its results
interesting.  As matters of personal preference, I would've written the
initial print statements using a Here Document ("print <<EOF") to clean up
the syntax, assigned the backticks' output directly to an array ("@hits =
`cat...`") to save a split(), and indented the for loop for readability.
As I say, they're just preferences, and TMTOWTDI.

You can include both your current and old log files in the report by using
"cat logfile1 logfile2 |..."; it'll take more than one filename parameter.

(BTW, your message may have been more appropriate for the cobalt-developer
list than cobalt-security.)

>#!/usr/bin/perl
># Code Red probe report for a Qube 2 (install as a CGI, mode 755).
>use strict;
>use warnings;
>
># Change this line to the path of the right log file
>my $log = '/home/log/httpd/home-access';
>
># Read the log in Perl rather than shelling out to cat|grep, so the "?"
># in the worm's request is matched literally (it is escaped in the regex).
>open(my $fh, '<', $log) or die "Cannot open $log: $!";
>my @hits = grep { /default\.ida\?NNNN/ } <$fh>;
>close($fh);
>
>print "Content-type: text/html\n\n";
>print <<'EOF';
><HTML>
><HEAD>
><TITLE>Code Red Results</TITLE>
></HEAD>
><body>
><font face="verdana" size="3">
><pre>
>
>Analysing WebServer Logs ...
>
><br><p>
>EOF
>
>foreach my $hit (@hits) {
>    # First dotted quad on the line is the client address; the bracketed
>    # field is the Apache timestamp.
>    my ($ip)   = $hit =~ /(\d+\.\d+\.\d+\.\d+)/;
>    my ($time) = $hit =~ /\[([^\]]*)\]/;
>    print "Time of Attack $time          IP Address of Attacker $ip\n";
>}
>print "<br>\n";
>print "\nFound ", scalar(@hits), " probes from 'Code Red' worms !!\n\n";
>print "</pre>\n";
>print "</font>\n";
>print "</body>\n";
>print "</html>\n";


--------------------------------------------------------------------------
Ted Behling, Web Application Developer - Monarch Information Systems, Inc.

43 Folly Field Road, Unit 4, Hilton Head Island, SC 29928-5434
E-mail: mailto:TBehling@xxxxxxxxxxxxx
Phone/Fax: 1-800-842-7894    Local or Outside the USA: 1-843-842-7894
Cell Phone (urgent issues): 843-816-7895
Cell Phone E-mail: mailto:TedPhone@xxxxxxxxxxxxx (116 letter limit)
Web site: http://www.MonarchIS.net
--------------------------------------------------------------------------
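As an added example that is not part of Ted's or Franklin's posts: a small shell script that applies Ted's tip about feeding both the current log and the rotated copies to one pipeline ("cat logfile1 logfile2 | ..."), and counts the Code Red probes per source address instead of only listing them. The log lines, directory and addresses below are constructed samples; on a RaQ3 you would pass /home/log/httpd/access and /home/sites/SITENAME/logs/web.log.1 instead of the temporary files.

```shell
#!/bin/sh
# Added example, not from the original thread: count Code Red probes across
# the current access log and a rotated copy, the way Ted suggests with
# "cat logfile1 logfile2 | ...". The sample log lines are constructed
# (RFC 5737 test addresses, abbreviated request strings), not real captures.

LOGDIR=$(mktemp -d)
trap 'rm -rf "$LOGDIR"' EXIT

# Constructed stand-in for the current log (/home/log/httpd/access on a RaQ3).
cat > "$LOGDIR/access" <<'EOF'
192.0.2.10 - - [04/Aug/2001:10:15:32 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 282
198.51.100.7 - - [04/Aug/2001:10:20:01 -0400] "GET /index.html HTTP/1.0" 200 1032
203.0.113.5 - - [04/Aug/2001:11:02:44 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 282
192.0.2.10 - - [04/Aug/2001:12:41:09 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 282
EOF

# Constructed stand-in for a rotated log (web.log.1 under the site's logs dir).
cat > "$LOGDIR/web.log.1" <<'EOF'
192.0.2.10 - - [03/Aug/2001:23:58:12 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 282
198.51.100.7 - - [03/Aug/2001:23:59:30 -0400] "GET /robots.txt HTTP/1.0" 200 54
EOF

# The worm's request, matched with awk's index() as a fixed string so the
# "?" is never read as a regex quantifier (which is what "\?" means to GNU grep).
PROBE='default.ida?NNNN'

# Total probes across every log file named on the command line.
codered_total() {
    cat "$@" | awk -v p="$PROBE" 'index($0, p) { n++ } END { print n + 0 }'
}

# "count ip" per source address, busiest first, across all files given.
codered_by_ip() {
    cat "$@" | awk -v p="$PROBE" 'index($0, p) { hits[$1]++ }
        END { for (ip in hits) print hits[ip], ip }' | sort -rn
}

# Time and source of each probe, the same report the CGI script produces.
# In common log format $4 is "[day/mon/year:time" and $5 is "zone]".
codered_report() {
    cat "$@" | awk -v p="$PROBE" 'index($0, p) {
        t = $4; sub(/^\[/, "", t); z = $5; sub(/\]$/, "", z)
        print "Time of Attack " t " " z "  IP Address of Attacker " $1 }'
}

echo "Probes: $(codered_total "$LOGDIR/access" "$LOGDIR/web.log.1")"
codered_by_ip "$LOGDIR/access" "$LOGDIR/web.log.1"
codered_report "$LOGDIR/access" "$LOGDIR/web.log.1"
```

The per-address count is the number worth watching on a box that is still being hit: a source that probes repeatedly is an infected host that will keep coming back until its owner cleans it, and the list is what you would send to the owning network's abuse contact.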