[Wylug-help] logwatch
Lee Evans
lee at leeevans.org
Tue Jun 29 08:02:03 UTC 2010
Hi Roger
You may find that no 'site' was tested at all - most of the bots out there
run directly against IP addresses rather than hostnames (thus eliminating
overhead/failure due to DNS resolution).

However, assuming that you've got all your sites / virtualhosts logging to
different log files, it should be a relatively simple, if rudimentary, task to
run a "grep -rl environ *" for example to see which log file contains the
string you're looking for.
Hope that helps
Lee
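The "grep -rl" approach above, carried one step further, as an added example that is not part of the list thread and not code from either poster: it assumes one Apache combined-format access log per virtualhost named <vhost>-access.log under a log directory (adjust the glob to your own layout), lists which vhost logs contain the probe string, and then prints the vhost, client IP and HTTP status for each hit so you can see which site was probed and whether the server answered 200. The log file names, IPs and lines are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the list thread: given a directory holding one
# Apache access log per virtualhost, report which vhost log(s) contain a probe
# string and which client IPs sent it. Log names and lines are constructed.
#
# Assumed layout (adjust to your own): $LOGDIR/<vhost>-access.log, combined format.

# Build a constructed set of per-vhost logs in a temporary directory and print
# the directory name. IPs are documentation ranges; dates are made up.
make_sample_logs() {
    dir=$(mktemp -d)
    printf '%s\n' \
        '203.0.113.5 - - [28/Jun/2010:22:10:01 +0100] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"' \
        '198.51.100.7 - - [28/Jun/2010:22:41:17 +0100] "GET //?page=../../../../proc/self/environ%00 HTTP/1.0" 200 1834 "-" "libwww-perl/5.8"' \
        > "$dir/www.example.org-access.log"
    printf '%s\n' \
        '203.0.113.9 - - [28/Jun/2010:23:02:44 +0100] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"' \
        > "$dir/blog.example.org-access.log"
    printf '%s\n' \
        '198.51.100.7 - - [28/Jun/2010:22:42:03 +0100] "GET //?page=../../../../proc/self/environ HTTP/1.0" 200 1834 "-" "libwww-perl/5.8"' \
        > "$dir/shop.example.org-access.log"
    printf '%s\n' "$dir"
}

# The "grep -rl" step from the reply: list the log files under $1 that contain
# the fixed string $2 (-F so the traversal pattern is matched literally, not as
# a regex). Prints one file basename per line, sorted.
probed_logs() {
    grep -rlF -- "$2" "$1" | xargs -n1 basename | sort
}

# One step further: for every matching line print "<vhost> <client-ip> <status>"
# so you can see which site was hit, from where, and whether it answered 200.
# The status is the three-digit field right after the closing quote of the request.
probe_hits() {
    for f in "$1"/*-access.log; do
        [ -f "$f" ] || continue
        vhost=$(basename "$f" -access.log)
        grep -F -- "$2" "$f" | awk -v v="$vhost" '
            match($0, /" [0-9][0-9][0-9] /) { print v, $1, substr($0, RSTART + 2, 3) }'
    done
}

# Usage: run against the constructed logs; point LOGDIR at your real log
# directory (e.g. /var/log/apache2) to do the same on a live server.
LOGDIR=$(make_sample_logs)
probed_logs "$LOGDIR" 'proc/self/environ'
probe_hits "$LOGDIR" 'proc/self/environ'
rm -rf "$LOGDIR"
```

On the constructed logs this reports www.example.org and shop.example.org as the probed vhosts, both hit from the same client with a 200 response; the blog vhost, which only saw ordinary requests, is not listed. A 200 to a request like this only means the URL was served, not that the page actually included /proc/self/environ, so the next check is the response size and the application's own handling of the page parameter.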
-----Original Message-----
From: wylug-help-bounces at wylug.org.uk
[mailto:wylug-help-bounces at wylug.org.uk] On Behalf Of Roger
Sent: 28 June 2010 23:15
To: wylug-help at wylug.org.uk
Subject: [Wylug-help] logwatch
Hi,
I serve a number of websites up-line from my LAN server to the internet.
logwatch often reports probes - by far most unsuccessful.
AFAIK the majority of 'successful' probes actually only show the hackers a
root page.
My question is because logwatch doesn't report which site (they are all on
the same IP number) was probed. Today the report includes:
------------------------------------------------------------------
A total of 2 sites probed the server
200.63.97.74
213.251.189.204
A total of 2 possible successful probes were detected (the following URLs
contain strings that match one or more of a listing of strings that
indicate a possible exploit):
//?page=../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ%00
HTTP Response 200
//?page=../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ
HTTP Response 200
------------------------------------------------------------------
Does anyone know a short-cut to testing out which site those might have
been? Basically, how can I see which log files logwatch has been watching?
(or any useful answer to the question I should have asked...)
Roger
_______________________________________________
Wylug-help mailing list
Wylug-help at wylug.org.uk
https://mailman.lug.org.uk/mailman/listinfo/wylug-help