[Wylug-help] logwatch
Roger
roger at roger-beaumont.co.uk
Tue Jun 29 08:53:56 UTC 2010
On 29/06/2010 09:01, Lee Evans wrote:
> You may find that no 'site' was tested at all - most of the bots out there
> run directly against IP addresses rather than hostnames (thus eliminating
> overhead/failure due to DNS resolution).
>
> However assuming that you've got all your sites / virtualhosts logging to
> different log files it should be a relatively simple if rudimentary task to
> run a "grep -rl environ *" for example to see which log file contains the
> string you're looking for
On 29/06/2010 08:19, John Hodrien wrote:
> Can you not just grep /var/log/httpd/* for those IPs?
Thanks both, I must have been having a 'senior moment' - of course grep
is what I need! Duh!
Roger
> -----Original Message-----
> From: wylug-help-bounces at wylug.org.uk
> [mailto:wylug-help-bounces at wylug.org.uk] On Behalf Of Roger
> Sent: 28 June 2010 23:15
> To: wylug-help at wylug.org.uk
> Subject: [Wylug-help] logwatch
>
> Hi,
>
> I serve a number of websites up-line from my LAN server to the internet.
>
> logwatch often reports probes - by far most unsuccessful.
>
> AFAIK the majority of 'successful' probes actually only show the hackers a
> root page.
>
> My question is because logwatch doesn't report which site (they are all on
> the same IP number) was probed. Today the report includes:
>
> ------------------------------------------------------------------
> A total of 2 sites probed the server
> 200.63.97.74
> 213.251.189.204
>
> A total of 2 possible successful probes were detected (the following URLs
> contain strings that match one or more of a listing of strings that
> indicate a possible exploit):
>
>
> //?page=../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ%00
> HTTP Response 200
>
> //?page=../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ
> HTTP Response 200
> ------------------------------------------------------------------
>
> Does anyone know a short-cut to testing out which site those might have
> been? Basically, how can I see which log files logwatch has been watching?
>
> (or any useful answer to the question I should have asked...)
>
> Roger
>
> ______________________________________________________________________
> This email has been scanned by the MessageLabs Email Security System.
> For more information please visit http://www.messagelabs.com/email
> ______________________________________________________________________
>
> _______________________________________________
> Wylug-help mailing list
> Wylug-help at wylug.org.uk
> https://mailman.lug.org.uk/mailman/listinfo/wylug-help
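Lee's and John's suggestion (grep each virtualhost's log for the source IPs, or for the probe string) as a worked POSIX shell example. This is added here and is not code from the thread; it builds two constructed per-vhost access logs in a temporary directory, and the function names, file names and sample log lines are assumptions, not anything from Roger's server. The IP match is anchored to the start of the line so a referrer or query string containing the same digits is not counted, and the probe match is restricted to traversal requests that the server answered with 200, which is the distinction logwatch draws between "probed" and "possible successful probe".

```sh
#!/bin/sh
# Constructed sample: two per-vhost Apache combined-format logs in a temp dir.
# Requests and addresses are made up for the example (addresses mirror the report).
make_sample_logs() {
    dir=$(mktemp -d)
    cat > "$dir/example-one-access.log" <<'EOF'
200.63.97.74 - - [28/Jun/2010:21:03:11 +0100] "GET //?page=../../../../proc/self/environ%00 HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
10.0.0.5 - - [28/Jun/2010:21:04:02 +0100] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
EOF
    cat > "$dir/example-two-access.log" <<'EOF'
10.0.0.6 - - [28/Jun/2010:21:05:40 +0100] "GET / HTTP/1.1" 200 800 "-" "curl/7.19"
213.251.189.204 - - [28/Jun/2010:21:06:12 +0100] "GET //?page=../../../../proc/self/environ HTTP/1.1" 404 210 "-" "Mozilla/5.0"
EOF
    printf '%s\n' "$dir"
}

# Print the log files (hence the vhosts) that saw any request from the given IPs.
# usage: files_with_ips LOGDIR IP...
# The client address is the first field of a combined-format line, so the
# pattern is anchored with ^ and a trailing space; dots are escaped so that
# 10.0.0.5 does not also match 10x0y0z5.
files_with_ips() {
    dir=$1; shift
    pattern=
    for ip in "$@"; do
        esc=$(printf '%s' "$ip" | sed 's/\./\\./g')
        pattern="${pattern:+$pattern|}$esc"
    done
    # grep -l exits 1 when nothing matches; treat that as "no files", not an error
    grep -lE "^($pattern) " "$dir"/*.log || [ $? -eq 1 ]
}

# Print the log files containing a directory-traversal request for
# /proc/self/environ that the server answered with HTTP 200 (the case
# logwatch reports as a "possible successful probe"). A 404 is ignored.
# usage: files_with_successful_traversal LOGDIR
files_with_successful_traversal() {
    grep -lE '(\.\./){2,}.*proc/self/environ[^"]*" 200 ' "$1"/*.log || [ $? -eq 1 ]
}

# Stand-alone run: build the sample logs and report on both questions.
if [ "${1:-}" = "--demo" ]; then
    logs=$(make_sample_logs)
    echo "Files with requests from the reported IPs:"
    files_with_ips "$logs" 200.63.97.74 213.251.189.204
    echo "Files with traversal probes that returned 200:"
    files_with_successful_traversal "$logs"
    rm -rf "$logs"
fi
```

On a real server you would point the functions at the directory holding the per-vhost logs (for example `/var/log/httpd` or `/var/log/apache2`) and pass the addresses from the logwatch report; the second function is the narrower of the two, since an address may appear in several vhost logs while only one of them records the request that got a 200.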