Finding A hacker using Abyss logs

Aprelium Forum Index -> Tutorials
TRUSTAbyss

Joined: 29 Oct 2003
Posts: 3752
Location: USA, GA

Posted: Sat Feb 07, 2004 4:29 pm    Post subject: Finding A hacker using Abyss logs

Because this information is kind of too big, I have created
an online web page for this tutorial. I hope you like it.

http://os17fan.cjb.net/find_hacker.html
Anonymoose

Joined: 09 Sep 2003
Posts: 2192

Posted: Sat Feb 07, 2004 5:58 pm

That's great, but all it really is is a tutorial of how to find when you've been scanned by a machine infected by one of the IIS viruses - very few 'hackers' sit and scan manually for these vulnerabilities, all you're seeing is an automated scan from a remote machine and quite frankly most ISPs give less than a damn about it... Autogenerated attack logs and emails to their abuse department quite frankly just piss them off.

You'd be better off looking through for people who've tried to exploit your server manually with encoded URLs, double ../'s attempting to escape the server root, etc. However, if you're that bothered, have a look at scripts like the one below:

http://www.jeroen.se/warnisp_man.html

Not only will it scan your log for worms attacks, it also attempts to find the ISP's abuse department email address and automatically emails them the log snippet plus a complaint.

Personally, I'd just note the IP and add it to your ban list, or even the whole subnet the infected machine came from. You can always unban individuals who have problems connecting...
TRUSTAbyss

Joined: 29 Oct 2003
Posts: 3752
Location: USA, GA

Posted: Sat Feb 07, 2004 6:18 pm

I think I know that that's not very harmless of an attack,
maybe just a worm or something, but you can never
be too careful about exploits, later! 8)
Shadbolt

Joined: 09 Dec 2008
Posts: 12

Posted: Fri Jan 09, 2009 4:32 am

I hope this rather old thread is a good place to ask my questions.

I have just been hit with what I think is a bot net “attack”. Over the last 24 hours I have been receiving numerous almost identical malicious requests for non-existent documents from my server. These have come from all over Europe with a few in the USA for good measure. I traced the IPs of the first dozen or so and sent an e-mail to the appropriate “abuse” address with an excerpt from the logs.

Contrary to the statement by Anonymoose, I was pleasantly surprised how many ISPs responded and dealt with the infections on their clients' computers.

HOWEVER, my enthusiasm for this process is waning! Manually looking up the party responsible for each “bad” IP, creating an e-mail, copying the relevant log extract into it, and sending it to the abuse e-mail address seems like a job a computer ought to be doing almost automatically.

MY QUESTION…. Has anyone written a program to parse the ACCESS.LOG file, present a list of “dodgy entries” for human assessment –I’m visualizing a page with good / bad check boxes next to the relevant log entries– look up the responsible party for each “bad” IP, extract the abuse e-mail address from the whois information, and send an e-mail containing the relevant log entries?

BTW, it looks as though the Abyss web server software has performed flawlessly, rejecting all bogus requests.
_________________
Thou art a very brute - but even brutes must marry, I suppose.
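A small script of the kind Shadbolt asks for above, which also covers the manual checks Anonymoose mentions (encoded URLs and double ../ escapes). This is an added example, not code from the thread, from Abyss, or from the warnisp script linked above. It parses Common Log Format lines as Abyss writes them, URL-decodes each request path repeatedly so double-encoded sequences such as %252e are unwrapped, flags path traversal and a few well-known IIS worm probe targets (signatures chosen for this example), and groups the hits by client IP for human review, also noting whether the server rejected every flagged request. The sample log lines are constructed using documentation-range IPs. The whois lookup and abuse e-mail steps need network access and are left out; the per-IP report is the input they would take.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Abyss writes access logs in Common Log Format (Apache-style); this regex
# picks out the fields a triage tool needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Detection rules applied to the fully URL-decoded path. The traversal rule
# catches the "double ../" trick from the thread; the probe rule lists a few
# well-known IIS worm request targets (Code Red / Nimda era) chosen for this example.
RULES = [
    ("path-traversal", re.compile(r"\.\./|\.\.\\")),
    ("iis-worm-probe", re.compile(r"(?i)/(default\.ida|scripts/root\.exe|cmd\.exe)")),
]

def decode_path(path):
    """URL-decode until stable, so %252e (double-encoded '.') is also unwrapped."""
    prev = None
    while prev != path:
        prev, path = path, unquote(path)
    return path

def parse_line(line):
    """Return a dict of log fields, or None for lines that are not in CLF."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry

def classify(entry):
    """Names of the rules the request path triggers (empty list = looks benign)."""
    decoded = decode_path(entry["path"])
    return [name for name, rx in RULES if rx.search(decoded)]

def report(lines):
    """Group suspicious requests by client IP: {ip: [(path, status, [rule, ...]), ...]}."""
    per_ip = defaultdict(list)
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        hits = classify(entry)
        if hits:
            per_ip[entry["ip"]].append((entry["path"], entry["status"], hits))
    return dict(per_ip)

def all_rejected(entries):
    """True if every flagged request got a 4xx/5xx, i.e. the server rejected it."""
    return all(status >= 400 for _, status, _ in entries)

# Constructed sample log (documentation-range IPs, RFC 5737); not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [09/Jan/2009:03:12:44 +0100] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0',
    '198.51.100.5 - - [09/Jan/2009:03:14:02 +0100] "GET /index.html HTTP/1.1" 200 1043',
    '192.0.2.20 - - [09/Jan/2009:03:15:01 +0100] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 0',
    '192.0.2.10 - - [09/Jan/2009:03:16:30 +0100] "GET /%252e%252e/%252e%252e/etc/passwd HTTP/1.0" 404 0',
    'not a log line at all',
]

if __name__ == "__main__":
    # Print the per-IP list a human would tick off before deciding what to ban or report.
    for ip, entries in sorted(report(SAMPLE_LOG).items()):
        verdict = "all rejected" if all_rejected(entries) else "CHECK: some succeeded"
        print(f"{ip}: {len(entries)} suspicious request(s), {verdict}")
        for path, status, hits in entries:
            print(f"    {status} {path}  [{', '.join(hits)}]")
```

Feed it your real access log with `report(open("access.log"))` and review the grouped output before deciding which IPs go on the ban list; the `all_rejected` check is the quick confirmation that, as in Shadbolt's case, the server returned an error for every probe.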