TRUSTAbyss
Joined: 29 Oct 2003 Posts: 3752 Location: USA, GA
Posted: Sat Feb 07, 2004 4:29 pm Post subject: Finding A hacker using Abyss logs
Because this information is kind of too big, I have created an online web page for this tutorial. I hope you like it.
http://os17fan.cjb.net/find_hacker.html
Anonymoose
Joined: 09 Sep 2003 Posts: 2192
Posted: Sat Feb 07, 2004 5:58 pm Post subject:
That's great, but all it really is is a tutorial of how to find when you've been scanned by a machine infected by one of the IIS viruses - very few 'hackers' sit and scan manually for these vulnerabilities, all you're seeing is an automated scan from a remote machine and quite frankly most ISPs give less than a damn about it... Autogenerated attack logs and emails to their abuse department quite frankly just piss them off.
You'd be better off looking through for people who've tried to exploit your server manually with encoded urls, double ../'s attempting to escape the server root etc, however, if you're that bothered, have a look at scripts like the one below -
http://www.jeroen.se/warnisp_man.html
Not only will it scan your log for worms attacks, it also attempts to find the ISP's abuse department email address and automatically emails them the log snippet plus a complaint.
Personally, I'd just note the IP and add it to your ban list, or even the whole subnet the infected machine came from. You can always unban individuals who have problems connecting...
TRUSTAbyss
Joined: 29 Oct 2003 Posts: 3752 Location: USA, GA
Posted: Sat Feb 07, 2004 6:18 pm Post subject:
I think I know that that's not very harmless of an attack, maybe just a worm or something, but you can never be too careful about exploits. Later! 8)
Shadbolt
Joined: 09 Dec 2008 Posts: 12
Posted: Fri Jan 09, 2009 4:32 am Post subject:
I hope this rather old thread is a good place to ask my questions.
I have just been hit with what I think is a bot net “attack”. Over the last 24 hours I have been receiving numerous almost identical malicious requests for non-existent documents from my server. These have come from all over Europe with a few in the USA for good measure. I traced the IPs of the first dozen or so and sent an e-mail to the appropriate “abuse” address with an excerpt from the logs.
Contrary to the statement by Anonymoose, I was pleasantly surprised how many ISPs responded and dealt with the infections on their clients' computers.
HOWEVER, my enthusiasm for this process is waning! Manually looking up the party responsible for each “bad” IP, creating an e-mail, copying the relevant log extract into it, and sending it to the abuse e-mail address seems like a job a computer ought to be doing almost automatically.
MY QUESTION…. Has anyone written a program to parse the ACCESS.LOG file, present a list of “dodgy entries” for human assessment –I’m visualizing a page with good / bad check boxes next to the relevant log entries– look up the responsible party for each “bad” IP, extract the abuse e-mail address from the whois information, and send an e-mail containing the relevant log entries?
BTW, it looks as though the Abyss web server software has performed flawlessly, rejecting all bogus requests.
_________________
Thou art a very brute - but even brutes must marry, I suppose.
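The following is an added example, not code posted in this thread nor part of Abyss itself. It is the log-triage half of what Shadbolt asks for, and it also picks out the manual exploit attempts Anonymoose mentions (encoded URLs and `../` sequences trying to escape the server root) rather than only automated worm probes. It assumes the access log is written in the Common or Combined Log Format (the leading fields are identical in both), and the sample log lines are constructed for the demonstration; the RFC 5737 test addresses and the server name `www.example.com` are placeholders. Looking up the abuse contact via whois and sending the mail need network access and are deliberately not included: the script stops at the report text you would paste into the e-mail, grouped per source IP so one message covers every request that host made.

```python
"""Triage an Abyss access.log for worm probes and traversal attempts.

Added example, not from the original thread.  Assumes Common/Combined Log
Format; the sample lines below are constructed for the demonstration.
"""
import re
import sys
from collections import defaultdict
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote

# Common Log Format prefix.  Combined adds referer and user-agent after the
# size field; they are simply not captured here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# "../" or "..\" after URL-decoding: an attempt to leave the document root.
TRAVERSAL = re.compile(r'\.\.[/\\]')
# %C0xx / %C1xx are never valid UTF-8: they are overlong encodings of ASCII
# bytes, historically used to smuggle '/' or '\' past a traversal filter.
OVERLONG = re.compile(r'%c[01]%[0-9a-f]{2}', re.I)
# Well-known IIS worm probe paths (Code Red's default.ida, Nimda's cmd.exe
# and root.exe); the thread's "IIS viruses" scans look like these.
WORM_PATTERNS: List[Tuple[re.Pattern, str]] = [
    (re.compile(r'/default\.ida', re.I), 'Code Red probe (default.ida)'),
    (re.compile(r'/(cmd|root)\.exe', re.I), 'Nimda-style cmd.exe/root.exe probe'),
    (re.compile(r'/scripts/', re.I), 'IIS /scripts/ directory probe'),
]

# Constructed sample log (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = """\
192.0.2.10 - - [09/Jan/2009:03:14:07 +0000] "GET /index.html HTTP/1.1" 200 2326
198.51.100.23 - - [09/Jan/2009:03:15:11 +0000] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0
198.51.100.23 - - [09/Jan/2009:03:15:12 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 0
203.0.113.77 - - [09/Jan/2009:03:16:40 +0000] "GET /images/..%252f..%252fetc/passwd HTTP/1.1" 404 0
192.0.2.10 - - [09/Jan/2009:03:17:02 +0000] "GET /docs/../../../../boot.ini HTTP/1.1" 404 0
garbage that is not a log line
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one CLF/Combined line into its fields; None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(path: str) -> List[str]:
    """Return the reasons a request path looks hostile (empty list = benign)."""
    reasons: List[str] = []
    once = unquote(path)      # %2e%2e%2f -> ../
    twice = unquote(once)     # %252e%252e%252f -> %2e%2e%2f -> ../
    if TRAVERSAL.search(once):
        reasons.append('directory traversal (../)')
    elif TRAVERSAL.search(twice):
        reasons.append('double-encoded directory traversal')
    if OVERLONG.search(path):
        reasons.append('overlong UTF-8 lead byte (%c0/%c1)')
    for pattern, label in WORM_PATTERNS:
        if pattern.search(twice):
            reasons.append(label)
    return reasons


def analyze(lines: List[str]) -> Dict[str, List[Tuple[str, List[str]]]]:
    """Group the suspicious log lines by source IP, each with its reasons."""
    hits: Dict[str, List[Tuple[str, List[str]]]] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec['path'])
        if reasons:
            hits[rec['ip']].append((line.rstrip('\n'), reasons))
    return dict(hits)


def abuse_report(ip: str, entries: List[Tuple[str, List[str]]],
                 server: str = 'www.example.com') -> str:
    """Draft the text to paste into an e-mail to the IP owner's abuse contact.

    The whois lookup of that contact needs the network and is left out.
    """
    out = [f'Subject: Hostile requests from {ip} against {server}', '',
           f'The host {ip} sent the requests below to {server}; all were rejected.',
           'Timestamps are as logged on the server (zone offset is in each line).', '']
    for raw, reasons in entries:
        out.append(raw)
        out.append('    -> ' + '; '.join(reasons))
    return '\n'.join(out)


if __name__ == '__main__':
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding='utf-8', errors='replace') as fh:
            log_lines = fh.read().splitlines()
    else:
        log_lines = SAMPLE_LOG.splitlines()
    for src_ip, found in sorted(analyze(log_lines).items()):
        print(abuse_report(src_ip, found))
        print('-' * 60)
```

Run it as `python triage.py access.log` (any file name works; with no argument it uses the constructed sample). The "good / bad check box" step is the `classify` output: anything with an empty reason list is dropped, everything else is presented per IP for a human to confirm before the report goes out. Decoding twice matters because a filter that checks only the raw path misses `%252f`, and a filter that decodes once misses it too; checking after the second decode catches both, at the cost of treating a literal `%25` in a legitimate URL as suspicious, which is the right trade-off for a triage list that a person reviews.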