10.9.8.7 - - [08/May/2002:15:03:09 -1000] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 326 "-" "-"
10.13.15.17 - - [08/May/2002:23:17:15 -1000] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 326 "-" "-"
Those two entries are the Code Red worm. The long run of N characters overflows a buffer in the Index Server extension of IIS (the handler for .ida requests), and the %u-encoded values that follow it are the shellcode that runs once the return address has been overwritten. Apache has no such handler, so it rejects the request with a 400 and nothing happens, but the pattern is what a buffer overflow attempt looks like in a log, and the client addresses tell you which machines out there are infected. Sometimes attackers try to start something on your machine. Take a look at this excerpt from /var/log/httpd/error_log:
[Mon May 27 16:26:58 2002] [error] [client 10.10.10.10] File does not exist: /var/www/html/msadc/..%5c../..%5c../..%5c/..^\../..^\../..^\../winnt/system32/cmd.exe
[Mon May 27 16:38:53 2002] [error] [client 10.11.12.13] File does not exist: /var/www/html/robots.txt
The first line is a Nimda probe: it uses encoded backslashes to walk up out of the web root and reach cmd.exe, which only works against an unpatched IIS server. It should not really bother Linux users, since the file simply does not exist here, but you should be aware of it, and every client address that sends one is an infected host scanning you. The second line is a search engine asking for robots.txt, the file that tells a spider which parts of your site it may index. Search engine spiders are good if you want your site to be indexed.
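As an added example (not code from the original page), here is a small shell script that pulls the Code Red and Nimda hits out of the two Apache logs and lists the addresses that sent them. The sample log lines it writes are constructed to resemble the ones above, and the file names and function names are the script's own assumptions, not part of the page.

```shell
#!/bin/sh
# Added example (not from the original page): tally Code Red and Nimda
# probes in Apache logs and list the hosts sending them. The log lines
# below are constructed to resemble the ones in the text.

# Write constructed sample logs into a temp dir and print its path.
make_sample_logs() {
    dir=$(mktemp -d)
    cat > "$dir/access_log" <<'EOF'
10.9.8.7 - - [08/May/2002:15:03:09 -1000] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 326 "-" "-"
10.20.30.40 - - [08/May/2002:15:10:02 -1000] "GET /index.html HTTP/1.0" 200 1532 "-" "Mozilla/4.0"
10.13.15.17 - - [08/May/2002:23:17:15 -1000] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 326 "-" "-"
10.11.12.13 - - [09/May/2002:02:00:00 -1000] "GET /robots.txt HTTP/1.0" 404 276 "-" "Googlebot/2.1"
EOF
    cat > "$dir/error_log" <<'EOF'
[Mon May 27 16:26:58 2002] [error] [client 10.10.10.10] File does not exist: /var/www/html/msadc/..%5c../..%5c../..%5c/..^\../..^\../..^\../winnt/system32/cmd.exe
[Mon May 27 16:27:01 2002] [error] [client 10.10.10.10] File does not exist: /var/www/html/scripts/root.exe
[Mon May 27 16:38:53 2002] [error] [client 10.11.12.13] File does not exist: /var/www/html/robots.txt
[Mon May 27 16:40:10 2002] [error] [client 10.10.10.11] File does not exist: /var/www/html/c/winnt/system32/cmd.exe
EOF
    echo "$dir"
}

# Code Red: GET /default.ida? followed by a long run of N (X in later
# variants) and %u-encoded shellcode. Apache answers 400, but the hit
# still tells you the client is infected. "|| true" keeps grep's exit
# status of 1 on zero matches from aborting a script run under set -e.
count_code_red() {
    grep -c -E 'GET /default\.ida[?][NX]{20,}.*%u[0-9a-fA-F]{4}' "$1" || true
}

# Distinct client addresses behind the Code Red noise.
code_red_sources() {
    grep -E 'GET /default\.ida[?][NX]{20,}.*%u[0-9a-fA-F]{4}' "$1" | awk '{ print $1 }' | sort -u
}

# Nimda: directory traversal toward cmd.exe, or a probe for root.exe,
# the backdoor copy of cmd.exe that Code Red II left on infected IIS
# hosts. Neither exists on Linux, so they surface in error_log as
# "File does not exist".
count_nimda() {
    grep -c -E '(cmd|root)\.exe' "$1" || true
}

# Distinct [client x.x.x.x] addresses sending Nimda probes.
nimda_sources() {
    grep -E '(cmd|root)\.exe' "$1" | sed -n 's/.*\[client \([0-9.]*\)].*/\1/p' | sort -u
}

# Demo run on the constructed logs. Point the functions at
# /var/log/httpd/access_log and error_log to use them for real.
logs=$(make_sample_logs)
echo "Code Red hits: $(count_code_red "$logs/access_log")"
echo "Code Red sources:"; code_red_sources "$logs/access_log"
echo "Nimda hits: $(count_nimda "$logs/error_log")"
echo "Nimda sources:"; nimda_sources "$logs/error_log"
rm -rf "$logs"
```

The counts are mostly noise on a Linux server; the source lists are the useful part, because an address from your own network in either list is a Windows box you need to clean up.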
You should also look at the login records (the last command, which reads /var/log/wtmp, and lastlog) and at the /etc/passwd file. To see when users logged in, type:
bash# last | less
That lists every login recorded in /var/log/wtmp since the file was last rotated, which on most distributions is once a month, with the user, the terminal, the remote host and the time. You should also check the password file to see whether new accounts were created. Here is an example of a good account and a bad one:
root:x:0:0:root:/root:/bin/bash
root2:x:0:0:root2:/root:/bin/bash
If more than one account has 0 for the UID, you probably have a problem: UID 0 is what makes an account root, whatever its name. Attackers usually add accounts like this so they can log in as root without touching the real root password. The root account is fine, but you have to think, ``Where did root2 come from?'' Keep in mind that an intruder who already has root can also edit /etc/passwd and wtmp, so compare against a copy of the password file that you trust and keep off the machine.
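The password file checks described above, as an added example that is not part of the original page: a shell script that finds extra UID 0 accounts, UIDs shared by more than one name, and account names that are missing from a trusted baseline copy. The passwd contents and the baseline file name are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original page): audit a passwd file for
# extra UID 0 accounts, duplicated UIDs and accounts missing from a
# trusted baseline copy. The passwd contents below are constructed.

# Write a constructed baseline and a constructed live passwd file into
# a temp dir and print its path.
make_sample_passwd() {
    dir=$(mktemp -d)
    # What the machine looked like when it was built. Keep a copy like
    # this off the box; an intruder with root can edit the live file.
    cat > "$dir/passwd.baseline" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
alice:x:500:500:Alice:/home/alice:/bin/bash
bob:x:501:501:Bob:/home/bob:/bin/bash
EOF
    # The live file after an intruder added two accounts.
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
alice:x:500:500:Alice:/home/alice:/bin/bash
root2:x:0:0:root2:/root:/bin/bash
bob:x:501:501:Bob:/home/bob:/bin/bash
mallory:x:501:501:bob:/home/bob:/bin/bash
EOF
    echo "$dir"
}

# Every account with UID 0 (field 3). There should be exactly one: root.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# UID 0 accounts that are not called root: the "Where did root2 come
# from?" case.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Any UID shared by two or more names. Sharing a normal user's UID is a
# quieter trick than a second root: the intruder owns that user's files
# and shows up under the victim's name in ls and ps.
duplicate_uids() {
    awk -F: '{ print $3 }' "$1" | sort -n | uniq -d
}

# Account names present in the live file ($2) but not in the baseline
# ($1). comm needs sorted input, so both name lists are sorted first.
new_accounts() {
    tmp=$(mktemp)
    awk -F: '{ print $1 }' "$1" | sort > "$tmp"
    awk -F: '{ print $1 }' "$2" | sort | comm -13 "$tmp" -
    rm -f "$tmp"
}

# Demo run on the constructed files. For a real check use /etc/passwd
# as the live file and your own trusted copy as the baseline.
pw=$(make_sample_passwd)
echo "UID 0 accounts:"; uid0_accounts "$pw/passwd"
echo "Extra UID 0 accounts:"; extra_uid0_accounts "$pw/passwd"
echo "Duplicated UIDs:"; duplicate_uids "$pw/passwd"
echo "Accounts not in baseline:"; new_accounts "$pw/passwd.baseline" "$pw/passwd"
rm -rf "$pw"
```

On the constructed data the script reports root2 as the extra UID 0 account, UIDs 0 and 501 as duplicated, and mallory and root2 as accounts the baseline never had. Run against the real /etc/passwd, a clean machine prints nothing for the last three checks and only root for the first.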