By Charly Kühnast
From time to time, I browse my web server logfiles, although this isn't something I like to do too often. After all, I get to see enough of the pesky things at work. When I do check my own logs, it typically has to do with debugging, but I also tend to find "wrong number" type entries. Sometimes you get strange entries like:
tharis.xxxxx.at - - [03/Dec/2005:08:24:43 +0100] "GET /LOST HTTP/1.1" 404 1025 "-" "Mozilla/4.0"
Although this message looks pretty offensive, it is actually quite harmless. On other occasions, I find people attempting to navigate to URLs belonging to applications that have been featured in recent security advisories. In the past few weeks, for example, I have read advisories concerning PhpMyAdmin and PhpBB. Attempts to access files with suffixes such as .mdb and .asp, are telltale signs of unfriendly fire. Listing 1 shows an excerpt.
It is good to know exactly which queries against your server have drawn blanks. In fact, this is a way of discovering attack patterns that might cause other servers some headaches.
Listing 1: Web Server Access |
01 cncln.online.ln.cn - - [05/Dec/2005:22:09:04 +0100] "GET /bbs/upload.asp?action=upfile HTTP/1.1" 404 1025 "-" "InetURL:/1.0" 02 58.241.228.180 - - [06/Dec/2005:03:32:54 +0100] "GET /bbs/diy.asp HTTP/1.1" 404 1025 "-" "Mozilla/4.0" 03 222.62.228.179 - - [06/Dec/2005:07:19:49 +0100] "GET /bbs/diy.asp HTTP/1.1" 404 1025 "-" "InetURL:/1.0" 04 220.191.42.203 - - [13/Oct/2005:10:12:23 +0200] "GET /data/dvbbs6.mdb HTTP/1.1" 404 1025 "-" "InetURL:/1.0" 05 220.191.42.203 - - [13/Oct/2005:10:12:24 +0200] "GET /data/dvbbs7.mdb HTTP/1.1" 404 1025 "-" "InetURL:/1.0" |
Enter Webalizer, the admin's friend. Patrick Frei has written a patch for Webalizer that gives admins additional statistics concerning requests that triggered a 404 - File not found response from the server. Figure 1 shows these statistics for my web server from December 6, 2005. You can see at a glance that the entries I discovered are not just isolated cases. You can also see a couple of dead links I will need to remove.
The Webalizer source code (including the applied patch) is available from [1]. Just do the following to build and install:
./configure make make install
You will need the Zlib, Libpng, and GD packages, along with the matching devel packages. A patch that converts the original Webalizer source code to "Webalizer Xtended" is available at [1]. To apply the patch, change to the Webalizer source code directory and give the following command:
patch -Np1 -i /Pfad /webalizer-2.01-10-RB06-patch
Then go on to build Webalizer as described previously. The whole thing is even easier for Gentoo users, as a ready-to-run Ebuild is available. Happy wrong numbers!
INFO |
[1] Webalizer Xtended: http://www.webalizer.go.to
|
THE AUTHOR |
Charly Kühnast is a Unix System Manager at the data-center in Moers, near Germany's famous River Rhine. His tasks include ensuring firewall security and availability and taking care of the DMZ (demilitarized zone). |