The Sysadmin's Daily Grind: Webalizer Xtended

Wrong Number!

Webalizer is a tool for analyzing web server logfiles. A new patch lets admins see what isn't there.

By Charly Kühnast

From time to time, I browse my web server logfiles, although this isn't something I like to do too often. After all, I get to see enough of the pesky things at work. When I do check my own logs, it typically has to do with debugging, but I also tend to find "wrong number" type entries. Sometimes you get strange entries like:

- - [03/Dec/2005:08:24:43 +0100] "GET /LOST HTTP/1.1" 404 1025 "-"

Although this entry looks pretty offensive, it is actually quite harmless. On other occasions, I find people trying to reach URLs that belong to applications featured in recent security advisories; in the past few weeks, for example, I have read advisories concerning phpMyAdmin and phpBB. Attempts to access files with suffixes such as .mdb (Access database files) and .asp on a Unix web server that runs neither are telltale signs of unfriendly fire: nobody follows a link to such a file, somebody is sweeping address ranges for a known vulnerable installation. Listing 1 shows an excerpt.

It is good to know exactly which requests to your server have drawn blanks. A recurring pattern in the 404s is often the first sign of a scan, and it reveals the attack patterns that will cause headaches for servers that actually run the software being probed.

Listing 1: Web Server Access

- - [05/Dec/2005:22:09:04 +0100] "GET /bbs/upload.asp?action=upfile HTTP/1.1" 404 1025 "-" "InetURL:/1.0"
- - [06/Dec/2005:03:32:54 +0100] "GET /bbs/diy.asp HTTP/1.1" 404 1025 "-" "Mozilla/4.0"
- - [06/Dec/2005:07:19:49 +0100] "GET /bbs/diy.asp HTTP/1.1" 404 1025 "-" "InetURL:/1.0"
- - [13/Oct/2005:10:12:23 +0200] "GET /data/dvbbs6.mdb HTTP/1.1" 404 1025 "-" "InetURL:/1.0"
- - [13/Oct/2005:10:12:24 +0200] "GET /data/dvbbs7.mdb HTTP/1.1" 404 1025 "-" "InetURL:/1.0"

Detecting 404 Patterns

Enter Webalizer, the admin's friend. Patrick Frei has written a patch for Webalizer that gives admins additional statistics on requests that triggered a 404 (File not found) response from the server. Figure 1 shows these statistics for my web server on December 6, 2005. You can see at a glance that the entries I discovered are not isolated cases. You can also see a couple of dead links of my own that I will need to fix.

Figure 1: Webalizer Xtended showing the wrong-number statistics for December 6.
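The kind of sifting the patch does, as an added example that is not part of this column or of Webalizer Xtended: a short Python script that parses combined-format access log lines, tallies the 404s per path the way Figure 1 does, and then separates probes for software this server does not run (the .asp, .mdb, phpMyAdmin and phpBB paths mentioned above) from plain dead links. The log lines, the IP addresses and the probe patterns are constructed for the example, and the rule "two or more distinct probe paths from one host makes it a scanner" is an assumption, not anything the patch implements.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in Apache combined log format. The paths are the ones
# from the column; the IP addresses are documentation ranges, not real hosts.
# One line has its host field stripped, as in the excerpts printed above.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Dec/2005:22:09:04 +0100] "GET /bbs/upload.asp?action=upfile HTTP/1.1" 404 1025 "-" "InetURL:/1.0"
203.0.113.7 - - [06/Dec/2005:03:32:54 +0100] "GET /bbs/diy.asp HTTP/1.1" 404 1025 "-" "Mozilla/4.0"
198.51.100.23 - - [06/Dec/2005:07:19:49 +0100] "GET /bbs/diy.asp HTTP/1.1" 404 1025 "-" "InetURL:/1.0"
198.51.100.23 - - [06/Dec/2005:07:19:50 +0100] "GET /data/dvbbs6.mdb HTTP/1.1" 404 1025 "-" "InetURL:/1.0"
198.51.100.23 - - [06/Dec/2005:07:19:51 +0100] "GET /data/dvbbs7.mdb HTTP/1.1" 404 1025 "-" "InetURL:/1.0"
192.0.2.44 - - [06/Dec/2005:08:24:43 +0100] "GET /phpMyAdmin/main.php HTTP/1.1" 404 1025 "-" "Mozilla/4.0"
192.0.2.44 - - [06/Dec/2005:08:24:44 +0100] "GET /phpBB2/viewtopic.php HTTP/1.1" 404 1025 "-" "Mozilla/4.0"
- - [06/Dec/2005:08:30:00 +0100] "GET /LOST HTTP/1.1" 404 1025 "-" "Mozilla/5.0"
192.0.2.10 - - [06/Dec/2005:09:01:12 +0100] "GET /images/old-logo.png HTTP/1.1" 404 1025 "http://www.example.org/" "Mozilla/5.0"
192.0.2.10 - - [06/Dec/2005:09:01:13 +0100] "GET /index.html HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
"""

# Combined log format. The host field is optional so that lines with the
# host stripped ("- - [date] ...") still parse.
LOG_RE = re.compile(
    r'^(?:(?P<host>\S+) )?(?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)

# Assumed probe signatures: things a Unix box without ASP or those PHP
# forums never serves. Extend this list from your own 404 statistics.
PROBE_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (r'\.mdb$', r'\.asp$', r'/phpmyadmin/', r'/phpbb\d*/')
]


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = rec["request"].split()
    # Path without query string: "GET /bbs/upload.asp?action=upfile HTTP/1.1"
    rec["path"] = parts[1].split("?", 1)[0] if len(parts) >= 2 else rec["request"]
    rec["status"] = int(rec["status"])
    rec["host"] = rec["host"] or "-"
    return rec


def is_probe(path):
    """True if the path matches one of the assumed scanner signatures."""
    return any(p.search(path) for p in PROBE_PATTERNS)


def summarize_404s(lines, scanner_threshold=2):
    """Tally 404s per path, then split them into probes and dead links.

    A host that requested scanner_threshold or more distinct probe paths is
    reported as a scanner (assumed rule). A 404 that arrived with a referer
    and matches no probe signature is most likely a dead link of our own.
    """
    by_path = Counter()
    probe_paths_by_host = defaultdict(set)
    dead_links = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 404:
            continue
        by_path[rec["path"]] += 1
        if is_probe(rec["path"]):
            probe_paths_by_host[rec["host"]].add(rec["path"])
        elif rec["referer"] not in (None, "-"):
            dead_links[rec["path"]] += 1
    scanners = sorted(h for h, paths in probe_paths_by_host.items()
                      if len(paths) >= scanner_threshold)
    return {
        "by_path": by_path,
        "probe_hosts": {h: sorted(p) for h, p in probe_paths_by_host.items()},
        "scanners": scanners,
        "dead_links": dead_links,
    }


if __name__ == "__main__":
    report = summarize_404s(SAMPLE_LOG.splitlines())
    print("404s per path:")
    for path, n in report["by_path"].most_common():
        print(f"  {n:3d}  {path}")
    print("scanners:", ", ".join(report["scanners"]))
    print("dead links to fix:", ", ".join(report["dead_links"]))
```

Run it against a real access_log with `summarize_404s(open("/var/log/apache2/access_log"))`; the probe list is deliberately short, and the right way to grow it is to read the top of your own 404 table, not to guess.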

The Webalizer source code with the patch already applied is available from [1]. Run the usual ./configure and make in the source directory, then install with:

make install

You will need the zlib, libpng and GD libraries, along with the matching devel packages, so that configure can find their headers. If you would rather patch the original Webalizer source yourself, the patch that converts it into "Webalizer Xtended" is also available from [1]. To apply it, change to the Webalizer source directory and give the following command, where /path/to/patch is the patch file you downloaded:

patch -Np1 -i /path/to/patch

Then go on to build Webalizer as described previously. Gentoo users have it even easier, as a ready-to-run ebuild is available. Happy wrong numbers!

[1] Webalizer Xtended:

Charly Kühnast is a Unix System Manager at the data center in Moers, near Germany's famous River Rhine. His tasks include ensuring firewall security and availability and taking care of the DMZ (demilitarized zone).