Recently, I was asked to help someone out after their server had
been hacked and their web site was defaced. We were able to use the
Web Access Logs to track down the attack, and I am going to post an
overview of what we did in case you ever run into a similar
problem.
If your web site has been defaced and your server compromised, the
first thing you probably did was restore from your backups (you did
save all your work off-line somewhere, right?). Before you do that,
copy off whatever logs survive: a restore can overwrite the only
evidence you have. After that, you checked your server logs, and most
likely you found that they had been deleted. When an attacker
compromises a system, one of the first things they do is remove the
logs so that there is no record of what they have done.
However, in my experience these attackers frequently overlook the web
access log. On more than one occasion I've seen it used as the
starting point of an investigation to track down the origin of the
attack.
Typically, an attacker will use an anonymous proxy while defacing
your web site. However, once they have finished and think they are in
the clear, they often use their own undisguised IP address to visit
the site and admire their handiwork.
Let's say that you have a very simple website, consisting of one
page (index.html) and one image (logo.gif). We'll keep this example
simple and say that the attacker changed only one thing when the site
was defaced: adding a new image as a way of signing his work (we'll
call it hackerslogo.jpg).
If your web access-log is still intact, you can use this to get an
idea of where the attack came from. Here's a simplified web log
(some of the content has been removed for brevity, and the IP
Addresses are fake), containing activity before and after the
defacement:
999.999.999.1 - - [13/Oct/2002:04:46:27 -0800] "GET index.html" "http://www.yoursite.com" "Mozilla/4.0 etc."
999.999.999.1 - - [13/Oct/2002:04:46:27 -0800] "GET logo.gif" "http://www.yoursite.com" "Mozilla/4.0 etc."
888.999.777.7 - - [13/Oct/2002:04:47:57 -0800] "GET index.html" "http://www.yoursite.com" "Mozilla/4.0 etc."
888.999.777.7 - - [13/Oct/2002:04:47:57 -0800] "GET logo.gif" "http://www.yoursite.com" "Mozilla/4.0 etc."
555.444.555.1 - - [13/Oct/2002:04:48:27 -0800] "GET index.html" "http://www.yoursite.com" "Mozilla/4.0 etc."
555.444.555.1 - - [13/Oct/2002:04:48:27 -0800] "GET logo.gif" "http://www.yoursite.com" "Mozilla/4.0 etc."
555.444.555.1 - - [13/Oct/2002:04:48:27 -0800] "GET hackerslogo.jpg" "http://www.yoursite.com" "Mozilla/4.0 etc."
666.499.595.1 - - [13/Oct/2002:04:49:27 -0800] "GET index.html" "http://www.yoursite.com" "Mozilla/4.0 etc."
666.499.595.1 - - [13/Oct/2002:04:49:27 -0800] "GET logo.gif" "http://www.yoursite.com" "Mozilla/4.0 etc."
666.499.595.1 - - [13/Oct/2002:04:49:27 -0800] "GET hackerslogo.jpg" "http://www.yoursite.com" "Mozilla/4.0 etc."
777.111.222.4 - - [13/Oct/2002:04:50:27 -0800] "GET index.html" "http://www.yoursite.com" "Mozilla/4.0 etc."
777.111.222.4 - - [13/Oct/2002:04:50:27 -0800] "GET logo.gif" "http://www.yoursite.com" "Mozilla/4.0 etc."
777.111.222.4 - - [13/Oct/2002:04:50:27 -0800] "GET hackerslogo.jpg" "http://www.yoursite.com" "Mozilla/4.0 etc."
655.999.999.1 - - [13/Oct/2002:04:51:27 -0800] "GET index.html" "http://www.yoursite.com" "Mozilla/4.0 etc."
655.999.999.1 - - [13/Oct/2002:04:51:27 -0800] "GET logo.gif" "http://www.yoursite.com" "Mozilla/4.0 etc."
911.999.777.7 - - [13/Oct/2002:04:52:57 -0800] "GET index.html" "http://www.yoursite.com" "Mozilla/4.0 etc."
911.999.777.7 - - [13/Oct/2002:04:52:57 -0800] "GET logo.gif" "http://www.yoursite.com" "Mozilla/4.0 etc."
Looking at this log, we can see that in this case we are interested
in the three IP addresses that hit the site between 4:48 and 4:50.
We can narrow it down to those three because they were the only ones
that requested "hackerslogo.jpg" (in this example, we'll say the
original website was put back up at 4:50:28, right after the third
visit to the defaced page). Because the attacker had to check his
work (and chances are he used his own IP address to do so), his
address should appear in the log as one of the visitors that
performed a GET on hackerslogo.jpg.
Now that we have a few suspect IP addresses, we can perform a reverse
DNS lookup on each to get an idea of where the attack came from. The
reverse lookup only gives you a hostname (and may give nothing at
all); a WHOIS query on the address tells you which network operator
owns it and its abuse contact. From that point, you can contact the
associated ISP and begin to resolve your problem. Bear in mind that
this only points at the network the check-up visit came from: if the
attacker stayed behind a proxy, or the address is shared (NAT, a
dial-up pool, a hosting provider), you have a lead, not an identity.
Of course, on a typical server receiving an average amount of web
traffic, your log is going to be a lot bigger than the one in this
example. My suggestion is to find the first request for the defaced
page or the attacker's added images, then focus on the IP addresses
that requested them during the following five minutes. Then (after
installing the latest patches for your server!) you can begin the
process of finding your attacker.
Related Links: Reverse DNS Lookup