Threat Analysis

Web server logs contain every request your web server serves, so they are the place to look periodically to determine whether any threats are being exploited and how many attacks the server is encountering. If you run a standard web application such as WordPress, Drupal, Joomla or DotNetNuke, exploits are constantly being discovered, and keeping the site updated does not make it invincible. Custom applications, on the other hand, can be more vulnerable, and since no vendor updates are available for them, checking the logs for threats is crucial to ensure that your website is safe.

Analyzing the log file

Apache Logs Viewer can open the logs of web servers such as Apache, IIS and nginx. This section will help you understand what to look for.

Country Analysis

Attacks often originate from particular countries. If your website targets a single country, you can quickly check whether visitors from elsewhere have merely stumbled upon your site or are looking for something malicious.

Status Analysis

Inspecting countries together with response status codes usually gives a clearer picture of what is going on. Attacks typically start with the attacker trying out several URLs that might be exploitable, and the server usually replies with a 404 or 500 error, indicating an error in the request on either the client side or the server side.

Request Analysis

After filtering by country and status, you can look more closely at the requests themselves and the commands they carry. Various kinds of incidents can signal an attack.

Typically you should look for requests that fall into these categories:

  • DDoS attacks
    • These are typically valid requests repeated over and over again, which will make your web server slower.
  • Requests that lead to a buffer overflow
    • \xf9\xa9\xa5\xcc\xa87\x17,b\xfe%\xb4C\x8f\xf3\xf9\xd4\xb4K\xb9Z\x90\x06>?\xf6\xddz\xf3P\xd3{ \xa8
    • \xf5@~\xcc\r\xfdKJ\x0c=u[c\xfb+3\x88\xd2%z
  • Attacks on login forms
    • GET /wp-login.php HTTP/1.0
  • Attacks on web application setup scripts
    • e.g. GET /phpMyAdmin/scripts/setup.php HTTP/1.1
    • GET /pma/scripts/setup.php HTTP/1.1
  • SQL injection commands
    • GET /apps/SiteVerify/download.php?new=999999.9%20union%20all%20select%200x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536-- HTTP/1.1
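As an added example (not code from the original page or from the Apache Logs Viewer product), the following Python script parses constructed combined-format log lines and flags the indicator types listed above: escaped non-printable bytes in the request, login-form and setup-script probes, union/select strings hidden behind URL encoding, and one client sending many requests. The sample lines, the rule patterns and the flood threshold are assumptions chosen for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines in Apache "combined" format; they are not taken
# from the original page, only shaped after the indicators it lists.
SAMPLE_LOG = r"""
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:37 +0000] "GET /wp-login.php HTTP/1.0" 404 512 "-" "curl/7.88"
198.51.100.7 - - [10/Oct/2023:13:55:38 +0000] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 512 "-" "curl/7.88"
198.51.100.7 - - [10/Oct/2023:13:55:39 +0000] "GET /pma/scripts/setup.php HTTP/1.1" 404 512 "-" "curl/7.88"
198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /download.php?new=9%20union%20all%20select%200x31-- HTTP/1.1" 500 0 "-" "curl/7.88"
192.0.2.9 - - [10/Oct/2023:13:55:41 +0000] "\xf9\xa9\xa5\xcc\xa87\x17,b\xfe%\xb4C" 400 0 "-" "-"
"""

# client ip, timestamp, request line, status, bytes (referer and agent are ignored here)
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')

# Indicator rules named after the categories on this page (patterns are assumptions).
RULES = [
    ("binary-payload", re.compile(r"\\x[0-9a-fA-F]{2}")),  # Apache logs non-printable bytes as \xNN
    ("login-probe", re.compile(r"/wp-login\.php", re.I)),
    ("setup-probe", re.compile(r"/scripts/setup\.php", re.I)),
    ("sql-injection", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
]

def classify(request):
    """Return the indicator names matched by one request line (checked raw and URL-decoded)."""
    decoded = unquote(request)  # %20 etc. become spaces so 'union all select' is visible
    return [name for name, pat in RULES if pat.search(request) or pat.search(decoded)]

def analyze(log_text, flood_threshold=4):
    """Parse log lines; return per-IP hit counts, status counts and a list of findings."""
    per_ip, statuses, findings = Counter(), Counter(), []
    for line in log_text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort on a real log
        ip, _ts, request, status, _size = m.groups()
        per_ip[ip] += 1
        statuses[status] += 1
        for name in classify(request):
            findings.append((ip, name, request))
    # Many requests from a single client in the analysed window is the flood indicator.
    for ip, n in per_ip.items():
        if n >= flood_threshold:
            findings.append((ip, "flood", f"{n} requests"))
    return {"per_ip": per_ip, "statuses": statuses, "findings": findings}

REPORT = analyze(SAMPLE_LOG)  # stand-alone run: REPORT["findings"] holds the flagged lines
```

Feed the output of `analyze` with your own log text; a real log needs a time window around the flood count, which this example leaves out.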

Determining attacks

Looking at the examples above, finding attacks may seem easy and trivial, but this depends on the type of attack and how vulnerable your server is. Most attacks are easy to detect; some, however, are more sophisticated and, for example, send only one request every X minutes to be less obvious and go undetected.

Combating such issues

There is no easy or straightforward way to combat such issues. If you have a custom website, it all depends on how securely it was built. If you run a standard web application, make sure it is updated, and not just the platform but also the installed plug-ins, since these could pose a greater risk.

Make sure your passwords are complex, especially for the administrative part of your website and for terminal services to your web server, although a lot of harm can be done with just administrative access to your CMS.

For custom applications, make sure they are robust and do not allow SQL injection, which could compromise your database server.

Threat analysis can be tricky, but Apache Logs Viewer helps by allowing you to filter the log file and view it from different angles.