![]() ![]() The above command filters access.log and shows only records with strings containing wp-admin, which is the default administration folder of WordPress, wp-login, which is part of the login file of WordPress ( wp-login.php), and finally, POST, which will show HTTP requests sent to the server using the POST method, which are most likely login form submissions. var/log/apache2/access.log | grep -E "wp-admin|wp-login|POST /" Instead of ruling out some data, we will filter access.log for WordPress-specific characteristics. In this case, however, since the website is running the WordPress web application, we will use a slightly different approach. Some investigators also prefer to strip out JavaScript files too. That usually includes resources such as images and CSS stylesheets. The access.log tends to be quite a large file, often containing thousands of recorded requests. Let us assume that in our example, the web server access.log is available. Usually, evidence of an attack involves direct access to hidden or unusual files, access to the administration area with or without authentication, remote code execution, SQL injection, file inclusion, cross-site scripting (XSS), and other unusual behavior that might indicate vulnerability scanning or reconnaissance. In order to start an investigation, the investigator needs to identify what evidence to look for. However, since there are no plans to pursue legal action against the attacker, in this case, the forensic team can work on original data. ![]() To identify malicious activity on the web server, you often create a forensically sound copy of the server and then proceed with the investigation. The server is isolated to preserve the current state of the system and its logs, block remote access to the attacker (in the case a backdoor was installed), as well as prevent interaction with any other machines on the network. Let’s also assume that the site was a simple and up-to-date WordPress website running on a fully-patched Ubuntu Server.Īfter reaching out for help, the forensic team took the server offline to be able to proceed with the investigation. Let’s assume that a website that we administer got defaced. Having established that a log file is a critical asset, let’s look at an everyday example of how a log file would help identify when, how and by whom a website was hacked. This information might not be too interesting, but what if the log file has shown that a visitor with IP 88.54.124.178 requested the dump_database.php file on April 16th 2016 07:44 and the request was successful? In the absence of that log file, you might have never known that someone discovered and ran a secret or restricted script that you have on your website and that dumps the database. The above log shows that a visitor with an IP address 88.54.124.178 requested the main.php file on April 16th 2016 07:44 and the request was successful. ![]() The access.log records all requests for files. Usually, the Apache HTTP Server provides two main log files – access.log and error.log. Let’s take a backend web server as an example. This kind of information can help us monitor the performance, troubleshoot and debug applications, as well as help forensic investigators unfold the chain of events that may have led to malicious activity. Log files provide us with a precise view of the behavior of a server as well as critical information like when, how, and by whom a server is being accessed. A log file records events and actions that take place during the run time of a service or application. Almost all servers, services, and applications provide some sort of logging. A log file is an extremely valuable piece of information that is provided by a server. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |