I am checking my web server logs to track an adversary. Any useful tips?
Logs are like the "black box" of an aircraft: they are the primary source of clues after an incident. A typical web server access log entry, in the Common Log Format that Apache and most other servers write by default, looks like this (one line in the log file):
    192.168.0.1 - - [02/Jun/2006:06:56:12 +0530] "GET /Demo/page2.htm HTTP/1.0" 200 5593
Each time a browser requests a page or runs a CGI script, the web server appends an entry with the following fields to its access log:
- Site - the IP address or hostname of the client that made the HTTP request. In the example, the remote host is 192.168.0.1. Servers log the bare IP address unless reverse DNS lookups are switched on; prefer the address, because the PTR record that produces the hostname is controlled by whoever controls that address space and cannot be trusted on its own
- LogName (ident) - the login name that the client machine's identd service reports for the connection, if the server asks for it (RFC 1413). Most hosts do not run identd, and the answer comes from the client itself, so this field is almost always a dash (-) and is never evidence on its own
- FullName (authuser) - despite the label, this field never holds a full name. It holds the user ID the client supplied when the server required HTTP authentication for the request; a dash (-) means the page was served without authentication
- Date - date of the HTTP request. In the example, the date is 02/Jun/2006
- Time - time of the HTTP request, in 24-hour format, taken from the server's own clock. In the example, the time is 06:56:12. If that clock is not synchronised (for example with NTP), every correlation with other logs inherits the error
- GMToffset - the signed offset of the server's time zone from GMT (UTC). In the example, +0530 means the server writes times five and a half hours ahead of GMT, so 06:56:12 +0530 is 01:26:12 GMT. This describes the server, not the client
- Request - the HTTP method. Ordinary page retrievals use GET, as in the example, but POST, HEAD and other methods also appear; form submissions and many attacks arrive as POST, and the POST body is not written to the access log
- File - path and filename of the requested file, exactly as the client sent it. In the example line the file is /Demo/page2.htm. Attack attempts usually show up here: directory traversal sequences (../), requests for CGI scripts that do not exist, or query strings full of quotes and shell metacharacters
- Proto - protocol and version used for the request. In the example, HTTP/1.0 is used
- Status - the status code the server returned. In the example, the status is 200 (success). 404 means the file did not exist, 403 means access was forbidden, and 5xx codes mean the server failed while processing the request; a run of 404s from one address is the signature of someone probing for scripts and directories
- Length - the number of bytes in the response body, excluding headers. In the example, the length is 5593 bytes. A dash (-) means nothing was sent
While tracking down an attacker, the fields to look at are:
- The Site field for the source IP address or the source hostname
- The Date and Time fields for when the attack happened
- The GMT offset field, which is needed to convert the server's local time to GMT before comparing it with logs kept elsewhere; it does not indicate where the attack came from
- The Request, File and Status fields for what was attempted and whether it succeeded
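As an added example (not part of the original answer), the following Python script parses Common Log Format lines like the one above, converts each timestamp to GMT using the offset field, and groups requests by the Site field so that one visitor's activity can be read as a whole. The lines in SAMPLE_LOG are constructed for this example (the first is the page's own example line), and the error-ratio threshold in suspicious_sources is an illustrative choice, not a standard.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Common Log Format (CLF), one request per line:
#   host ident authuser [dd/Mon/yyyy:HH:MM:SS +zzzz] "method path proto" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<authuser>\S+) '
    r'\[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<length>\d+|-)$'
)

# Constructed sample log (not from a real server). The first line is the page's
# example; the 10.0.0.7 lines imitate a probe for scripts and directories.
SAMPLE_LOG = """\
192.168.0.1 - - [02/Jun/2006:06:56:12 +0530] "GET /Demo/page2.htm HTTP/1.0" 200 5593
192.168.0.1 - - [02/Jun/2006:06:56:13 +0530] "GET /Demo/logo.gif HTTP/1.0" 200 1204
10.0.0.7 - - [02/Jun/2006:07:01:40 +0530] "GET /cgi-bin/../../../etc/passwd HTTP/1.0" 404 289
10.0.0.7 - - [02/Jun/2006:07:01:41 +0530] "GET /cgi-bin/old.cgi HTTP/1.0" 404 289
10.0.0.7 - - [02/Jun/2006:07:01:42 +0530] "GET /admin/ HTTP/1.0" 403 312
10.0.0.7 - - [02/Jun/2006:07:01:43 +0530] "POST /cgi-bin/feedback.cgi HTTP/1.0" 500 611
10.0.0.7 - - [02/Jun/2006:07:01:44 +0530] "GET /Demo/ HTTP/1.0" 200 2048
this line is not in CLF and is skipped
"""


def parse_line(line):
    """Split one CLF line into its fields; return None for lines that do not match."""
    m = CLF_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    # The offset (+0530) is the server's time zone, not the client's. Convert to UTC
    # so the time can be compared with ISP or proxy logs kept in another zone.
    local = datetime.strptime(rec['time'], '%d/%b/%Y:%H:%M:%S %z')
    rec['utc'] = local.astimezone(timezone.utc)
    rec['status'] = int(rec['status'])
    rec['length'] = 0 if rec['length'] == '-' else int(rec['length'])
    return rec


def summarize_by_source(log_text):
    """Group requests by the Site field so one visitor's activity is read as a whole."""
    summary = defaultdict(lambda: {'requests': 0, 'errors': 0, 'first_utc': None,
                                   'last_utc': None, 'paths': []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line; a production tool should count and report these
        s = summary[rec['host']]
        s['requests'] += 1
        if rec['status'] >= 400:
            s['errors'] += 1
        if s['first_utc'] is None or rec['utc'] < s['first_utc']:
            s['first_utc'] = rec['utc']
        if s['last_utc'] is None or rec['utc'] > s['last_utc']:
            s['last_utc'] = rec['utc']
        s['paths'].append('%s %s -> %d' % (rec['method'], rec['path'], rec['status']))
    return dict(summary)


def suspicious_sources(summary, min_requests=3, error_ratio=0.5):
    """Return sources whose requests mostly failed. Probing for files and scripts that
    do not exist produces a run of 4xx/5xx responses that normal browsing does not.
    The thresholds are illustrative, not a standard."""
    return sorted(host for host, s in summary.items()
                  if s['requests'] >= min_requests
                  and s['errors'] / s['requests'] >= error_ratio)


if __name__ == '__main__':
    summary = summarize_by_source(SAMPLE_LOG)
    for host in suspicious_sources(summary):
        s = summary[host]
        print('%s: %d requests, %d errors, active %s to %s (UTC)' % (
            host, s['requests'], s['errors'],
            s['first_utc'].isoformat(), s['last_utc'].isoformat()))
        for p in s['paths']:
            print('   ', p)
```

Run against a real access log by replacing SAMPLE_LOG with the file's contents. The first-seen and last-seen times printed in UTC are what you hand to an ISP or proxy operator, since their records are kept in their own time zone and a one-hour slip points at the wrong customer.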
This information can be combined with other logs, such as the login/logout records of Internet service providers or mail server logs, to discover the actual identity of the attacker. In most cases ISPs assign IP addresses dynamically each time a customer dials in. From the web server logs we learn only that the attacker used an address from a particular ISP's range at a particular time; the ISP's own logs are needed to find out which account was assigned that address then. Give the ISP the time in GMT, or state the server's offset explicitly, because their records are kept in their own time zone and an hour's error points at the wrong customer.
Another situation is when the attacker reaches the web server through a proxy, for example the one at his company. Here the web server records the proxy's address and not the address of the attacker's machine, so the company must be asked to check its proxy server's logs to find the actual client. Some proxies add the original client address in an X-Forwarded-For header, and the web server can be configured to log it, but that header is set by whoever sent the request and can be forged or omitted, so treat it as a lead to confirm against the proxy's logs, not as proof. Thus, while conducting forensic analysis to track down an attacker, prompt assistance and coordination from ISPs and other organisations is required.