01-Feb-2007

WEBLOGSCAN
I finally got some time to create the procedure to scan the webserver’s access logs for attempts to do some harm to the site. It’s still very basic but the outcome looks good. And in Dianam, it takes about 4 seconds to scan 1000 lines. Room enough, though, for some improvements, but the basis looks promising.
Just an excerpt:
================================================================================
LOG=HT_ROOT:[LOG]WWW_80_20061211_ACCESS.LOG;1
================================================================================
65.222.176.122 - - [11/Dec/2006:18:20:19 +0100] "s XP)" 501 694
65.222.176.122 - - [11/Dec/2006:18:36:11 +0100] "s XP)" 501 694
88.198.43.39 - - [12/Dec/2006:13:13:10 +0100] "HEAD / HTTP/1.1" 200 264
195.136.80.67 - - [13/Dec/2006:07:38:50 +0100] "HEAD / HTTP/1.1" 200 278
82.151.236.141 - - [14/Dec/2006:04:13:04 +0100] "HEAD / HTTP/1.1" 200 278
38.100.208.101 - - [15/Dec/2006:09:40:42 +0100] "HEAD /family/Holiday2003/22-ju
211.239.241.23 - - [15/Dec/2006:19:31:22 +0100] "OPTIONS / HTTP/1.0" 200 172
211.239.241.23 - - [15/Dec/2006:19:31:23 +0100] "OPTIONS /" 501 694
211.239.241.23 - - [15/Dec/2006:19:31:23 +0100] "- -" 0 0
211.239.241.23 - - [15/Dec/2006:19:31:29 +0100] "- -" 400 870
211.239.241.23 - - [15/Dec/2006:19:31:30 +0100] "- -" 0 0
211.239.241.23 - - [15/Dec/2006:19:31:35 +0100] "- -" 0 0
211.239.241.23 - - [15/Dec/2006:19:31:41 +0100] "- -" 0 0
211.239.241.23 - - [15/Dec/2006:19:31:46 +0100] "HELP -" 400 870
211.239.241.23 - - [15/Dec/2006:19:31:47 +0100] "- -" 0 0
211.239.241.23 - - [15/Dec/2006:19:31:52 +0100] "- -" 0 0
211.239.241.23 - - [15/Dec/2006:19:31:57 +0100] " default -" 400 870
211.239.241.23 - - [15/Dec/2006:19:31:58 +0100] "- -" 0 0

But I still have to look after GETs of non-existing pages – mostly something PHP-based. These seem to be missing at the moment.

UPDATE
Minor changes cause them to show up as well:

================================================================================
LOG=HT_ROOT:[LOG]WWW_80_20070115_ACCESS.LOG
================================================================================
74.6.86.162 - - [15/Jan/2007:05:20:06 +0100] "GET / HTTP/1.0" 200 3439
74.6.87.71 - - [15/Jan/2007:05:20:15 +0100] "GET /No%0D%0Ate-email.htm HTTP/1.0
217.175.132.3 - - [15/Jan/2007:13:25:09 +0100] "GET / HTTP/1.0" 302 337
217.175.132.3 - - [15/Jan/2007:13:25:37 +0100] "GET / HTTP/1.0" 302 337
217.175.132.3 - - [15/Jan/2007:13:25:56 +0100] "GET / HTTP/1.0" 302 337
72.30.177.181 - - [15/Jan/2007:15:24:07 +0100] "GET /easy_access.htm HTTP/1.0"
66.194.6.80 - - [15/Jan/2007:16:33:53 +0100] "GET / HTTP/1.1" 200 3477
213.186.50.160 - - [15/Jan/2007:17:59:49 +0100] "GET /a1b2c3d4e5f6g7h8i9/nonexi
213.186.50.160 - - [15/Jan/2007:17:59:49 +0100] "GET /adxmlrpc.php HTTP/1.0" 40
213.186.50.160 - - [15/Jan/2007:17:59:49 +0100] "GET /adserver/adxmlrpc.php HTT
213.186.50.160 - - [15/Jan/2007:17:59:49 +0100] "GET /phpAdsNew/adxmlrpc.php HT
213.186.50.160 - - [15/Jan/2007:17:59:49 +0100] "GET /phpadsnew/adxmlrpc.php HT
213.186.50.160 - - [15/Jan/2007:17:59:49 +0100] "GET /phpads/adxmlrpc.php HTTP/
213.186.50.160 - - [15/Jan/2007:17:59:49 +0100] "GET /Ads/adxmlrpc.php HTTP/1.0
213.186.50.160 - - [15/Jan/2007:17:59:49 +0100] "GET /ads/adxmlrpc.php HTTP/1.0
213.186.50.160 - - [15/Jan/2007:17:59:49 +0100] "GET /xmlrpc.php HTTP/1.0" 404

(This was taken from an 80-character screen so the right part is missing on most lines, but all data IS available)
The script needs some enhancements but will be available soon for download.
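
A sketch of the kind of scan described in this post, as an added Python example; it is not the author's script. The rules (only GET and POST expected, three 404s from one host within one second counting as a probe, `.php` misses flagged) and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter
# Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(.*)" (\d+) \S+$')
REQ = re.compile(r'^([A-Z]+) (\S+)(?: HTTP/\d\.\d)?$')
CTRL = re.compile(r'%[01][0-9a-fA-F]')  # URL-encoded control chars (%00-%1F)
EXPECTED = {"GET", "POST"}  # assumption: the site only serves these methods
BURST = 3                   # assumption: 3+ 404s per host per second = probe

def classify(request, status):
    """Reasons one request looks hostile (empty list = nothing noted)."""
    m = REQ.match(request)
    if not m:
        return ["malformed-request-line"]
    method, path = m.groups()
    reasons = []
    if method not in EXPECTED:
        reasons.append("unexpected-method:" + method)
    if CTRL.search(path):
        reasons.append("encoded-control-char")
    if status == 404 and path.lower().split("?")[0].endswith(".php"):
        reasons.append("missing-php-page")
    return reasons

def scan(lines):
    """Return (findings, hosts with >= BURST 404s in one second)."""
    findings, misses = [], Counter()
    for n, line in enumerate(lines, 1):
        m = CLF.match(line.strip())
        if not m:  # e.g. a line cut off at 80 columns
            findings.append((n, None, ["unparseable-line"]))
            continue
        host, when, request, status = m.groups()
        if status == "404":
            misses[(host, when)] += 1
        reasons = classify(request, int(status))
        if reasons:
            findings.append((n, host, reasons))
    return findings, sorted({h for (h, _), c in misses.items() if c >= BURST})

SAMPLE = [  # constructed lines using documentation IP ranges, not a real log
    '192.0.2.10 - - [15/Jan/2007:05:20:06 +0100] "GET / HTTP/1.0" 200 3439',
    '192.0.2.11 - - [15/Jan/2007:05:20:15 +0100] "GET /No%0D%0Ate.htm HTTP/1.0" 404 870',
    '198.51.100.7 - - [15/Jan/2007:19:31:22 +0100] "OPTIONS / HTTP/1.0" 200 172',
    '198.51.100.7 - - [15/Jan/2007:19:31:23 +0100] "- -" 0 0',
    '203.0.113.5 - - [15/Jan/2007:17:59:49 +0100] "GET /adxmlrpc.php HTTP/1.0" 404 870',
    '203.0.113.5 - - [15/Jan/2007:17:59:49 +0100] "GET /ads/adxmlrpc.php HTTP/1.0" 404 870',
    '203.0.113.5 - - [15/Jan/2007:17:59:49 +0100] "GET /xmlrpc.php HTTP/1.0" 404 870',
]
```

`scan(SAMPLE)` returns the flagged line numbers with their reasons plus the list of hosts that produced a burst of 404s; lines truncated the way the screen excerpts above are come back as `unparseable-line` instead of being silently skipped.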