Saturday, January 30, 2010

SANS Article -- Weathering the Storm Part 2

Weathering the Storm Part 2 @ http://blogs.sans.org/appsecstreetfighter/2010/01/29/weathering-the-storm-part-2-a-day-of-weblogs-at-the-internet-storm-center/

This is pretty cool. This article describes how to parse web server logs for RFI (remote file inclusion). It actually pinpoints the URLs that contain the malicious code.

At first I had an issue in following the logic of the write-up, but when I looked at the scripting, I edited it slightly and used the following:

# cut reads the named files directly, so no leading cat is needed; sort before uniq -c so identical URLs across files are aggregated
cut -f2 -d'"' access_log* | grep '=http' | grep -v 'utmr=http' | sed 's/.*=http/http/' | sort | uniq -c | sort -rn > /root/WTSP2.txt
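The same pipeline as an added example (not code from the SANS article or this post), wrapped in a POSIX shell function and run over a few constructed combined-format log lines; the function name rfi_candidates and the sample lines are assumptions for the demo. It also strips the trailing HTTP version from the request so identical URLs aggregate into one count:

```shell
#!/bin/sh
# Added example: extract candidate remote-file-inclusion URLs from Apache
# combined-format access logs and count them. Not the original author's script.
# Assumes the request string is field 2 when each line is split on '"'.
# Sample log lines below are constructed for this demo (RFC 5737 addresses).
SAMPLE_LOG=$(cat <<'EOF'
203.0.113.5 - - [29/Jan/2010:10:00:01 +0000] "GET /index.php?page=http://example.invalid/shell.txt? HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.6 - - [29/Jan/2010:10:00:02 +0000] "GET /index.php?page=http://example.invalid/shell.txt? HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [29/Jan/2010:10:00:03 +0000] "GET /__utm.gif?utmr=http://referrer.example/ HTTP/1.1" 200 35 "-" "Mozilla/5.0"
198.51.100.8 - - [29/Jan/2010:10:00:04 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.9 - - [29/Jan/2010:10:00:05 +0000] "GET /wp/?cfg=http://another.invalid/c99.txt HTTP/1.1" 404 100 "-" "curl"
EOF
)

# rfi_candidates: read access-log lines on stdin, print "count url" lines,
# most frequent first. Hypothetical helper name.
rfi_candidates() {
    cut -f2 -d'"' \
    | grep '=http' \
    | grep -v 'utmr=http' \
    | sed 's/.*=http/http/' \
    | sed 's/ HTTP\/[0-9.]*$//' \
    | sort | uniq -c | sort -rn \
    | sed 's/^ *//'
}

# Run against the constructed sample when executed directly.
printf '%s\n' "$SAMPLE_LOG" | rfi_candidates
```

The Google Analytics beacon (utmr=http...) is dropped, as in the post, because it is a legitimate referrer parameter rather than an inclusion attempt.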
Yeah, I unzipped the .gz files so that I could have the script parse ALL of the access logs. The result is here.

For people who want to perform forensics on these URLs, have at it but note that some of the links may be old and may no longer exist (or may be blocked or purposely taken down).