Web Server Stats: What to do with hax0r traffic
In my ongoing quest to produce a measure of real human use of the site, I now come to malicious traffic.
First thing: how to identify malicious traffic?
In an earlier post I describe creating fake hacker targets like /_vti_bin/owssvr.dll (on our LAMP server). I could grep access logs for known malicious URLs like that. Problem: it is high maintenance. The bad guys are always discovering and trying new vulnerabilities, and I would somehow have to keep my list of URLs up to date with theirs.
I could instead look for large numbers of 404s per host, since probes for vulnerabilities the site does not have will fail. (Well, they would if I removed the fake targets, which exist precisely so that those probes do not 404.) A single 404 from a browser following a stale link is normal; what marks a scanner is one host collecting many of them, usually within a few seconds.
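Both approaches, the known-bad URL list and the 404-per-host count, can be run over the same access log in one pass. The following is an added example, not code from the original post: it parses Apache combined-format lines, counts 404s per client host, flags any host that requests a known probe path (the post's /_vti_bin/owssvr.dll is the only entry; a real list would grow), and reports which hosts survive both filters as candidates for "real human use". The log lines, the threshold of five 404s and the RFC 5737 addresses are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Apache "combined" log format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)

# Paths only a probe would ask for. The fake target from the post is the one
# real entry; keeping such a list current is the maintenance cost mentioned above.
KNOWN_PROBE_PATHS = {"/_vti_bin/owssvr.dll"}

# Constructed sample access log (hosts are RFC 5737 documentation addresses).
# 203.0.113.5 scans for admin panels, then hits the fake target.
# 198.51.100.7 is a browser that follows one stale link.
# 192.0.2.9 hits only the fake target, so the 404 count alone would miss it.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2010:13:55:36 -0700] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "Mozilla/4.0"
203.0.113.5 - - [10/Oct/2010:13:55:37 -0700] "GET /pma/ HTTP/1.1" 404 209 "-" "Mozilla/4.0"
203.0.113.5 - - [10/Oct/2010:13:55:37 -0700] "GET /myadmin/ HTTP/1.1" 404 209 "-" "Mozilla/4.0"
203.0.113.5 - - [10/Oct/2010:13:55:38 -0700] "GET /wp-login.php HTTP/1.1" 404 209 "-" "Mozilla/4.0"
203.0.113.5 - - [10/Oct/2010:13:55:38 -0700] "GET /admin/config.php?cmd=id HTTP/1.1" 404 209 "-" "Mozilla/4.0"
203.0.113.5 - - [10/Oct/2010:13:55:39 -0700] "GET /_vti_bin/owssvr.dll HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.7 - - [10/Oct/2010:14:02:01 -0700] "GET / HTTP/1.1" 200 3041 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/3.6"
198.51.100.7 - - [10/Oct/2010:14:02:02 -0700] "GET /style.css HTTP/1.1" 200 812 "http://example.com/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/3.6"
198.51.100.7 - - [10/Oct/2010:14:02:40 -0700] "GET /about.html HTTP/1.1" 200 2210 "http://example.com/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/3.6"
198.51.100.7 - - [10/Oct/2010:14:03:15 -0700] "GET /old-page.html HTTP/1.1" 404 209 "http://example.com/about.html" "Mozilla/5.0 (X11; Linux x86_64) Firefox/3.6"
192.0.2.9 - - [10/Oct/2010:15:10:00 -0700] "GET /_vti_bin/owssvr.dll HTTP/1.1" 200 512 "-" "-"
this line is not an access log record
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Drop the query string so "/x.php?cmd=id" and "/x.php" count as the same path.
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec


def analyze(lines):
    """Return (not_found_per_host, known_probe_hits, unparsed_count).

    not_found_per_host: Counter of 404 responses keyed by client host.
    known_probe_hits:   dict host -> list of known probe paths it requested.
    unparsed_count:     lines that did not match the log format (worth eyeballing).
    """
    not_found = Counter()
    known_hits = defaultdict(list)
    unparsed = 0
    for raw in lines:
        rec = parse_line(raw.rstrip("\n"))
        if rec is None:
            unparsed += 1
            continue
        if rec["status"] == 404:
            not_found[rec["host"]] += 1
        if rec["path"] in KNOWN_PROBE_PATHS:
            known_hits[rec["host"]].append(rec["path"])
    return not_found, dict(known_hits), unparsed


def suspect_hosts(lines, threshold=5):
    """Hosts with at least `threshold` 404s, or any request for a known probe path."""
    not_found, known_hits, _ = analyze(lines)
    flagged = {host for host, n in not_found.items() if n >= threshold}
    return flagged | set(known_hits)


def human_hosts(lines, threshold=5):
    """Hosts that survive both filters: the candidates for real human use."""
    seen = {rec["host"] for rec in (parse_line(l.rstrip("\n")) for l in lines) if rec}
    return seen - suspect_hosts(lines, threshold)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    not_found, known_hits, unparsed = analyze(lines)
    for host, n in not_found.most_common():
        print(f"{host:16} {n:3d} x 404")
    print("known probe hits:", known_hits)
    print("unparsed lines:  ", unparsed)
    print("suspect hosts:   ", sorted(suspect_hosts(lines)))
    print("human hosts:     ", sorted(human_hosts(lines)))
```

Run against a real log with `analyze(open("/var/log/apache2/access.log"))`. The threshold is per log file here; on a busy site, bucket by host and time window instead, since a scanner's 404s arrive in a burst while a human's stale links are spread over a session.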
Labels: 404, Apache log, hacker, System Administration, web server logs