[Dshield] apache log analyzer

dshield.org@keithbergen.com dshield.org at keithbergen.com
Wed May 18 15:00:45 GMT 2005

I found a Perl script that parsed the Access log file for certain patterns.
I made some significant modifications to it and use it for my own site.

Some of the bad parts are that it only parses 1 access log file (It could be
modified to parse access error logs). I only have a few signatures of
"attacks", and that hasn't been updated in quite a while. It runs slowly
because it parses the entire error log file (chomp didn't seem to speed it
up). It calls two small GIFs (of different colored dots) to produce a bar
chart. You can probably just create two to your liking.

Source is quoted here (Moderator can remove if that's against the rules and
I will send by request):

#!C:/perl/bin/perl.exe -w
# aTTACK cOUNTER v0.22 - filename: ac.pl
# Written by Marc Nause with vi.
# Questions? marc at audioattack.de * http://low.audioattack.de
# Last modified: Feb.01.2003 by Marc Nause
# This is free software. You may copy and change it the
# way you like it. You may not take any money for
# distributing it.
# This program reads the logfiles of the Apache server
# and shows how many times the server has been attacked by:
# - NIMDA		(worm)
# - CODE RED		(worm)
# - CGICHK		(scans for CGI scripts with known vulnerabilities)
# - WELCHIA/WEBDAV	(Some scanner that is similar to CGICHK, but I still
#			don't know what it is.)
# Major modifications from Marc's original code. Keith Bergen - March 30,
# - Now it runs as a CGI that generates the HTML code online so that you
#   don't need to run it and then open another file.
# - Removed all of the extraneous statements.
# - Fixed some perl problems - may have been identified because I use Perl
# - No longer uses separate header and footer files. They are incorporated in
#   the code. This was a personal preference.
# - Show IP and date of last attack.
# - Removed the one called "thing". Never got a hit on that one anyhow.
# - Added the Webdav/Welchia exploit attempts.

use strict;

# paths and filenames
# (assumed path: the posted copy lost this assignment; point it at your access log)
my $logfile = "C:/apache/logs/access.log";
my $ffs = "<font face=\"Georgia\" size=\"2\">";

# open logfile
open(FILE, "<", $logfile) or die "Can't open $logfile!\n\n";

# Initialize Variables
my $requests = 0;
my ($countnimda, $countcodered, $countwebdav) = (0, 0, 0);
my ($date, $date1, $date2, $ip) = ("", "", "", "");
my ($datenimda, $datecodered, $datewebdav) = ("", "", "");
my ($ipnimda, $ipcodered, $ipwebdav) = ("", "", "");

while (my $line = <FILE>) {
	$requests++;

	# get dates: the timestamp sits between "[" and "]"; the last six
	# characters before "]" are the timezone offset (e.g. " +0000") and are dropped
	my $start = (index $line, "[") + 1;
	my $end   = (index $line, "]") - 6;
	$date = substr $line, $start, ($end - $start);

	if ($requests == 1) { $date1 = $date; }	# first date in the file
	$date2 = $date;				# most recent date seen so far

	# get IP address (everything before the first space)
	my $ipend = index $line, " ";
	$ip = substr $line, 0, $ipend;

	# count NIMDA
	if ($line =~ /\/root\.exe\?\/c/i) { $countnimda++; $datenimda = $date2; $ipnimda = $ip; }
	if ($line =~ /\/cmd\.exe\?\/c/i)  { $countnimda++; $datenimda = $date2; $ipnimda = $ip; }
	# count CODE RED
	if ($line =~ /\/default\.ida\?/i) { $countcodered++; $datecodered = $date2; $ipcodered = $ip; }
	# count WEBDAV/WELCHIA (Apache writes the raw 0x90 byte into the log as the four characters \x90)
	if ($line =~ /SEARCH \/\\x90/i) { $countwebdav++; $datewebdav = $date2; $ipwebdav = $ip; }
}

# close logfile
close FILE;

# calculate some stuff
my $total = $countnimda + $countcodered + $countwebdav;
my $total2;
if ($total < 1) { $total = 1; $total2 = 0 } else { $total2 = 1 }

# percentages become pixel widths of the bar chart, so they are truncated to
# whole numbers; anything with at least one hit gets a bar at least 1 pixel wide
my $percentnimda = (($countnimda / $total) * 100);
if ($percentnimda < 100) { $percentnimda = int $percentnimda } else { $percentnimda = 100 }
if (($countnimda > 0) && ($percentnimda < 1)) { $percentnimda = 1 }
my $minusnimda = (100 - $percentnimda);

my $percentcodered = (($countcodered / $total) * 100);
if ($percentcodered < 100) { $percentcodered = int $percentcodered } else { $percentcodered = 100 }
if (($countcodered > 0) && ($percentcodered < 1)) { $percentcodered = 1 }
my $minuscodered = (100 - $percentcodered);

my $percentwebdav = (($countwebdav / $total) * 100);
if ($percentwebdav < 100) { $percentwebdav = int $percentwebdav } else { $percentwebdav = 100 }
if (($countwebdav > 0) && ($percentwebdav < 1)) { $percentwebdav = 1 }
my $minuswebdav = (100 - $percentwebdav);

print "Content-type:text/html\n\n";
print "<html><head><title>Attack Counter</title></head><body>";
print "$ffs<center>$total web server attacks - ($date1 to $date2)</font><br>\n";
print "<table border=\"2\">\n";

print "<tr><td>$ffs";
print "Attack</font></td><td>$ffs";
print "Count</font></td><td>$ffs";
print "Percent</font></td><td>$ffs";
print "Last Attempted Attack</font></td><td>$ffs";
print "Last Address</font></td></tr>";

# one table row per attack type: name, count, bar chart (two GIFs) with the
# percentage, date of the last hit, address of the last hit
# (the tails of these rows were truncated in the posted copy and follow the column headings above)
sub row {
	my ($name, $count, $percent, $minus, $lastdate, $lastip) = @_;
	return if $percent <= 0;
	print "<tr><td align=\"left\">$ffs$name</font></td>";
	print "<td align=\"right\">$ffs$count</font></td>";
	print "<td align=\"left\">$ffs<img src=\"/ac022/ac1.gif\" height=\"10\" width=\"$percent\">";
	print "<img src=\"/ac022/ac2.gif\" height=\"10\" width=\"$minus\"> $percent%</font></td>";
	print "<td>$ffs$lastdate</font></td><td>$ffs$lastip</font></td></tr>\n";
}
row("Code Red",       $countcodered, $percentcodered, $minuscodered, $datecodered, $ipcodered);
row("Nimda",          $countnimda,   $percentnimda,   $minusnimda,   $datenimda,   $ipnimda);
row("Webdav/Welchia", $countwebdav,  $percentwebdav,  $minuswebdav,  $datewebdav,  $ipwebdav);

print "</table></center></font><address><font face=\"Georgia\" size=\"2\">";
print "These are attacks that are intended for Microsoft's IIS server. ";
print "As you can see, I run an Apache server, and thus am not susceptible to these particular attacks.";
print "</font></address></body></html>";
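The same signature-counting idea in Python, as an added example that is not part of the post or of ac.pl. It keeps ac.pl's behaviour (count per signature, last date and last address per signature, integer percentage with a floor of 1 for anything that was hit) but addresses the weak spots the post mentions: signatures live in one table so new ones are a single line, the log line is parsed with a regex rather than fixed offsets so malformed lines are skipped instead of yielding garbage substrings, and the analyzer takes any iterable of lines, so several access log files can be chained into one run. The two Nimda patterns are folded into one alternation; the sample log lines are constructed for this example.

```python
import re
from dataclasses import dataclass
from itertools import chain

# Apache common/combined log line: client IP, two "-" fields, [timestamp], "request"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')

# Signature table in the spirit of ac.pl: name -> pattern matched against the request.
# Apache writes the raw 0x90 byte to the log as the four characters \x90, hence the
# doubled backslash in the WebDAV pattern.
SIGNATURES = {
    "Nimda":    re.compile(r"/(root|cmd)\.exe\?/c", re.I),
    "Code Red": re.compile(r"/default\.ida\?", re.I),
    "WebDAV":   re.compile(r"^SEARCH /\\x90", re.I),
}

@dataclass
class Tally:
    count: int = 0
    last_date: str = ""
    last_ip: str = ""

def analyze(lines):
    """Return (tallies per signature, total hits, first date seen, last date seen)."""
    tallies = {name: Tally() for name in SIGNATURES}
    first_date = last_date = ""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an Apache log line: skip rather than slice at bogus offsets
        ip, ts, req = m.group("ip"), m.group("ts"), m.group("req")
        date = ts.rsplit(" ", 1)[0]  # drop the " +0000" timezone suffix, as ac.pl does
        first_date = first_date or date
        last_date = date
        for name, rx in SIGNATURES.items():
            if rx.search(req):
                t = tallies[name]
                t.count += 1
                t.last_date = date
                t.last_ip = ip
    total = sum(t.count for t in tallies.values())
    return tallies, total, first_date, last_date

def percent(count, total):
    """Bar width as in ac.pl: integer percent, but at least 1 when there were any hits."""
    if total == 0 or count == 0:
        return 0
    return max(int(count * 100 / total), 1)

def report(lines):
    """Rows for the report table, most frequent signature first; zero-count rows are omitted."""
    tallies, total, first_date, last_date = analyze(lines)
    rows = [
        {"attack": name, "count": t.count, "percent": percent(t.count, total),
         "last_date": t.last_date, "last_ip": t.last_ip}
        for name, t in tallies.items() if t.count
    ]
    rows.sort(key=lambda r: (-r["count"], r["attack"]))
    return {"total": total, "period": (first_date, last_date), "rows": rows}

# Constructed sample log (documentation addresses, made-up requests) for a stand-alone run.
SAMPLE_LOG = """\
192.0.2.10 - - [18/May/2005:15:00:45 +0000] "GET /index.html HTTP/1.1" 200 1043
198.51.100.7 - - [18/May/2005:15:01:02 +0000] "GET /default.ida?XXXXXXXX%u9090%u6858 HTTP/1.0" 404 288
203.0.113.5 - - [18/May/2005:15:02:17 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 289
203.0.113.9 - - [18/May/2005:15:03:40 +0000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 295
198.51.100.8 - - [18/May/2005:15:04:51 +0000] "SEARCH /\\x90\\x02\\xb1\\x02\\xb1 HTTP/1.1" 411 0
this line is not an apache log entry
"""

if __name__ == "__main__":
    # To run over real files instead: report(chain.from_iterable(open(f) for f in paths))
    r = report(SAMPLE_LOG.splitlines())
    print(f"{r['total']} web server attacks ({r['period'][0]} to {r['period'][1]})")
    for row in r["rows"]:
        print(f"{row['attack']:<10} {row['count']:>5} {row['percent']:>3}%  {row['last_date']}  {row['last_ip']}")
```

Chaining several files through `chain.from_iterable` is what makes the "only parses one log file" limitation go away; the error log is a different format, so it would need its own regex rather than `LOG_RE`.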

-----Original Message-----
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
On Behalf Of Suscripcions tsolucio
Sent: Wednesday, May 18, 2005 7:31 AM
To: General DShield Discussion List
Subject: [Dshield] apache log analyzer

I want to make statistics about the attacks that our apache server suffers
every day, and of course know the attack and the source. Is there a program
that analyzes the logs and makes a report based only on the attacks? I don't
care about the visits, etc... Thanks
