Author Topic: [Python] Apache server log scanner for malicious activity  (Read 789 times)


Offline sh4d0w_w4tch

  • Peasant
  • *
  • Posts: 73
  • Cookies: -1
  • Please do not feed the skids.
    • 6c.nz
[Python] Apache server log scanner for malicious activity
« on: May 14, 2015, 02:26:32 am »
I made a simple script that scans an Apache log for strings that match possible malicious activity.  When designing the script I set the comparisons to be case insensitive so that it can't be bypassed by an attacker using random case.

https://gist.github.com/sh4d0w-w4tch/7b88ad6f55d5a3513b27

The script logs all suspected entries and records line numbers from previous times it has been run.  IP addresses of attackers are listed so they can be blocked if the scan terms are reliable.  Blocking is not built into the script because there are many ways of blocking IP addresses.
« Last Edit: May 14, 2015, 02:30:40 am by sh4d0w_w4tch »
DeepCopy | Can you name a VPN provider that's like "hey use our services to hack government sites and spam the internet. Please Abuse our services"

+Polyphony | paging master hackers of evilzone: i am here to learn about your black hatted tools to hack different viruses like facebook, sql, php, and other ring zero exploits


Offline TitanFury

  • /dev/null
  • *
  • Posts: 10
  • Cookies: 0
Re: [Python] Apache server log scanner for malicious activity
« Reply #1 on: May 14, 2015, 03:30:40 am »
Wow thanks man!

I like this script a lot.

Offline kenjoe41

  • Symphorophiliac Programmer
  • Administrator
  • Baron
  • *
  • Posts: 990
  • Cookies: 224
Re: [Python] Apache server log scanner for malicious activity
« Reply #2 on: May 14, 2015, 10:49:27 am »
Line 7, are you assigning the string to that variable, or did you somehow forget to insert a prompt before the string?

I also think we should supply the log path from the command line rather than just prompting the user. I think it would be better for the audience that will use this script.
You are opening files everywhere, even though with different flags, and it looks messy to me. I know quick and dirty scripts don't have to be perfect, but there is a risk of doing something wrong with my logs and losing them accidentally.

Is that NOP a placeholder in this instance, or is it there for some other reason?
If you can't explain it to a 6 year old, you don't understand it yourself.
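The following is an added example, not the gist linked in the original post nor code by any of the posters. It shows the behaviour described in the opening post (case-insensitive signature matching over Apache log lines, a record of the last scanned line number so repeated runs only look at new entries, and a list of source IPs left for the operator to block) and takes the log path from the command line and opens the log read-only, as suggested in the reply above. The signature list, the state-file layout, the combined-log regex and the sample log lines are all assumptions constructed for this example; one thing it adds beyond the post is percent-decoding the request twice before matching, since `%2e%2e%2f` or a double-encoded `%252e%252e%252f` would otherwise slip past a plain string match just as mixed case would.

```python
#!/usr/bin/env python3
"""Scan an Apache access log (combined format) for requests that look malicious.

Added example for this thread, not the linked gist. Assumptions: combined log
format, a small JSON state file holding the last scanned line number, and the
illustrative (not exhaustive) signature list below.
"""
import json
import os
import re
import sys
import tempfile
from urllib.parse import unquote

# Apache combined format: ip ident user [time] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Illustrative indicators. re.I is what makes "UnIoN SeLeCt" match "union select".
SIGNATURES = {
    "sqli": re.compile(r"union\s+(?:all\s+)?select|'\s*or\s+'?\d+'?\s*=\s*'?\d+|sleep\(\d+\)", re.I),
    "traversal": re.compile(r"\.\./|/etc/passwd|boot\.ini", re.I),
    "xss": re.compile(r"<script|javascript:|onerror\s*=", re.I),
    "scanner_ua": re.compile(r"\b(?:sqlmap|nikto|masscan|nmap)\b", re.I),
}

# Constructed sample log lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [14/May/2015:02:20:01 +0000] "GET /index.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [14/May/2015:02:20:05 +0000] "GET /index.php?id=1%20UnIoN%20SeLeCt%201,2,3 HTTP/1.1" 500 0 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [14/May/2015:02:21:10 +0000] "GET /download?f=%252e%252e%252f%252e%252e%252fetc/passwd HTTP/1.1" 404 0 "-" "curl/7.40"',
    '198.51.100.4 - - [14/May/2015:02:21:12 +0000] "GET / HTTP/1.1" 200 1024 "-" "sqlmap/1.0"',
    'garbage line that is not a log entry',
    '203.0.113.7 - - [14/May/2015:02:22:00 +0000] "POST /comment HTTP/1.1" 302 0 "http://evil.example/<ScRiPt>" "Mozilla/5.0"',
]


def normalize(s: str) -> str:
    """Percent-decode twice so %2e%2e%2f and double-encoded %252e%252e%252f both become ../."""
    return unquote(unquote(s))


def classify(line: str):
    """Return (ip, [matched signature names]) for one line, or None if it does not parse."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    # Path, referer and user agent are all attacker-controlled, so check all three.
    haystacks = [normalize(m.group("path")), normalize(m.group("referer") or ""), m.group("ua") or ""]
    hits = [name for name, rx in SIGNATURES.items() if any(rx.search(h) for h in haystacks)]
    return m.group("ip"), hits


def scan_lines(lines, first_line_no=1):
    """Scan an iterable of lines; returns (findings, last line number seen)."""
    findings, n = [], first_line_no - 1
    for n, line in enumerate(lines, start=first_line_no):
        result = classify(line)
        if result is None:
            continue  # unparseable line: skip it rather than crash the whole scan
        ip, hits = result
        if hits:
            findings.append({"line": n, "ip": ip, "hits": hits, "raw": line.rstrip("\n")})
    return findings, n


def attacker_ips(findings):
    """Distinct source IPs from the findings, sorted; blocking is left to the operator."""
    return sorted({f["ip"] for f in findings})


def scan_file(log_path, state_path):
    """Scan only lines added since the last run. The log itself is only ever opened for reading."""
    try:
        with open(state_path) as fh:
            state = json.load(fh)
    except (OSError, ValueError):
        state = {}
    done = state.get("line", 0) if state.get("log") == log_path else 0
    with open(log_path, "r", errors="replace") as fh:
        lines = fh.readlines()
    if len(lines) < done:  # log rotated or truncated since last run: rescan from the top
        done = 0
    findings, last = scan_lines(lines[done:], first_line_no=done + 1)
    with open(state_path, "w") as fh:
        json.dump({"log": log_path, "line": last}, fh)
    return findings


def demo_incremental(workdir=None):
    """Write SAMPLE_LOG to a temp dir, scan, append one line, scan again; returns both result lists."""
    workdir = workdir or tempfile.mkdtemp()
    log, state = os.path.join(workdir, "access.log"), os.path.join(workdir, "state.json")
    with open(log, "w") as fh:
        fh.write("\n".join(SAMPLE_LOG) + "\n")
    first = scan_file(log, state)
    with open(log, "a") as fh:  # simulate a new request arriving after the first run
        fh.write('192.0.2.1 - - [14/May/2015:02:30:00 +0000] "GET /?q=1%27%20or%20%271%27%3D%271 HTTP/1.1" 200 10 "-" "Mozilla/5.0"\n')
    return first, scan_file(log, state)


if __name__ == "__main__":
    if len(sys.argv) not in (2, 3):
        sys.exit(f"usage: {sys.argv[0]} /path/to/access.log [state.json]")
    log, state = sys.argv[1], (sys.argv[2] if len(sys.argv) == 3 else sys.argv[1] + ".scanstate.json")
    found = scan_file(log, state)
    for f in found:
        print(f"line {f['line']:>7} {f['ip']:<15} {','.join(f['hits']):<12} {f['raw'][:120]}")
    print("candidate IPs to block:", " ".join(attacker_ips(found)) or "none")
```

Two caveats a practitioner would add: the rotation check only catches a log that shrank, so a rotated log that has already grown past the old line count would be partially skipped (tracking inode and byte offset is the usual fix), and a signature list this short will produce false positives on legitimate traffic (a blog post whose URL contains "select", for instance), which is why the IP list is printed for review rather than fed straight into a firewall.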

Offline sh4d0w_w4tch

  • Peasant
  • *
  • Posts: 73
  • Cookies: -1
  • Please do not feed the skids.
    • 6c.nz
Re: [Python] Apache server log scanner for malicious activity
« Reply #3 on: May 14, 2015, 04:03:05 pm »
Line 7, are you assigning the string to that variable, or did you somehow forget to insert a prompt before the string?

I also think we should supply the log path from the command line rather than just prompting the user. I think it would be better for the audience that will use this script.
You are opening files everywhere, even though with different flags, and it looks messy to me. I know quick and dirty scripts don't have to be perfect, but there is a risk of doing something wrong with my logs and losing them accidentally.

Is that NOP a placeholder in this instance, or is it there for some other reason?

Line 7 was going to be consistent, but I can change it to sys.argv[1].  I will improve the file opening.  I should have used pass instead of the NOP hex but I couldn't remember it.