Apache logs Timeline Analysis


I love Log2timeline and have used it ever since the SANS forensics blog post on the Super Timeline talked about it. While this tool currently focuses mostly on Windows forensics, we can use its technique and the methodology Rob Lee talks about: combining multiple body files for analysis.

Case Background

Let's say you have a Linux server running Apache and it gets compromised through a vulnerability that allows an attacker to post content to the server. The attacker then places a PHP shell on the system. Most of these shells allow attackers to upload and edit files, run commands on the local system, and interact with the database. This is a fairly common scenario, and I wanted to see if I could determine what commands the attacker ran by examining the Apache access logs and matching them up with the files that were accessed on the system at the same time.

Methodology

I created a body file of file system MAC times using fls (written to /tmp/mactimes.csv, which the later steps read).

# fls -r -m / /dev/sda1 > /tmp/mactimes.csv

I grepped through the access.log and pulled out the lines that contained a POST to the PHP shell.

# grep POST access.log > /tmp/post-access.log

I wanted to combine the Apache logs with the file system times. To do this I needed to convert the Apache logs to the Sleuth Kit body format. I wrote a quick bash script to get the file into the correct format. I have since rewritten this as a Log2timeline plugin and submitted it to the project (currently it is in the dev tree and testing is being done on it).

Then I used my script to convert the filtered log into body format. The output goes to a separate file (/tmp/post-access.body) so it does not overwrite the grep output it reads from.

# log2timeline -f apache /tmp/post-access.log > /tmp/post-access.body

Then combine the two body files.

# cat /tmp/post-access.body /tmp/mactimes.csv > /tmp/combined-body.txt

Then run mactime to convert the combined body file into a CSV file (mactime takes the body file with -b; its positional arguments are date ranges, not file names).

# mactime -b /tmp/combined-body.txt -d -z EST5EDT > output.csv
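The conversion step above is the one that needs custom code, since fls and mactime already speak body format. As an added example (not the author's bash script and not the Log2timeline plugin), here is a small Python converter that parses Apache common/combined log lines, keeps only the POST requests to a chosen path, and emits Sleuth Kit 3.x body-format lines (MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime) with all four timestamps set to the request time, which is why mactime later shows them as "macb". The sample log lines are constructed for the example; the field layout of the name column follows the "[apache log]" entries shown in the output section.

```python
import re
from datetime import datetime

# Constructed sample access-log lines (common and combined format, plus one
# malformed line). These are not from the original post.
SAMPLE_ACCESS_LOG = """\
192.168.200.206 - - [01/May/2010:08:10:07 -0400] "POST /web/files/shell.php HTTP/1.1" 200 13600
10.0.0.5 - - [01/May/2010:08:10:09 -0400] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.200.206 - - [01/May/2010:08:10:12 -0400] "POST /web/files/shell.php HTTP/1.1" 200 13600
this line is garbage and should be skipped
"""

# host ident authuser [timestamp] "request" status size  (referer/agent optional)
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Apache writes the UTC offset in the timestamp, so the epoch value is
    # unambiguous regardless of the analyst's local time zone.
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "host": m.group("host"),
        "epoch": int(ts.timestamp()),
        "request": m.group("request"),
        "status": m.group("status"),
        "size": m.group("size"),
    }


def to_body_line(entry):
    """Format one parsed entry as a TSK body-format line.

    Fields: MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime.
    Inode, mode, UID, GID and size carry no meaning for a log entry, so they
    are 0; the request time is used for all four timestamps.
    """
    name = '[apache log]{host}  "{request}" {status} {size}'.format(**entry)
    # '|' is the body-format delimiter; it must not appear inside the name.
    name = name.replace("|", "_")
    t = entry["epoch"]
    return "0|{}|0|0|0|0|0|{}|{}|{}|{}".format(name, t, t, t, t)


def access_log_to_body(text, method="POST", path=None):
    """Convert access-log text to a list of body lines.

    Only requests using `method` (default POST, matching the grep step in the
    post) whose request line contains `path` are kept; unparseable lines are
    skipped rather than aborting the conversion.
    """
    out = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        if method and not entry["request"].startswith(method + " "):
            continue
        if path and path not in entry["request"]:
            continue
        out.append(to_body_line(entry))
    return out


if __name__ == "__main__":
    # Write the result to stdout so it can be concatenated with the fls body
    # file and fed to "mactime -b ... -d -z EST5EDT" exactly as in the post.
    for body_line in access_log_to_body(SAMPLE_ACCESS_LOG, path="shell.php"):
        print(body_line)
```

Because every Apache entry lands in the body file with a real epoch timestamp, mactime sorts it into the same ordered list as the fls entries, which is what lets a POST to the shell at 08:10:07 sit directly above the access time on /usr/bin/locate. Keeping the source IP, request line and status in the name column means the same row also tells you which client issued the request and whether the shell answered it.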

Output

Below is an example of the output I ended up with. In this instance the attacker ran the /usr/bin/locate command from the shell and accessed /etc/passwd. If the system is a dedicated web server without many user accounts, you should be able to get a good mapping of what went on.

Mon May 01 2010 08:10:07,0,macb,0,0,0,0,[apache log]192.168.200.206  "POST /web/files/shell.php HTTP/1.1" 200 13600
Mon May 01 2010 08:10:07,0,.a..,r/rr-xr-xr-x,0,0,129187,/usr/bin/locate
Mon May 01 2010 08:10:12,0,macb,0,0,0,0,[apache log]192.168.200.206  "POST /web/files/shell.php HTTP/1.1" 200 13600
Mon May 01 2010 08:10:12,0,.a..,r/rr-xr-xr-x,0,0,129187,/etc/passwd