How to analyze threats in Apache logs

Analyzing Apache logs is crucial for detecting potential security threats targeting a web server. Each log entry records IP addresses, request methods, and response codes, offering valuable clues for spotting malicious activities such as SQL injection, XSS, and brute force attacks.

Monitoring Apache access logs helps uncover patterns indicative of suspicious behavior or unauthorized access attempts. Administrators can spot signs of hacking attempts, unusual traffic, or repeated probing for weaknesses. This vigilance is essential for maintaining a secure web infrastructure.

Due to their volume, Apache logs require specialized tools and a systematic approach. Common utilities such as grep, AWK, and sort aid in filtering important data, while deeper analysis can pinpoint vulnerabilities and ongoing threats. Proactive log reviews significantly reduce the risk of successful attacks.

Steps to perform threat analysis on Apache log:

Access the Apache log files.
```
$ sudo cat /var/log/apache2/access.log
```
The default location of the Apache access logs is typically in /var/log/apache2/access.log for Ubuntu and Debian-based systems or /var/log/httpd/access_log for Red Hat based systems.

For systems with high traffic, logs can rotate quickly. Ensure you're analyzing the right log file by checking rotated logs like access.log.1 or archived logs.
Analyze request methods.
```
$ awk '{print $6}' /var/log/apache2/access.log | sort | uniq -c | sort -nr
```
A POST to a page that should not accept POST data could be malicious.
Search for unusual request methods.
```
$ sudo grep -E "PUT|DELETE|TRACE" /var/log/apache2/access.log
```
While GET and POST are common methods, other methods like PUT, DELETE, or TRACE might be suspicious.
Spot high-frequency requests from a single IP.
```
$ sudo awk '{print $1}' /var/log/apache2/access.log | sort | uniq -c | sort -nr | head
```
Rapid multiple requests from a single IP might indicate a DoS attack, scanning or web scraping.
Examine for common exploit URLs.
```
$ grep -Ei "wp-login|xmlrpc|admin|setup|config" /var/log/apache2/access.log
```
Cyber attackers often attempt to access known vulnerabilities.

These endpoints might be legitimate, especially if you run a WordPress website. However, too many requests might indicate a brute-force attack.
Check for non-standard user-agents.
```
$ awk -F" '{print $6}' /var/log/apache2/access.log | sort | uniq -c | sort -nr | less
```
Attack scripts may not always send a standard browser's user-agent string.
Identify suspicious URL parameters.
```
$ grep -Ei "base64_|eval|<script>|%3cscript%3e" /var/log/apache2/access.log
```
Attackers might attempt to exploit vulnerabilities by sending malicious data in URL parameters.

Spotting these patterns might indicate attempts to perform XSS attacks or code injection.
Inspect for SQL injection attempts.
```
$ grep -Ei "union|select|drop|’|1=1" /var/log/apache2/access.log
```
These may look like URLs containing SQL-related terms.

If you see results from this command, it's critical to ensure your web applications are not vulnerable to SQL injection.
Look for unexpected HTTP response codes.
```
$ awk '($9 ~ /500/)' /var/log/apache2/access.log | sort | uniq -c | sort -nr | head -10
```
Large numbers of 500 responses could indicate successful exploitation attempts or software misconfigurations.
Identify potential command injection.
```
$ grep -Ei "&|;|cmd=|exec" /var/log/apache2/access.log
```
Searching for common command terminologies can indicate malicious activities.

Always sanitize any inputs to prevent command injection.
Filter logs based on timestamps.
```
$ awk '$4 ~ /01/Sep/2023/' /var/log/apache2/access.log | less
```
Focus your analysis on a specific timeframe if you suspect an incident took place at a particular period.
Spot suspicious file upload attempts.
```
$ grep -Ei ".php|.exe|.sh|.py" /var/log/apache2/access.log
```
Malicious users might try to upload scripts or executables.

Ensure your server configuration only allows necessary file types for uploads.
Examine logs for potential CSRF attacks.
```
$ awk -F" '{print $4}' /var/log/apache2/access.log | sort | uniq -c | sort -nr | less
```
Large numbers of unexpected referrers could be an indication.
Search for repeated 404 errors.
```
$ awk '($9 ~ /404/)' /var/log/apache2/access.log | awk '{print $7}' | sort | uniq -c | sort -nr | head -20
```
These might indicate someone trying to find vulnerabilities by guessing URL structures.

This command will show the top 20 most-requested missing URLs.
Review requests to sensitive URIs.
```
$ grep -Ei "/admin|/config|/setup" /var/log/apache2/access.log
```
Detect unauthorized attempts to access admin pages or config files.
Check for large requests.
```
$ awk '$10 > 5000' /var/log/apache2/access.log | less
```
Large requests can be an attempt to buffer overflow attacks.
Spot requests for unexpected file types.
```
$ grep -Ei ".exe|.sh|.tar|.zip" /var/log/apache2/access.log
```
Attackers might try to access or upload non-standard file types.

Filter logs for requests from a single IP.

$ grep '1.2.3.4' /var/log/apache2/access.log | less

Analyze referrer field.

$ awk -F" '{print $4}' /var/log/apache2/access.log | sort | uniq -c | sort -nr | head -10

Check for requests with no referrers or unexpected referrers.

Examine time patterns.
```
$ cut -d[ -f2 /var/log/apache2/access.log | cut -d] -f1 | awk -F: '{print $2":"$3}' | sort | uniq -c
```
Look for request patterns during off-hours, which might indicate non-human traffic or attacks.
Search for XSS attack patterns.
```
$ sudo grep "<script" /var/log/apache2/access.log
```
XSS attacks involve injecting malicious scripts into web pages viewed by other users. Spotting these patterns can help in early detection.
Examine common exploit URLs.
```
$ grep -Ei "wp-login|xmlrpc|admin|setup|config" /var/log/apache2/access.log
```
While these endpoints might be legitimate, especially for WordPress sites, excessive requests can indicate brute-force attacks.
Spot potential directory traversal attacks.
```
$ grep -E "../../" /var/log/apache2/access.log
```
These attacks involve navigating the file structure of a web server.

Directory traversal attacks attempt to access files outside of the intended directory.
Identify potential command injection attempts.
```
$ grep -Ei "&|;|cmd=|exec" /var/log/apache2/access.log
```
Command injection attacks can be devastating. Always sanitize inputs to prevent such threats.
Filter logs based on timestamps.
```
$ awk '$4 ~ /01/Sep/2023/' /var/log/apache2/access.log | less
```
If you suspect an incident occurred at a specific time, filtering logs by timestamps can help focus your analysis.
Spot suspicious file upload attempts.
```
$ grep -Ei ".php|.exe|.sh|.py" /var/log/apache2/access.log
```
Ensure your server configuration only permits necessary file types for uploads to prevent malicious uploads.

Author: Mohd Shakir Zakaria
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.

Discuss the article:

Comment anonymously. Login not required.