CentOS 6 Apache Server version: Apache/2.2.15 (Unix)

I'm thinking about how to automatically, once a day, grep all the logs in /var/log/httpd for hacker, phishing, etc. activity and e-mail it to myself so I can evaluate what I might need to do.

But what are the patterns I can look for?

I.e., we don't run WordPress and we see a lot of attempts to access WordPress-related content, obviously for an exploit. Same with phpMyAdmin.

I could do something like this repeatedly, matching common patterns we see.

# grep -r -i wp-content /var/log/httpd/

# grep -r -i php-my-admin /var/log/httpd/

How do I e-mail myself the results of each grep command, or better yet all grep results in a single e-mail?

1 Answer


You can mail the output of multiple commands like this:

{ grep -r -i wp-content /var/log/httpd/
  grep -r -i php-my-admin /var/log/httpd/
} | mailx -s SUBJECT admin@example.org

What to grep for is not so easy, though. Rather than grep for particular attack patterns, I'd grep -v all known good lines and mail what's left.

  • Can you show me an example? I am a bit confused about using -v and the man page is confusing as well: "-v, --invert-match: Invert the sense of matching, to select non-matching lines. (-v is specified by POSIX.)" – Jason Sep 06 '12 at 03:11
  • `grep -v` shows everything *except* matching lines, i.e. `grep -v FOO` will remove all lines containing FOO from the output. – Ansgar Wiechers Sep 06 '12 at 03:16
  • I got it, so I grep for all things that are normal. Can I `grep -v FOO BAR JASON 6Colors` in one large command? – Jason Sep 06 '12 at 03:23
  • You have to use `grep -v "FOO BAR JASON 6Colors"` if you want to exclude lines that contain the string "FOO BAR JASON 6Colors", or `grep -E -v "FOO|BAR|JASON|6Colors"` if you want to exclude lines that contain any of the words "FOO", "BAR", "JASON" or "6Colors". – Ansgar Wiechers Sep 06 '12 at 11:06
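The "whitelist the known-good lines, mail whatever is left" approach from the answer above, as an added worked example (this is not code from the answer or its comments). The log lines and the known-good patterns are constructed for the example; the log path, the mail address and the subject line in `daily_report` are placeholders to adapt. The whitelist is kept as one extended regex per line so it can be handed to `grep -E -v -f`, which is the `-E -v "FOO|BAR"` form from the last comment but easier to maintain once there are dozens of patterns.

```shell
#!/bin/sh
# Report Apache access-log lines that match none of a list of known-good
# patterns, then mail the remainder. Added example for the answer above;
# sample data and whitelist are constructed, not taken from a real server.

# Constructed sample lines in Apache "combined" log format. The WordPress,
# phpMyAdmin and ../etc/passwd requests stand in for the scanner noise the
# question describes; the other two lines are legitimate traffic.
SAMPLE_LOG='10.0.0.5 - - [06/Sep/2012:03:11:00 +0000] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
10.0.0.6 - - [06/Sep/2012:03:11:02 +0000] "GET /wp-login.php HTTP/1.1" 404 213 "-" "python-requests/2.1"
10.0.0.7 - - [06/Sep/2012:03:11:05 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 213 "-" "Mozilla/5.0"
10.0.0.5 - - [06/Sep/2012:03:11:09 +0000] "GET /images/logo.png HTTP/1.1" 200 5678 "-" "Mozilla/5.0"
10.0.0.8 - - [06/Sep/2012:03:12:00 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 404 213 "-" "curl/7.19"'

# Known-good patterns, one extended regex per line (constructed whitelist).
# Each pattern pins the whole request line and the status code, so a probe
# that merely mentions index.html in its query string, or a 404 for a
# path that looks like an image, is not whitelisted by accident.
KNOWN_GOOD='"GET /index\.html HTTP/1\.[01]" 200 [0-9]+
"GET /images/[A-Za-z0-9_-]+\.(png|gif|jpg) HTTP/1\.[01]" 200 [0-9]+'

# Write the whitelist to a temporary file and print its path, because
# grep -f wants a file of patterns.
write_patterns() {
    f=$(mktemp)
    printf '%s\n' "$KNOWN_GOOD" > "$f"
    echo "$f"
}

# Print every line of the log text ($1) that matches none of the patterns
# in the file $2. grep -v exits 1 when nothing is left over; that is a
# quiet day, not an error, so it must not abort a script run with set -e.
report_unknown() {
    printf '%s\n' "$1" | grep -E -v -f "$2" || true
}

# Number of leftover (unexplained) lines, for deciding whether to send mail.
count_unknown() {
    report_unknown "$1" "$2" | wc -l | tr -d ' '
}

# Daily job for cron: run the filter over the real logs and mail the
# remainder in one message, only if there is something to report.
# Log glob, address and subject are placeholders (assumptions, not from
# the original answer); mailx is the same command the answer uses.
daily_report() {
    pats=$(write_patterns)
    out=$(cat /var/log/httpd/access_log* 2>/dev/null | grep -E -v -f "$pats" || true)
    rm -f "$pats"
    if [ -n "$out" ]; then
        printf '%s\n' "$out" | mailx -s "httpd: unexplained requests $(date +%F)" admin@example.org
    fi
}

# Run the sample through the filter when invoked as: sh report.sh demo
if [ "${1:-}" = demo ]; then
    pats=$(write_patterns)
    report_unknown "$SAMPLE_LOG" "$pats"
    rm -f "$pats"
elif [ "${1:-}" = run ]; then
    daily_report
fi
```

On the constructed sample this leaves the wp-login.php, phpmyadmin and ../etc/passwd lines and drops the two legitimate requests. The pattern file grows as you explain more traffic; each pattern you add should be anchored to the request line and status code rather than to a bare path fragment, otherwise an attacker's payload that contains a whitelisted word silently disappears from the report.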