.    
  


,  ,    .       .   ().          :  , , , ,  ,       .         ,      :)







   



   



ISBN 978-5-0051-1068-8

     Ridero







  ,    .       .          ,  , , , ,        .      ,     ))

    :

- ;

- ;

- ;

- .

    :

  ,    ( , , ,    );

       (,   );

,   ;

 , ,   ;

   , ,  .

     ,        . ,   ,     ,   ,     ,  ,    . ,   , ,  .           ,    .




1   -





1.1  web server logfile?


   URL- ,      . :

https://your_site_address.com/example.html

    ,  https  , your_site_address.com  ,  example.html  .

   IP-    .  HTTP- GET  -        ,   HTML  ,       .     log file -.

 ,   :    ,     ,   -.      .      log-.

,   ,      ,    ,  , , Googlebot.    IP   .

 -    ,  .       .




1.2  -


        . ,   Apache     Nginx.    ,     :

 IP- ;

  ;

 ;

  GET / POST;

  URL;

   HTTP;

 .

 ,    :

111.11.111.111 - - [12/Oct/2018:01:02:03 -0100] "GET /resources/whitepapers/retail-whitepaper/ HTTP/1.1" 200 - "Opera/1.0 (; Googlebot/2.1; +http://www.google.com/bot.html)"

 ,    , :

  ;

  /  IP-;

  ;

  .



 - WordPress

       WordPress,    .         wp-config.php.   ,    .

  : That's all, stop editing! Happy blogging.      :

define('WP_DEBUG', true);

    ,     .

    log-.         :

define('WP_DEBUG_LOG', true);

  log-  WordPress,   FTP   .       wp-content,     debug.




1.3  


 ,       ,  ,         .

  - . -      Excel.        ,   ,   .

            .

 -     .    ,   ,       . ,    ,      1.      .



Screaming Frog Log File Analyzer

       Screaming Frog Log File Analyzer.

    ,      .      .

   ,   -     URL-,   -.    .

       ,   , ,    .

    .

GoAccess     .                 .

Splunk     500  .    , , , ,   .

Logmatic.io   ,       .    ,   .    .

Logstash         .      ,   .

   web-        ,      .  ,   ,      ,  web-      ,    web-.   web-     ,  .  ,          ,    web-, ,      ,    ,      ,    . Web-  ,      web-      :

    web-      ;

       ,  web-,       .

         ,     .            DoS-  web-.

 ,    ,  :

    .

 ,    :     ,   ; ,    ,    ;   ,   ,   .

     .

    .




1.4   web-


       ,  web-     ,          .  ,       ,    web-.            .      ,  .       root (Unix)  system/administrator (Windows NT/2000/XP)   - 80/443 (    S- ),  ,       .

        ,   web-.         ,     ,     ,     .         :

  web-            (..   root,    );

   web-  web-    , ;

  web-     ,     web-;

  ,    web-,    web-;

  web-     web-, -    web-.    root/system/administrator   - web-;

  ,   web-, , ,      web-,        ;

    ,   web-,  ,    .

  ,   web-      ,    web-.           .  ,          ,       .

     DoS-   web-    ,    .      :

   web        web-;

    (uploads) web-,     ,     ;

    (uploads) web-,       web- ,  ,    .     web-        .    web-    ,   ,  ..;

 ,  -   ,       .

     ,      ,     .      ,    RAM        ,     .  ,  ,     .

              DoS-.   DoS-  ,        ,        .      (,     )   ,       ,   ,       .     DoS-, .

     ( ,   ,  ,    -  )   ,         (  SYN flood).         ,    . ,       web-,   firewall,  SYN flood .   firewall  web- SYN flood ,   ,    web-.




1.5    web-


  , aliases  shortcuts    web   ,  -      .      web-   aliases.   , -   web-     ,     web.

      web    :

         web-             web-,  ,    ;

          web-   ,     web (, CGI, ASP, PHP);

   ,       .         ,     ;

     ;

     web. ,      web-      ().

   web-    ,   web-      web-.

,  web- Apache   Limit,   web- ,    (  New, Delete, Connect, Head, Get)    web-.  Require Apache  web-       .

        .    ,  ,       ,     ,   ,    . Web-          ,     .

     web-   .  ,  URL,   ,        . Web-     ,        .        ,  ,   web-.     ,          web- .     ,   ,   . Web-     ,  - web-.

    FTP      SSH  (-    ).  -     (  ) SSH    . ,      FTP,      .  ,   ,     SSH   .

-       Unix,      ,          SSH,    ,   , ,     .

        SSH,     -   ,         Putty ( Windows) /  (Mac OS X)  ,   SSH: , ,   (      cPanel, ISPManager     ).

,      ?       , ,   . ,    () -,       ,   .

,      (  ,   -,    ..). ,             .   ,   -  -   find/grep,  ,   -  ,   ( )    .   ?  .

   () - ,        .  -  ,       ,    ,     ().   ,      ,       .  shared-     logs,         public_html (www). ,  ,       .

 SSH    -,       57.     ,     access_log  ,  access_log.1.gz, access_log.2.gz,    .

    ,     POST:

grep "POST /" access_log



cat access_log | grep "POST /"

         :

grep "POST /" access_log > post_today.txt

    ,  gzip?     zcat ( cat,    ).

zcat access_log.1.gz | grep "POST /" > post_today.txt

         .       find,     ,       (, zcat).

       ?

,      . php   .

grep "php HTTP.* 404" access_log

find . -name "*.gz" -exec zcat {} \; | grep "php HTTP.* 404"

( -exec   xargs   zcat.)

       php (   ).

find . -name "*.gz" -exec zcat {} \; | grep "php HTTP.* 403"

   ,    php 403.

        ,      -50 .    :    access_log,   access_log.*.gz,   ,     .

find . -name "*.gz" -exec zcat {} \; | grep "php HTTP.* 200" > php.txt

grep "php HTTP.* 200" access_log >> php.txt

cut -d '"' -f2 php.txt | cut -d ' ' -f2 | cut -d '?' -f1 | sort | uniq -c | sort -n | tail -50

  Wordpress   :

(  Wordpress    ,       CMS.        - ,   php    (CMS),   php .)

1 /wp-admin/edit.php

1 /wp-admin/index.php

1 /wp-admin/update-core.php

1 /wp-admin/upload.php

2 /wp-admin/users.php

3 /wp-admin/plugins.php

4 /wp-includes/x3dhbbjdu.php

4 /wp-admin/profile.php

4 /wp-admin/widgets.php

38 /wp-admin/async-upload.php

58 /wp-admin/post-new.php

1635 /wp-admin/admin-ajax.php

6732 /xmlrpc.php

14652 /wp-login.php

 ,   wp-login.php   14000,  .     (  )       .

    xmlrpc.php     . ,     (DDOS)  Wordpress    XML RPC Pingback Vulnerability.

       /wp-includes/x3dhbbjdu.php,      Wordpress  .      .

          ,          .

  ,    . ,       .     . php  404 Not Found:

find . -name "*.gz" -exec zcat {} \; | grep "php HTTP.* 404" > php_404.txt

grep "php HTTP.* 404" access_log >> php_404.txt

cut -d '"' -f2 php_404.txt | cut -d ' ' -f2 | cut -d '?' -f1 | sort | uniq -c | sort -n | tail -50

     :

1 /info.php

1 /license.php

1 /media/market.php

1 /setup.php

1 /shell.php

1 /wp-admin/license.php

1 /wp-content/218.php

1 /wp-content/lib.php

1 /wp-content/plugins/dzs-videogallery/ajax.php

1 /wp-content/plugins/formcraft/file-upload/server/php/upload.php

1 /wp-content/plugins/inboundio-marketing/admin/partials/csv_uploader.php

1 /wp-content/plugins/reflex-gallery/admin/scripts/FileUploader/php.php

1 /wp-content/plugins/revslider/temp/update_extract/revslider/configs.php

1 /wp-content/plugins/ultimate-product-catalogue/product-sheets/wp-links-ompt.php

1 /wp-content/plugins/wp-symposium/server/php/fjlCFrorWUFEWB.php

1 /wp-content/plugins/wpshop/includes/ajax.php

1 /wp-content/setup.php

1 /wp-content/src.php

1 /wp-content/themes/NativeChurch/download/download.php

1 /wp-content/topnews/license.php

1 /wp-content/uploads/license.php

1 /wp-content/uploads/shwso.php

1 /wp-content/uploads/wp-admin-cache.php

1 /wp-content/uploads/wp-cache.php

1 /wp-content/uploads/wp-cmd.php

1 /wp-content/uploads/wp_config.php

1 /wp-content/wp-admin.php

1 /wp-update.php

1 /wso2.php

2 /wp-content/plugins/dzs-zoomsounds/ajax.php

2 /wp-content/plugins/hello.php

2 /wp-content/plugins/simple-ads-manager/sam-ajax-admin.php

3 /wp-content/plugins/dzs-zoomsounds/admin/upload.php

4 /2010/wp-login.php

4 /2011/wp-login.php

4 /2012/wp-login.php

4 /wp-content/plugins/wp-symposium/server/php/index.php

  ,   . -          Revolution Slider /wp-content/plugins/revslider/temp/update_extract/revslider/configs.php WSO Shell       . , .

C   find / cat / zcat / grep    IP ,    ,   .    .

     POST ,        .

find . -name "*.gz" -exec zcat {} \; | grep "POST /.* 200" > post.txt

grep "POST /.* 200" access_log >> post.txt

cut -d '"' -f2 post.txt | cut -d ' ' -f2 | cut -d '?' -f1 | sort | uniq -c | sort -n | tail -50

    :

2 /contacts/

3 /wp-includes/x3dhbbjdu.php

7 /

8 /wp-admin/admin.php

38 /wp-admin/async-upload.php

394 /wp-cron.php

1626 /wp-admin/admin-ajax.php

1680 /wp-login.php/

6731 /xmlrpc.php

9042 /wp-login.php

     wp-login.php  xmlrpc.php,  3 POST   /wp-includes/x3dhbbjdu.php,    Wordpress,       .

     403 Forbidden ,  POST:

find . -name "*.gz" -exec zcat {} \; | grep "POST /.* 403" > post_403.txt

grep "POST /.* 403" access_log >> post_403.txt

cut -d '"' -f2 post_403.txt | cut -d ' ' -f2 | cut -d '?' -f1 | sort | uniq -c | sort -n | tail -50

     .  ,       XML RPC Pingback:

8 /xmlrpc.php

,   TOP-50   :

cut -d '"' -f2 access_log | cut -d ' ' -f2 | cut -d '?' -f1 | sort | uniq -c | sort -n | tail -50

:

6 /wp-admin/images/wordpress-logo.svg

6 /wp-admin/plugins.php

7 /wp-admin/post-new.php

8 /wp-admin/async-upload.php

9 /sitemap.xml

10 /wp-admin/users.php

13 /feed/

13 /wp-admin/

20 /wp-admin/post.php

22 /wp-admin/load-styles.php

38 /favicon.ico

52 /wp-admin/load-scripts.php

58 /wp-cron.php

71 /wp-admin/admin.php

330 /wp-admin/admin-ajax.php

1198 /

2447 /wp-login.php

   /wp-login.php access_log ,       (-   ),     wp-admin IP    ,   Wordpress   ,      wp-login.php.

   -           -,      (IP , User Agent, Referer, /).       SSH     .




2  


  ,    FTK Imager.

 

Kaspersky Security     (,     )   Windows   Kaspersky Security.

   Windows

   Windows    Kaspersky Security,    Kaspersky Security        .

,   Kaspersky Security,    Windows  KSCM8 ( Kaspersky Security).  ,   ,    .          .

   Kaspersky Security

  Kaspersky Security     TXT,     <  > \logs.        .

         .

Kaspersky Security     :

       .

     100,      .

       14     ,   .       .

          .

       (<  > \data)    .        .           .

SpIDer Guard G3      Windows   SpIDer Guard   32  Windows.

1. spiderg3.sys -, -    32- 64-;

2.      ;

3.    ( ,  ,  )     ;

4.     .

 SpIDer GuardG3

  SpIDer Guard G3  , 

HKEY_LOCAL_MACHINE\SOFTWARE\Doctor Web\Scanning Engine\SpIDer Guard\Settings

    .

 

Core/LicensePath= []

       .     .

Core/LicenseFile= []

    SpIDerG3,   .   ,  Core/LicensePath.




  .


   .

   ,     (https://www.litres.ru/pages/biblio_book/?art=56557213)  .



