Category Archives: access-log

PHP to parse Apache Log

I'm trying to create a simples PHP Parser to read the access Apache Log on my website and give

Each line goes like this:

42.236.10.80 - - [31/Jan/2017:10:11:31 -0200] "GET / HTTP/1.1" 301 242 "http://www.enginesistemas.com.br/" "Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36 QIHU 360SE; 360Spider"

I need the total number of entries, how many of them were errors or success(HTTP return code), what files were visited more often, the most popular referers and their %'s too, and a list of top user agents and their %'s, plus I need to separate any malicious request from the "good" ones.

Something like:

Total entries: 1500
Errors: 500
Success: 1000
The most popular file: /index.php (600 entries)
The most popular referer: google.com (500 entries | 33%)
Top user-agents: Chrome (1000 entries | 66%)
Suspicious entries: 3

The suspicious entries must be sweeped looking for keywords from vulscans like:

nikto; w3af; webscarab; acunetix; skipfish; sqlmap; netsparker; appscan; wikto; wfuzz

I've searched a lot, but I only find parser that organize the logs, nothing with these little statistics.

I'd really appreciate some help here, I'm kinda lost =/ Tks!

exclude URL from Apache Log

I have the following in my httpd.conf file, in order to exclude the url from being logged as it is a status checker:

SetEnvIf Request_URI "^/status_check.php$" dontlog=1
CustomLog "logs/access_log" combined env=!dontlog

However this is not stopping the status_check URL being logged. I have also tried various variants including:

SetEnvIf Request_URI "^/status_check\.php$" dontlog=1
SetEnvIf Request_URI "^/status_check\.php" dontlog=1
SetEnvIf Request_URI "/status_check\.php" dontlog=1
SetEnvIf Request_URI "/status_check.php" dontlog=1
SetEnvIf Request_URI "/^status_check.php" dontlog=1
SetEnvIf Request_URI "/^status_check.php$" dontlog=1

Also with just dontlog at the end without the '=1' part.

However none seem to work. I should explain the site runs on the following physical path: /var/www/vhosts/site_name

Could someone explain please what I am doing wrong? It's driving me mad.

Many Thanks

wp-login.php Flood in Acces Logs

I noticed that in my access logs these records are flooding. I'm not sure is this a brute force attack because the IP address is my server's IP.

How can I figure what's going on?

185.124.86.73 - - [27/Dec/2016:06:39:04 +0300] "POST /wp-login.php HTTP/1.0" 500 - "-" "-"
185.124.86.73 - - [27/Dec/2016:06:39:04 +0300] "POST /wp-login.php HTTP/1.0" 500 - "-" "-"
185.124.86.73 - - [27/Dec/2016:06:39:04 +0300] "POST /wp-login.php HTTP/1.0" 500 - "-" "-"
185.124.86.73 - - [27/Dec/2016:06:39:04 +0300] "POST /wp-login.php HTTP/1.0" 500 - "-" "-"
185.124.86.73 - - [27/Dec/2016:06:39:04 +0300] "POST /wp-login.php HTTP/1.0" 500 - "-" "-"
185.124.86.73 - - [27/Dec/2016:06:39:04 +0300] "POST /wp-login.php HTTP/1.0" 500 - "-" "-"
185.124.86.73 - - [27/Dec/2016:06:39:05 +0300] "POST /wp-login.php HTTP/1.0" 500 - "-" "-"
185.124.86.73 - - [27/Dec/2016:06:39:05 +0300] "POST /wp-login.php HTTP/1.0" 500 - "-" "-"
185.124.86.73 - - [27/Dec/2016:06:39:05 +0300] "POST /wp-login.php HTTP/1.0" 500 - "-" "-"
185.124.86.73 - - [27/Dec/2016:06:39:05 +0300] "POST /wp-login.php HTTP/1.0" 500 - "-" "-"
185.124.86.73 - - [27/Dec/2016:06:39:05 +0300] "POST /wp-login.php HTTP/1.0" 500 - "-" "-"

Strange entry in LAMP server access_log — what does this PHP do?

I am not sure, maybe this question is more appropriate for Server Vault, but I thought the PHP makes it relevant... ?

I see strange entries in my access log of an AWS EC2 instance I set up about a week ago to serve a custom API to an e-commerce site.

There are 5 entries like this:

66.49.205.157 - - [06/Jul/2016:15:29:43 +0000] "POST /cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%22%79%65%73%22+%2D%64+%63%67%69%2E%66%69%78%5F%70%61%74%68%69%6E%66%6F%3D%31+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1" 404 209 "-" "Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0"  
66.49.205.157 - - [06/Jul/2016:15:29:43 +0000] "POST /cgi-bin/php5?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%22%79%65%73%22+%2D%64+%63%67%69%2E%66%69%78%5F%70%61%74%68%69%6E%66%6F%3D%31+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1" 404 210 "-" "Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0"  
66.49.205.157 - - [06/Jul/2016:15:29:44 +0000] "POST /cgi-bin/php-cgi?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%22%79%65%73%22+%2D%64+%63%67%69%2E%66%69%78%5F%70%61%74%68%69%6E%66%6F%3D%31+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1" 404 213 "-" "Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0"  
66.49.205.157 - - [06/Jul/2016:15:29:44 +0000] "POST /cgi-bin/php5-cgi?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%22%79%65%73%22+%2D%64+%63%67%69%2E%66%69%78%5F%70%61%74%68%69%6E%66%6F%3D%31+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1" 404 214 "-" "Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0"  
66.49.205.157 - - [06/Jul/2016:15:29:44 +0000] "POST /cgi-bin/php-cgi.bin?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%22%79%65%73%22+%2D%64+%63%67%69%2E%66%69%78%5F%70%61%74%68%69%6E%66%6F%3D%31+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1" 404 217 "-" "Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0"  

The block of HTML encoded entities is:

-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d auto_prepend_file=php://input -d cgi.force_redirect=0 -d cgi.redirect_status_env="yes" -d cgi.fix_pathinfo=1 -d auto_prepend_file=php://input -n

Is this something normal? Or is this some sort of attempt to hack the server? Can PHP even be successfully passed as a query string parameter this way if not set up to receive a query string?

Someone also just tried:

[Wed Jul 06 19:13:08.573437 2016] [:error] [pid 15695] [client 187.245.40.133:59975] script '/var/www/html/command.php' not found or unable to stat

Apache access log meaning

I'm trying to understand my access log. I didn't find any format example like this.

2162004 93.186.15.149   [25/Apr/2016:12:53:40 +0200]    4914163 200 www.example.org "GET /foto/376.JPG HTTP/1.1"

I don't get the first long number before the IP and the second long number before the 200 status. Thanks a lot :)

Apache access log meaning

I'm trying to understand my access log. I didn't find any format example like this.

2162004 93.186.15.149   [25/Apr/2016:12:53:40 +0200]    4914163 200 www.example.org "GET /foto/376.JPG HTTP/1.1"

I don't get the first long number before the IP and the second long number before the 200 status. Thanks a lot :)

Apache access log meaning

I'm trying to understand my access log. I didn't find any format example like this.

2162004 93.186.15.149   [25/Apr/2016:12:53:40 +0200]    4914163 200 www.example.org "GET /foto/376.JPG HTTP/1.1"

I don't get the first long number before the IP and the second long number before the 200 status. Thanks a lot :)

Apache access log meaning

I'm trying to understand my access log. I didn't find any format example like this.

2162004 93.186.15.149   [25/Apr/2016:12:53:40 +0200]    4914163 200 www.example.org "GET /foto/376.JPG HTTP/1.1"

I don't get the first long number before the IP and the second long number before the 200 status. Thanks a lot :)