Windows executable files upload
I ran my logwatch for a slightly longer period, from today back to 75 days ago, and below is what I see
Code:
915.48 MB transferred in 65987 responses (1xx 0, 2xx 45543, 3xx 11883, 4xx 8531, 5xx 30)
I notice there are these 4 Documents (0.00 MB) and 2 Windows executable files (0.00 MB). Should I ignore this or take some action on it? Also, is there any remedy for this: Attempts to use known hacks by 9 hosts were logged 21 time(s) from:
Code:
203.97.21.3: 6 Time(s)
Can't upload Windows executables
A Windows executable file cannot run on a Linux file system. Therefore, the uploader doesn't even bother to try to upload the file. I hope I am making sense to you. The Windows executable file is worthless on any Linux platform. I will give you my email address, and you may contact me if you need more help.
Bruce Baker email: brucebrookebaker@yahoo.com
Dear Bruce Baker,
Then why is logwatch reporting on Windows executable files? Is there anything for me to dig into further on this?
---------- Post added 08-31-14 at 05:26 PM ----------
Dear Habitual, yes, I have fail2ban enabled. Do I need to tweak it further?
To UnSpawn: I was careful and factual, because the output of the upload showed 0.0 executable files, which means either no luck trying or they didn't even try (moot point!). Don't ride so high and mighty on your silver steed. Some of the rest of us can make educated surmises, too.
Now as to Newbie's question: it would depend entirely on whether or not you are searching for malware in your uploads. Except that there is no file to inspect, so you're back at the original: ignore it! Okay?
Dear Unspawn,
I ran it like this:
Code:
logwatch --detail High --service All --range 'between -75 days and today' --archives --numeric > /usr/local/300814logwatch_75
but now I add this:
Code:
logwatch --detail High --service All --range 'between -75 days and today' --archives --numeric --debug > /usr/local/300814logwatch_75
What option should I put for the debug? Could it be referring to the python .exe like what we discovered previously?
Code:
[honeypot]
Code:
[Definition]
Code:
# Fail2Ban configuration file
Code:
fail2ban-regex /path/to/your/access.log /etc/fail2ban/filter.d/honeypot.conf
If you see "Success, the total number of match is <number>" then you should be good to go. If you see "Sorry, no match" then there are 2 things to check: 1.) your access.log file has been rotated or there are no hits. 2.) your /etc/fail2ban/filter.d/honeypot.conf file is poorly configured. It's Python and spacing matters! (I usually line up everything to the right of the "=" sign using spaces, not tabs, e.g.:
Code:
failregex = ^<HOST> .*"GET \/(?:%(badadmin)s).*?"
Code:
fail2ban-regex /path/to/your/access.log /etc/fail2ban/filter.d/honeypot.conf
Code:
fail2ban-client reload
Code:
sudo iptables-save > /root/safe.rules
Code:
fail2ban-client reload
I hope that's helpful. See my 2 blog posts on the fail2ban subject.
Dear Unspawn,
I have sent the file accordingly.
Remember also that what a Unix/Linux system says is "a Windows executable file" is ... an educated guess, based on observed data characteristics.
Really, the most important thing to glean from log displays such as this one is: "does this 'ring true?'" "Is this what I would expect to see from this system, if it were being used by authorized users for legitimate business purposes?" If not, then the log has just done its job of being the canary in the coal-mine. It's your job to figure out what the canary meant.
Dear Unspawn,
Which logs should I search, and is there any specific keyword or element to look into in a particular log? I would like to check whether there is anything messy.
Code:
# If you have many large log files check in which logs the term appears (once is enough) and only search those below:
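As an added example (not unSpawn's command, which is cut off on the page) of the two-pass search that comment describes, this Python script first lists which log files mention a term at all, stopping at the first hit per file as a grep -l would, and then searches only those files for the matching lines. It writes three constructed log files into a temporary directory, one of them gzip-rotated the way logwatch --archives reads them; the file names, addresses and ".exe" request lines are all constructed for this example.

```python
import gzip
import os
import re
import tempfile

# Constructed sample logs: a live access log, a rotated gzipped copy of it and
# an unrelated error log, so the first pass has something to rule out.
SAMPLE_LOGS = {
    "access.log": [
        '192.0.2.44 - - [30/Aug/2014:10:02:10 -0500] "GET /index.html HTTP/1.1" 200 5120',
        '198.51.100.7 - - [30/Aug/2014:10:05:41 -0500] "GET /setup.exe HTTP/1.1" 404 209',
    ],
    "access.log.1.gz": [
        '203.0.113.9 - - [17/Jun/2014:03:12:00 -0500] "GET /bin/update.exe HTTP/1.1" 404 209',
        '192.0.2.44 - - [17/Jun/2014:03:13:00 -0500] "GET /about.html HTTP/1.1" 200 2048',
    ],
    "error.log": [
        "[Sun Aug 31 05:26:00 2014] [error] File does not exist: /var/www/favicon.ico",
    ],
}


def write_sample_logs(directory):
    """Materialise SAMPLE_LOGS on disk, gzipping the rotated one."""
    for name, lines in SAMPLE_LOGS.items():
        path = os.path.join(directory, name)
        data = ("\n".join(lines) + "\n").encode()
        if name.endswith(".gz"):
            with gzip.open(path, "wb") as fh:
                fh.write(data)
        else:
            with open(path, "wb") as fh:
                fh.write(data)


def open_log(path):
    """Open plain or gzip-rotated logs transparently, as logwatch --archives does."""
    if path.endswith(".gz"):
        return gzip.open(path, "rt", encoding="utf-8", errors="replace")
    return open(path, "rt", encoding="utf-8", errors="replace")


def logs_containing(directory, pattern):
    """First pass (grep -l): which files mention the term? One hit per file is enough."""
    rx = re.compile(pattern)
    found = []
    for name in sorted(os.listdir(directory)):
        with open_log(os.path.join(directory, name)) as fh:
            if any(rx.search(line) for line in fh):
                found.append(name)
    return found


def matching_lines(directory, pattern, names):
    """Second pass: full search, but only in the files the first pass flagged."""
    rx = re.compile(pattern)
    results = {}
    for name in names:
        with open_log(os.path.join(directory, name)) as fh:
            results[name] = [line.rstrip("\n") for line in fh if rx.search(line)]
    return results


def triage(pattern=r"\.exe\b"):
    """Run both passes over the constructed logs; returns (flagged files, lines per file)."""
    with tempfile.TemporaryDirectory() as tmp:
        write_sample_logs(tmp)
        names = logs_containing(tmp, pattern)
        return names, matching_lines(tmp, pattern, names)


if __name__ == "__main__":
    names, hits = triage()
    print("files mentioning the term:", names)
    for name, lines in hits.items():
        for line in lines:
            print(f"{name}: {line}")
```

Point logs_containing and matching_lines at /var/log/apache2 (or wherever your web server logs live) with the same ".exe" pattern to see exactly which requests logwatch counted under "Windows executable files"; the request line and status code tell you whether anything was ever served or whether these were just probes that got a 404.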