Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
A windows executable file cannot run on a linux file system. Therefore, the uploader doesn't even bother to try to upload the file. I hope I am making sense to you. The windows executable file is worthless on any linux platform. I will give you my email address, and you may contact me if you need more help.
Bruce Baker email: brucebrookebaker@yahoo.com
A windows executable file cannot run on a linux file system. (..) The windows executable file is worthless on any linux platform.
I would like to remind you that while Linux does not run PE binaries, a Linux system can be abused to serve up PE malware, so saying it is worthless is only part of the story.
Quote:
Originally Posted by Bruce Baker
Therefore, the uploader doesn't even bother to try to upload the file.
Strictly speaking, unless you have access to this members httpd logs, you have no grounds on which you can base this, which makes it an assumption. Please be careful and factual.
Quote:
Originally Posted by Bruce Baker
I will give you my email address, and you may contact me if you need more help.
You're relatively new here so I caution you to please not do that. Whatever is posted here should be handled here (with the exception of those members I trust to perform incident handling the way I like to see it done).
To UnSpawn: I was careful and factual, because the output of the upload showed 0.0 executable files, which are either no luck trying or didn't even try (moot point!). Don't ride so high and mighty on your silver steed. Some of the rest of us can make educated surmises, too.
Now as to Newbie's question: It would depend entirely on whether or not you are searching for malware in your uploads. Except that there is no file to inspect; so you're back at the original: ignore it! Okay?
Dear Unspawn,
I ran it like this:
Code:
logwatch --detail High --service All --range 'between -75 days and today' --archives --numeric > /usr/local/300814logwatch_75
but now I add this:
Code:
logwatch --detail High --service All --range 'between -75 days and today' --archives --numeric --debug > /usr/local/300814logwatch_75
What option should I put for the debug? Could it be referring to the python .exe like what we discovered previously?
If that succeeds in showing something along this line/result: Success, the total number of match is <number>
then you should be good to go.
If you see "Sorry, no match" then 2 things to check,
1.) your access.log file has been rotated or there are no hits.
2.) your /etc/fail2ban/filter.d/honeypot.conf file is poorly configured.
It's python and spacing matters! (I usually line up everything to the right of the "=" sign using spaces, not tabs. eg:
Remember also that what a Unix/Linux system says is "a Windows executable file" is ... an educated guess, based on observed data characteristics.
Really, the most important thing to glean from log displays such as this one is: "does this 'ring true?'" "Is this what I would expect to see from this system, if it were being used by authorized users for legitimate business purposes?" If not, then the log has just done its job of being the canary in the coal-mine. It's your job to figure out what the canary meant.
The Logwatch report does give some information, like show the amount of standard probing that's been done, but unfortunately no specifics. If you want to get into this you'll have to search your logs.
Dear Unspawn,
Which logs should I search, and is there any specific keyword or element to look for in a particular log? I would like to know if there is anything messy.
any specific key word or element to look into as particular log.
*This asserts logs reside in /var/log/httpd, else substitute path.
Code:
# If you have many large log files, first check in which logs the term appears (one hit is enough) and only search those below.
# Print the names of rotated, gzipped logs that contain at least one '.exe' request:
zgrep -c -m1 '\.exe' /var/log/httpd/access*.[0-9]*.gz | awk -F':' '$2 != 0 {print $1}'
# Then go for a simple wide search: request lines whose method is GET or POST and whose path ends in .exe.
# -E is needed for the (POST|GET) alternation; without it grep treats the parentheses and pipe literally.
zgrep -hE '"(POST|GET) [^ ]*\.exe[^ ]* HTTP/' /var/log/httpd/access*.[0-9]*.gz
Share results if you can't make heads nor tails of it.
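To go one step beyond the zgrep one-liners above, here is an added example (not code from this thread or from any of its posters) that parses Apache/nginx "combined" access log lines, picks out requests for .exe paths, and separates requests the server actually answered with a body (which is what matters for the point that a Linux box can serve PE malware) from failed probes. The log lines are constructed for the example; the regular expression assumes the standard combined log format, and the gzip helper assumes rotated logs are named with a .gz suffix.

```python
import gzip
import re
from collections import Counter

# Constructed sample of "combined" access log lines (not real traffic; RFC 5737 test addresses).
SAMPLE_LOG = """\
192.0.2.10 - - [30/Aug/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [30/Aug/2014:10:02:15 +0000] "GET /downloads/setup.exe HTTP/1.1" 200 734208 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
198.51.100.7 - - [30/Aug/2014:10:02:16 +0000] "GET /cgi-bin/calc.exe HTTP/1.0" 404 209 "-" "-"
203.0.113.4 - - [30/Aug/2014:10:03:40 +0000] "POST /upload.php HTTP/1.1" 302 0 "-" "python-requests/2.2.1"
203.0.113.4 - - [30/Aug/2014:10:03:41 +0000] "GET /uploads/python.exe?dl=1 HTTP/1.1" 200 1024 "-" "python-requests/2.2.1"
192.0.2.10 - - [30/Aug/2014:10:04:00 +0000] "GET /robots.txt HTTP/1.1" 200 68 "-" "Mozilla/5.0"
"""

# Standard combined log format: ip ident user [timestamp] "METHOD path PROTO" status size "referer" "agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Parse one access log line into a dict, or return None if it does not match the format."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    rec['size'] = 0 if rec['size'] == '-' else int(rec['size'])  # "-" means no body was sent
    return rec


def iter_log_lines(paths):
    """Yield lines from plain or gzip-rotated access logs (e.g. access_log, access_log.1.gz)."""
    for p in paths:
        opener = gzip.open if p.endswith('.gz') else open
        with opener(p, 'rt', errors='replace') as fh:
            for line in fh:
                yield line.rstrip('\n')


def exe_requests(lines):
    """Return parsed records whose request path ends in .exe (case-insensitive, query string ignored)."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec['path'].split('?', 1)[0].lower().endswith('.exe'):
            hits.append(rec)
    return hits


def summarize(records):
    """Split .exe hits into files actually served (2xx with a non-empty body) and failed probes."""
    served, probes = [], []
    for r in records:
        if 200 <= r['status'] < 300 and r['size'] > 0:
            served.append((r['ip'], r['path'], r['size']))
        else:
            probes.append((r['ip'], r['path'], r['status']))
    return {
        'served': served,
        'probes': probes,
        'by_ip': Counter(r['ip'] for r in records),
    }


if __name__ == '__main__':
    # Replace SAMPLE_LOG.splitlines() with iter_log_lines(glob.glob('/var/log/httpd/access*')) on a real host.
    summary = summarize(exe_requests(SAMPLE_LOG.splitlines()))
    for ip, path, size in summary['served']:
        print(f'SERVED  {ip:15} {path} ({size} bytes)')
    for ip, path, status in summary['probes']:
        print(f'PROBE   {ip:15} {path} -> {status}')
    print('clients requesting .exe files:', dict(summary['by_ip']))
```

The split between "served" and "probes" is the detail the zgrep search does not give you: a 404 for /cgi-bin/calc.exe is ordinary scanner noise, whereas a 200 with a body for a path under a writable upload directory is the case worth pulling the file and checking its headers.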