Is there a script out there for tracing a hacked file back to the original vulnerable code based on access logs?

I fumbled around with that title for a while -- I'm sure it's bad. Let me explain. Say you discover (however you do) a new malicious file on a webserver, or an existing file that has been modified (with some cute obfuscated code).

For these hacks, we all know how to use stat and check the mtime and ctime (when mtime is spoofed) to gather info and use all of our favorite GNU utilities to trace it back through the logs to find the actual vulnerability (hopefully). It feels like a sixth sense at some point, but it's a waste of time and I think it can be automated.

So I was trying to automate this (with some terrible python code so far) and I thought I'd ask before I spend too much time writing code. Is there something out there that can take a given "hacked" file, and trace it back to the original vulnerability using the access logs (NCSA formatted logs)? I'm just wondering if I'm wasting time re-inventing the wheel if someone smarter than me has already greased the wheels on this?

submitted by kim_jong_com
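An added example of the correlation step the post describes (my own sketch, not the poster's script): parse NCSA-format access log lines, keep the requests logged in the minute before the file's ctime, and rank them with a simple heuristic. The log lines, hosts and change time below are constructed, and `change_time_of` assumes the log and the filesystem share a clock.

```python
import os
import re
from datetime import datetime, timedelta, timezone

# NCSA common/combined log format: host ident user [time] "request" status bytes ...
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+')

def change_time_of(path):
    # ctime rather than mtime: touch/utime can reset mtime, but ctime only moves with the clock.
    return datetime.fromtimestamp(os.stat(path).st_ctime, tz=timezone.utc)

def parse_line(line):
    """Parse one NCSA log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    method, _, rest = m.group("req").partition(" ")
    return {"host": m.group("host"), "method": method, "path": rest.split(" ")[0] if rest else "",
            "status": int(m.group("status")),
            "time": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")}

def suspicion_score(rec):
    """Crude ranking: requests that write to dynamic handlers go first."""
    score = 0
    if rec["method"] in ("POST", "PUT"):
        score += 2
    if re.search(r"\.(php|phtml|cgi|pl)(\?|$)", rec["path"]):
        score += 1
    return score

def candidate_requests(log_lines, change_time, window=timedelta(seconds=60)):
    """Requests logged within `window` before the file changed, most suspicious first."""
    hits = []
    for line in log_lines:
        rec = parse_line(line)
        if rec is None:
            continue
        age = change_time - rec["time"]
        if timedelta(0) <= age <= window:
            rec["score"] = suspicion_score(rec)
            hits.append(rec)
    return sorted(hits, key=lambda r: (-r["score"], r["time"]))

# Constructed sample log (not from a real server); the modified file's ctime is assumed below.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2000:13:54:00 -0700] "GET /index.html HTTP/1.1" 200 2326',
    '198.51.100.7 - - [10/Oct/2000:13:55:20 -0700] "POST /upload.php HTTP/1.1" 200 412',
    '203.0.113.5 - - [10/Oct/2000:13:55:30 -0700] "GET /images/logo.png HTTP/1.1" 200 9031',
]
SAMPLE_CHANGE_TIME = datetime(2000, 10, 10, 13, 55, 36, tzinfo=timezone(timedelta(hours=-7)))
```

Against a real incident, pass `change_time_of('/path/to/suspect/file')` and the full access log, and widen `window` if the web server and filesystem clocks are not in sync.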