That happened: episode 32

This week in “That happened: notes from #splunk”, a blog about the goings-on in the Splunk IRC channel: Splunk can tell you if you have the Darkleech, the return of Answers from the past, ruining you for all other vendors, short but wise (like Yoda), badgers.

Splunking your apache logs?

Team regex helps you protect against the Darkleech malware:

<^Brian^> http://arstechnica.com/security/2013/04/exclusive-ongoing-malware-attack-targeting-apache-hijacks-20000-sites/
<@Splunky> ^Brian^’s URL: “Exclusive: Ongoing malware attack targeting Apache hijacks 20,000 sites | Ars Technica”
<^Brian^> fyi
<^Brian^> \/[a-f0-9]{32}\/q.php <- for those of you splunking your apache logs..regex to pick up the hijack
<jtrucks> ^Brian^: awesome, thanks.
<jtrucks> ^Brian^: so like this? rex _raw="\/[a-f0-9]{32}\/q.php"
<jtrucks> my brain will not engage today.
<^Brian^> ugh, regex i think
<^Brian^> not rex
<^Brian^> !spec regex
<@Splunky> http://www.splunk.com/base/Documentation/latest/SearchReference/Regex?r=splunky
<jtrucks> thx
<mlanghor> uri=/*/q.php should work, unless you have a legitimate q.php somewhere?
<cerby> thanks peeps. *checks his webserver logs*

Update to the above, um, quotey thing: thanks to a heads-up from our own Web Dev manager Ashley, who pointed out that in fact, to catch this exploit, you would have to check your outbound IDS server traffic logs, not your Apache logs. He also suggests reading this excellent blog post on the features of the exploit. ^Brian^ could not be reached for comment. I’m kidding; he says “Yes, Ashley is right,” and adds: “Though, you should probably also be checking your Apache configurations for unknown modules.”

Answers from the past II

Apparently Drainy isn’t the only one this happens to:

<alacer> do you ever get those days when you have a splunk question, google it, and find the answer in a question that you answered?

Ruining you for all other vendors

We specialize in the ‘bewildering’ side of things in particular:

<ArturHawk> Y’all are awesome. This channel is bewilderingly helpful and interesting. Never had that from a vendor.
<mlanghor> #splunk spoils me when dealing with other vendors
<cerby> mlanghor: indeed!

Two lines of wisdom

A twofer:

<Nerf> I <3 scripted inputs
<Nerf> It’s my current “hammer looking for a nail”

<jspears> word of the day! indexation :)
<jspears> indexation, n – that feeling you get after a long day of handcrafting props and transforms

We don’t need no stinking badgers

Alacer knows enough python to be afraid:

* zxcvbnm is now known as zxcvbnm-b
* zxcvbnm-b is now known as z-badger
<jrodman> z-badger: badger!
<z-badger> Badger badger badger badger.
<jrodman> z-badger: no i have no idea but i’m born to it
<duckfez> mushroom
* z-badger snaaaaaaake
<jrodman> z-badger: usually my style is sort of lazy though
<alacer> AHHHH

<Dutchy> python checkers here?
<alacer> AAHHHH!!! IT’S A SNAKE!!!!!!
<Dutchy> haha
<alacer> but yeah, I know some python

Posted by rachel perkins