Re: [IUG] Weblogs
Thanks for the advice. I will block that ip. Thanks to everyone else
who has responded so far. I appreciate the recommendations.
On 6/9/11 8:38 AM, Dan McMahon wrote:
For our log analysis, we use WebLog Expert (one of the recommended ones from CS Direct). I like it for general web statistics, but it's not that much help with researching any hacking directly, other than showing abnormally large numbers of page hits. (With the marcdisplay, they've been using Windows NT, which stands out too.)
For most examinations of really odd behavior in the logs, I use a good text editor, my own favorite being Text Pad. With various issues such as database access, or questions about renewals, I can see the patron record number used when they log in. I can search the logs (a single log or a whole directory of them) for a patron number or IP address, and save all those lines to another file, which really helps diagnose problem situations.
Since you have the IP that the seemingly scripted searches are coming from, can you block that in the Limit Network Access (http) table in telnet? (A/A/L/N) I've been doing that with the marcdisplay IPs as I get them, and I can see later that they're getting 403 (forbidden) errors instead of content.
MARINet, Novato CA
From: innopac-bounces at innovativeusers dot org [mailto:innopac-bounces at innovativeusers dot org] On Behalf Of Karen Johnson
Sent: Wednesday, June 08, 2011 3:36 PM
To: IUG INNOPAC List
Subject: [IUG] Weblogs
I have a few questions regarding use of weblogs.
1. What tool do you use to analyze the data? I have seen the
recommendations on CSDirect. I would like some endorsements if there
are any out there.
2. It does not appear that we can identify the credentials used for
remote access to our databases. We can see the ip but not the username
and password used in Web Access Management. Any suggestions?
Our immediate problem is that one of our databases was accessed
inappropriately according to the terms of our contract--so they tell
us. It does appear that an ip in Iran was downloading pdfs of an online
journal and that the speed of access suggests that it was automated
rather than an individual searching and downloading.
Interestingly our Web Access Management statistics do not show that this
database was accessed on the date in question even though the weblog
does. It may be that the filters in place to prevent bloated statistics
now eliminate this information as well. At least I might have been able
to see the ptype if these searches showed up but that may not have
helped much anyway. It would also be useful to see what patron record
I am not sure what we can do to prevent further incidents of this nature
and it doesn't look like we can assure the publisher of the online
journal that was targeted that we can prevent it from happening again.
We are a turnkey site.
How are folks out there handling these issues?
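Two things in this thread lend themselves to a small script rather than a text editor: Dan's workflow of searching a whole directory of logs for a patron number or IP address and saving the matching lines to a file, and Karen's observation that the speed of access from one IP suggests an automated downloader rather than a person. The example below is added here and is not code from the list, from Innovative, or from either poster. It assumes logs in Apache common/combined log format (the actual Innovative web log layout may differ, so adjust the regular expression) and uses constructed sample lines with documentation-reserved addresses.

```python
"""Search a directory of web logs for an IP address or patron-record number,
save the matching lines to a file, and flag source addresses whose request
rate suggests a script rather than a person.

Added example for this thread, not code from the list or from Innovative.
It assumes logs in Apache common/combined log format; the sample lines
below are constructed, not real server output.
"""
import re
import tempfile
from collections import defaultdict
from datetime import datetime
from pathlib import Path

# Constructed sample lines (common log format). 203.0.113.0/24 and
# 198.51.100.0/24 are reserved for documentation, so no real host is named.
SAMPLE_LOG = """\
203.0.113.7 - - [08/Jun/2011:14:01:00 -0700] "GET /journal/vol1/art1.pdf HTTP/1.1" 200 51234
203.0.113.7 - - [08/Jun/2011:14:01:02 -0700] "GET /journal/vol1/art2.pdf HTTP/1.1" 200 49876
203.0.113.7 - - [08/Jun/2011:14:01:04 -0700] "GET /journal/vol1/art3.pdf HTTP/1.1" 200 50210
203.0.113.7 - - [08/Jun/2011:14:01:06 -0700] "GET /journal/vol1/art4.pdf HTTP/1.1" 200 48800
203.0.113.7 - - [08/Jun/2011:14:01:08 -0700] "GET /journal/vol1/art5.pdf HTTP/1.1" 200 50001
198.51.100.22 - - [08/Jun/2011:14:05:10 -0700] "GET /patroninfo/p1234567/items HTTP/1.1" 200 2048
198.51.100.22 - - [08/Jun/2011:14:09:45 -0700] "GET /journal/vol1/art1.pdf HTTP/1.1" 200 51234
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def grep_logs(log_dir, needle, out_path):
    """Write every line in log_dir containing needle (an IP or patron number)
    to out_path and return the number of lines saved. This mirrors the
    search-and-save-to-another-file workflow described in the thread."""
    hits = []
    for log_file in sorted(Path(log_dir).glob("*.log")):
        with open(log_file, encoding="utf-8", errors="replace") as fh:
            hits.extend(line for line in fh if needle in line)
    Path(out_path).write_text("".join(hits), encoding="utf-8")
    return len(hits)


def flag_automated(lines, suffix=".pdf", max_gap_seconds=5.0, min_hits=3):
    """Return {ip: count} for addresses that fetched min_hits or more files
    ending in suffix with a median gap under max_gap_seconds between fetches.
    A person reading abstracts does not download a PDF every two seconds;
    the thresholds are assumptions to tune against your own traffic."""
    per_ip = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        if rec["path"].lower().endswith(suffix) and rec["status"] == 200:
            per_ip[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, stamps in per_ip.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = sorted((b - a).total_seconds() for a, b in zip(stamps, stamps[1:]))
        median_gap = gaps[len(gaps) // 2]
        if median_gap < max_gap_seconds:
            flagged[ip] = len(stamps)
    return flagged


def run_demo():
    """Write the sample log to a temporary directory, search it for a
    constructed patron number, and flag automated PDF sources."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "access.log").write_text(SAMPLE_LOG, encoding="utf-8")
        saved = grep_logs(d, "p1234567", Path(d, "patron_hits.txt"))
    return saved, flag_automated(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    saved, flagged = run_demo()
    print(f"lines saved for patron p1234567: {saved}")
    print("suspected automated PDF download sources:", flagged)
```

Run it against a real log directory by calling `grep_logs("/path/to/logs", "203.0.113.7", "hits.txt")` and `flag_automated(open("access.log"))`; an address that the rate check flags is the kind of candidate for the Limit Network Access table mentioned earlier in the thread, and the saved lines give you something concrete to show the publisher.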