Koozali.org: home of the SME Server

Find Web Access in Logs for 31/10/2003 at 16:15

Gavin Jolly

Find Web Access in Logs for 31/10/2003 at 16:15
« on: November 02, 2003, 07:20:48 PM »
I need to find what websites were accessed at this time to work out where GATOR was installed from and then to talk to the culprit. How would I find this in the logs?

SME 5.6 running as gateway server for home network.

Gavin

Paul

Re: Find Web Access in Logs for 31/10/2003 at 16:15
« Reply #1 on: November 02, 2003, 09:49:33 PM »
Gavin,

Take a look at your squid/access.log and look for entries at around 1067616900.000 (this is EXACTLY 10/31/2003 at 16:15).

Squid logs (and others) show date and time as a UNIX timestamp and need to be converted. If you need to do some more date/time conversions there is a handy little tool at http://www.onlineconversion.com/unix_time.htm

Good Luck

Gavin Jolly

Re: Find Web Access in Logs for 31/10/2003 at 16:15
« Reply #2 on: November 03, 2003, 10:27:59 AM »
Thanks, found it. I think the time on my server is wrong or the Gator log files I found were wrong. Anyway, I am confused. The log files seem to indicate that Gator may have come from MSN. Here is a section of the logs. After the Yoga Site there is some MSN activity, then at 1067593465.020 gator gets its first mention. Any comments?

1067593143.122     18 192.168.1.20 TCP_MEM_HIT/200 1340 GET http://www.yogasite.com/images/ilinks1.gif - NONE/- image/gif
1067593143.294    160 192.168.1.20 TCP_MISS/000 0 GET http://www.yogasite.com/images/imeditation2.gif - DIRECT/199.231.130.142 -
1067593143.308      4 192.168.1.20 TCP_MEM_HIT/200 1445 GET http://www.yogasite.com/images/imeditation.gif - NONE/- image/gif
1067593143.321     11 192.168.1.20 TCP_MEM_HIT/200 1269 GET http://www.yogasite.com/images/ilinks2.gif - NONE/- image/gif
1067593145.583      9 192.168.1.20 TCP_MEM_HIT/200 1340 GET http://www.yogasite.com/images/ilinks1.gif - NONE/- image/gif
1067593145.632     49 192.168.1.20 TCP_MISS/200 1714 GET http://www.yogasite.com/images/imeditation2.gif - DIRECT/199.231.130.142 image/gif
1067593145.687      3 192.168.1.20 TCP_MEM_HIT/200 1445 GET http://www.yogasite.com/images/imeditation.gif - NONE/- image/gif
1067593145.717     13 192.168.1.20 TCP_MEM_HIT/200 1612 GET http://www.yogasite.com/images/ipranayama2.gif - NONE/- image/gif
1067593145.797      3 192.168.1.20 TCP_MEM_HIT/200 1385 GET http://www.yogasite.com/images/ipranayama1.gif - NONE/- image/gif
1067593145.808      8 192.168.1.20 TCP_MEM_HIT/200 1351 GET http://www.yogasite.com/images/istyles2.gif - NONE/- image/gif
1067593147.784   5793 192.168.1.20 TCP_MISS/000 0 GET http://i92.netscape.com/c.cgi? - DIRECT/207.200.84.47 -
1067593148.164      3 192.168.1.20 TCP_MEM_HIT/200 5822 GET http://www.yogasite.com/images/logosob.gif - NONE/- image/gif
1067593148.450    296 192.168.1.20 TCP_MISS/200 3206 GET http://www.yogasite.com/images/ad-kimpton2.gif - DIRECT/199.231.130.142 image/gif
1067593149.108   1313 192.168.1.20 TCP_MISS/200 20945 GET http://www.yogasite.com/yogastyles.html - DIRECT/199.231.130.142 text/html
1067593159.713    401 192.168.1.21 TCP_MISS/404 368 POST http://activex.microsoft.com/objects/ocget.dll - DIRECT/207.46.196.108 text/html
1067593160.129    406 192.168.1.21 TCP_MISS/404 404 POST http://codecs.microsoft.com/isapi/ocget.dll - DIRECT/207.46.196.120 -
1067593248.537    226 192.168.1.21 TCP_MISS/200 763 GET http://rad.msn.com/ADSAdClient31.dll? - DIRECT/65.54.194.118 text/html
1067593362.919    404 192.168.1.21 TCP_MISS/500 1068 POST http://activex.microsoft.com/objects/ocget.dll - DIRECT/207.46.196.108 -
1067593363.333    404 192.168.1.21 TCP_MISS/404 404 POST http://codecs.microsoft.com/isapi/ocget.dll - DIRECT/207.46.196.120 -
**********************
***  GATOR HERE
*********************
1067593465.020     48 192.168.1.21 TCP_HIT/200 597 GET http://bg2.gator.com/gbsf/gbaxl2.dat - NONE/- text/plain
1067593465.382    360 192.168.1.21 TCP_MISS/302 285 GET http://hotmail.com/ - DIRECT/64.4.52.7 -
1067593466.260    358 192.168.1.21 TCP_MISS/302 526 GET http://lc1.law5.hotmail.passport.com/cgi-bin/login - DIRECT/64.4.52.7 text/html
1067593466.548   1247 192.168.1.21 TCP_MISS/200 506 POST http://gbs.gator.com/gbs/gbs.dll? - DIRECT/64.152.73.153 application/octet-stream
1067593466.668     56 192.168.1.21 TCP_MISS/200 866 GET http://bc2.gator.com/gbsf/gd/ho/hotmail.com.gtrg2ze - DIRECT/64.152.73.175 application/x-msdos-program
1067593466.917    373 192.168.1.21 TCP_MISS/302 659 GET http://ld.cb.msn.com/ - DIRECT/207.68.172.239 text/html
1067593467.454    346 192.168.1.21 TCP_MISS/200 1307 GET http://loginnet.passport.com/login.srf? - DIRECT/65.54.229.248 text/html
1067593468.250    537 192.168.1.21 TCP_MISS/200 850 POST http://gbs.gator.com/gbs/gbs.dll? - DIRECT/64.152.73.153 application/octet-stream
1067593468.352     28 192.168.1.21 TCP_MISS/200 981 GET http://bc2.gator.com/gbsf/gd/pa/passport.com.gtrg2ze - DIRECT/64.152.73.175 application/x-msdos-program
1067593468.454     10 192.168.1.21 TCP_MEM_HIT/200 771 GET http://bc2.gator.com/gbsf/gg/1371/1371-8.grp2ze - NONE/- text/plain
1067593468.569     15 192.168.1.21 TCP_MEM_HIT/200 569 GET http://bc2.gator.com/gbsf/ga/1/1.gaze - NONE/- text/plain
1067593468.628      4 192.168.1.21 TCP_MEM_HIT/200 851 GET http://bc2.gator.com/gbsf/gb/14582/14582-1.gbd3ze - NONE/- text/plain
1067593468.665     21 192.168.1.21 TCP_MEM_HIT/200 859 GET http://bc2.gator.com/gbsf/gb/14599/14599-3.gbd3ze - NONE/- text/plain
1067593468.740     14 192.168.1.21 TCP_MEM_HIT/200 867 GET http://bc2.gator.com/gbsf/gb/14600/14600-3.gbd3ze - NONE/- text/plain
1067593468.768     14 192.168.1.21 TCP_MEM_HIT/200 835 GET http://bc2.gator.com/gbsf/gb/14682/14682-1.gbd3ze - NONE/- text/plain
1067593468.800     16 192.168.1.21 TCP_MEM_HIT/200 851 GET http://bc2.gator.com/gbsf/gb/14601/14601-3.gbd3ze - NONE/- text/plain
1067593468.831     17 192.168.1.21 TCP_MEM_HIT/200 827 GET http://bc2.gator.com/gbsf/gb/14683/14683-1.gbd3ze - NONE/- text/plain
1067593469.445     30 192.168.1.21 TCP_IMS_HIT/304 202 GET http://login.passport.net/1033/L/PPIE.css - NONE/- text/css
1067593469.710
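An added example (not code from the thread or from the SME Server project) that does in Python what the two replies above describe by hand: convert a wall-clock time to the UNIX epoch value Squid writes, pull the access.log entries in a window around it, and find the earliest request to a given host. The sample log lines, the 192.168.1.21 client and the example.com hosts are constructed for the example, and the server's UTC offset is an assumption the caller passes in (the value 1067616900 only equals 16:15 on 31/10/2003 when the offset is 0).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Optional
from urllib.parse import urlsplit

# Constructed sample lines in Squid's native access.log format (not taken from the thread).
SAMPLE_LOG = """\
1067616890.123    120 192.168.1.21 TCP_MISS/200 1714 GET http://www.example.com/index.html - DIRECT/203.0.113.10 text/html
1067616901.500     48 192.168.1.21 TCP_HIT/200 597 GET http://bg2.gator.com/gbsf/gbaxl2.dat - NONE/- text/plain
1067616950.010    900 192.168.1.21 TCP_MISS/200 3120 CONNECT hotmail.com:443 - DIRECT/64.4.52.7 -
1067617300.000     10 192.168.1.20 TCP_MEM_HIT/200 1340 GET http://www.example.org/a.gif - NONE/- image/gif
1067617301.777
"""

@dataclass
class SquidEntry:
    ts: datetime      # request completion time as a timezone-aware UTC datetime
    client: str       # client IP on the LAN side of the gateway
    result: str       # cache result / HTTP status, e.g. TCP_MISS/200
    method: str
    url: str

def parse_line(line: str) -> Optional[SquidEntry]:
    """Parse one native-format line; returns None for blank or truncated lines."""
    f = line.split()
    if len(f) < 10:          # a cut-off line (like the last sample line) is skipped, not mis-parsed
        return None
    try:
        return SquidEntry(datetime.fromtimestamp(float(f[0]), tz=timezone.utc), f[2], f[3], f[5], f[6])
    except ValueError:
        return None

def local_to_epoch(local: str, utc_offset_hours: float) -> int:
    """Epoch seconds for a 'YYYY-MM-DD HH:MM' wall-clock time at the server's (assumed) UTC offset."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return int(datetime.strptime(local, "%Y-%m-%d %H:%M").replace(tzinfo=tz).timestamp())

def entries_around(lines: Iterable[str], epoch: int, window_s: int = 300) -> List[SquidEntry]:
    """Entries completed within +/- window_s of epoch (the 'look around 1067616900' step)."""
    lo, hi = epoch - window_s, epoch + window_s
    return [e for e in map(parse_line, lines) if e and lo <= e.ts.timestamp() <= hi]

def host_of(e: SquidEntry) -> str:
    """Host part of the URL; CONNECT lines carry 'host:port' with no scheme, so fall back to that."""
    return urlsplit(e.url).hostname or e.url.split(":")[0]

def first_hit(lines: Iterable[str], host_fragment: str) -> Optional[SquidEntry]:
    """Earliest entry whose host contains host_fragment, e.g. the first gator.com request seen."""
    hits = [e for e in map(parse_line, lines) if e and host_fragment in host_of(e)]
    return min(hits, key=lambda e: e.ts) if hits else None
```

On a real server, feed `open("/var/log/squid/access.log")` to `entries_around` and `first_hit` instead of `SAMPLE_LOG.splitlines()`; the client IP of the returned entry is the machine to go and look at.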