A few weeks ago, I happened to read an article from pir8geek.com (a blog about Linux goodies and tips) about a new tool which is very useful to system administrators and users for monitoring their files, folders, configurations, backups, scripts and directories in Windows, Linux, FreeBSD, Mac OS, and Solaris. This new tool or application is called Log4Trail and it is a lightweight file monitoring tool which can also be considered a simple or basic intrusion detection system (IDS) that is coded from scratch in Java by impeldown of The ProjectX Blog.

Log4Trail has a user-friendly graphical user interface (GUI) which is helpful for newbies, junior system administrators and users who want to monitor their files and directories easier in order to check if there are files that are being modified by someone who could possibly be a malicious user, a cracker or maybe your pesky little brother or sister who wants to play a prank on you. Once you open the application, it will prompt a pop up balloon or message from the system tray which will notify the current user who is logged into the system. And just like any intrusion detection systems out there, it records information about the files that have been changed and then notifies the security and system administrators of the important observed events with the use of the balloon pop up message and through email if the mailer configuration setup is configured.

To record the observed events, the application uses the SQLite database to store information of the system files. Yes you read me right, it produces reports like a boss!

Getting Started with Log4Trail File Monitoring

Log4Trail is a free software application that can be downloaded here. The file format is a tarball file, so to extract the contents of that file and move to its directory, type these commands in your terminal:

tar -zxvf Log4Trail.tar.gz

cd Log4Trail

To run the application, issue this one-line command in your terminal: java -jar Log4Trail.jar

The application has a setup or extra feature that sends you an email about the file changes [from checksum] and [to new checksum] using the SHA1 file checking algorithm and in order to activate this feature, click Options and then click on Enable Mailer. The next thing you should do is configure the mailer configuration and the mailer account with the corresponding recipients(TO,CC,BCC) to your choice. This can be used if you are away from your computer or server because you will be notified through email about the files or directories that were changed. So be sure you bring your laptop or your handy dandy smart phone with you always in order to be updated.

Now set the path of the directory or the file that you want to be monitored by clicking on the File Manager which can be found under the File menu button of the main form, or you can access it through its shortcut key which is Ctrl + Shift + A.

Click the New button, then navigate through the file or directory that you want to manage and monitor. Take for example this scenario: a system administrator wants to monitor or check if there will be new users that will be added to his Linux server so he can just set Log4Trail’s File Manager configuration to /etc/passwd. This can be helpful in order to detect malicious users who are currently adding users in the system if your system has been compromised.

In my case, I decided to set and configure it to /var/www because I have a LAMP (Linux, Apache, Perl, Perl / Python /PHP) server running locally in my school which is intended for penetration testing purposes, program testing and for hunting malicious users. After adding up a directory to be monitored or checked by the application, a dialog or prompt box should appear which should look like the image below.

Take note that the dialog or prompt box (image above) appears only if it is a directory because you will be given choices for the directory recursion type so just click on Yes to continue with the setup and then another prompt up box should appear which says “Please select recursion type”. If you want to recursively add file contents in a subdirectory just choose “Force recursion in subdirectories,” and if you want to add only file contents then choose “Only recurse contents”. In this writeup, I chose the option “Only recurse contents”.

If you have chosen a file that you want to be monitored solely then it should automatically be added so no need to worry regarding that setup. Now, if you have other files or directories that you want to be added, just click on the New button again and follow the process. After setting up the File Manager, just restart the application so that the changes will take effect.

After the application is done restarting, it should start monitoring the files in your server. You should be good to go then. :)

Now here is what I did in order to check if Log4Trail File Monitoring is really that effective and can be used as a simple intrusion detection system (but not as an intrusion prevention system): I planted a backdoor shell in my Linux box which has a local LAMP server running, then I moved to another computer in my network and accessed its internal IP (Internet Protocol) address by using the common r57 PHP backdoor shell. Then I edited the file bot.txt which is under the /var/www directory, and here is a screenshot I took which shows what just appeared on the computer system tray where Log4Trail is obviously running and monitoring /var/www.

It says “/var/www/bot.txt has been changed” and that Log4Trail has detected that I edited the bot.txt with some text. And because I was able to enable the mailer and setup the mailer configuration then I should receive an email about the changes in my files. Here is a screenshot of the email I just got.

And then you should be able to see the record of what file has just been modified or edited in the main application. It also shows if the email was sent to the system administrator or the user. Thus the details include: identifier, time stamp, station, file, from CS, to CS, and mailed.

So if an intruder is able to change the index of your website, the system tray alerts you. The image below gives another scenario.

Want to learn more?? The InfoSec Institute Advanced Computer Forensics Training trains you on critical forensic skills that are difficult to master outside of a lab enviornment. Already know how to acquire forensically sound images? Perform file carving? Take your existing forensic knowledge further and sharpen your skills with this Advanced Computer Forensics Boot Camp from InfoSec Institute. Upon the completion of our Advanced Computer Forensics Boot Camp, students will know how to:
  • Perform Volume Shadow Copy (VSC) analysis
  • Advanced level file and data structure analysis for XP, Windows 7 and Server 2008/2012 systems
  • Timeline Analysis & Windows Application Analysis
  • iPhone Forensics

Additional Information and Tips

Log4Trail is also built and compatible for Windows. Thus, it can be used to monitor the users or the employees in your company that are using the computers in your network so that you will be aware as to what they are doing even if you are not connected to a remote desktop connection. It can also be used to observe the behavior of a malware that has modification functions, although reverse engineering is still the best strategy to test and review the malware, at least you have some ideas about the malware’s targets. In Windows, monitoring your C:Windows folder and its subdirectories is also a good strategy because it contains important system files.

If you are maintaining Microsoft Windows Servers like Windows Server 2003, Windows Server 2008, Windows HPC Server 2008, Windows Server 2008 R2 and Windows Server 2012, it is wise to monitor the files that are being shared, your file backups, and your configuration files.

Log4Trail can also be minimized on the system tray when you click the X button from the main form and it will still continue monitoring your files and your directories. To show the main form again, just click the monitor-like icon on your system tray.

Log4Trail’s scanning option or monitoring speed can be changed to High, Normal (Default Mode), Low, or Paused, and it has a Stop/Start functionality for the interactive mode of the application. When the application starts, it launches the auto scan mode or monitors if there are data retrieved from the File Manager, so as long as you have already configured your File Manager setup, you don’t need to configure the setup for scanning the files or directories and repeat the process.

Well that’s all guys, I leave the rest to you. :)