Log files record the activity on a computer so administrators can see who has used it, what they did, how long they stayed connected, and where they came from. Because a log file also records the activity of an unauthorized intruder, much as a surveillance camera records a burglar breaking into a store, intruders look for the log files as soon as they gain access to the computer.

Script kiddies often delete the log files outright to keep the administrator from seeing exactly what they did on the computer. Unfortunately for them, a deleted log file reveals the presence of an intruder as blatantly as using a stick of dynamite to get rid of a surveillance camera. The moment an administrator notices that a log file has vanished, he or she knows that someone has been on the system.

Rather than announce their presence by deleting the log files, more skilled intruders selectively edit them: they remove only the entries that record their own activity and leave everything else intact. At a cursory glance the log files look untouched, which gives the intruder a chance to keep working on the computer without alerting the administrators.

A web server's access log (the fields below follow the widely used Common Log Format) typically records the following for each request:

  • The IP address (or hostname) of the machine that made the request to the target computer.

  • The username, which identifies the account the request was made under, if any. A perfectly valid username can mask an intruder who has hijacked a legitimate user's account.

  • The date and time of the request.

  • The exact command or "request" sent to the target computer: the HTTP method, the path requested, and the protocol version.

  • The HTTP status code the target computer returned. The status code shows how the server handled the request (for example, 200 for success, 404 for a page that does not exist, 401 for a failed authentication).

  • The number of bytes transferred to the client.

In many cases, simply editing the log files is enough to hide an intruder's tracks, but system administrators have their own ways to protect the integrity of their log files. One of the simplest is to print the log entries as they are generated. If an intruder later deletes or modifies the log files on disk, the printed copy is beyond reach. An administrator who suspects something is wrong can compare the log file on the hard disk with the printout. While tedious, this makes it very hard for an intruder to hide by editing the log files alone. Note that a printout only preserves entries that were actually written: an intruder who disables logging before acting, or whose actions never generate a log entry, leaves nothing to print.

Another way to preserve log files is to keep duplicate copies. The original log file stays where intruders expect to find it, while a copy of every entry is sent to another computer altogether, preferably a dedicated log host that no account on the monitored system (root or administrator included) can modify or delete. Log-file analysis programs can then compare the two copies and notify the administrators of any discrepancy, since an entry present on the log host but missing from the original is a strong indication that someone edited the local file. As with printing, the comparison can only catch tampering with entries that reached the log host before the intruder interfered with logging.
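The following is an added example, not code from the original text, that ties the two points above together: it parses access-log entries in the Common Log Format described in the field list, and it performs the comparison between the on-host log and its off-host duplicate that the duplicate-copy approach relies on. The log lines, addresses and usernames are constructed for illustration; 203.0.113.7 plays the intruder who has removed only their own entries from the local file.

```python
"""Parse Common Log Format entries and diff an on-host access log against its
off-host duplicate to find lines that were selectively deleted.

Added example for illustration; all log lines below are constructed samples."""
import re
from collections import Counter
from datetime import datetime

# NCSA Common Log Format: host ident authuser [date] "request" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) '
    r'\[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Constructed sample: the complete copy as received by a write-once log host.
# 203.0.113.7 (a documentation-range address) is the intruder.
REMOTE_LOG = """\
198.51.100.20 - - [10/Oct/2000:13:55:36 -0700] "GET /index.html HTTP/1.0" 200 2326
198.51.100.20 - - [10/Oct/2000:13:55:38 -0700] "GET /images/logo.gif HTTP/1.0" 200 4102
203.0.113.7 - - [10/Oct/2000:13:57:01 -0700] "POST /login HTTP/1.0" 401 318
203.0.113.7 - jsmith [10/Oct/2000:13:57:09 -0700] "POST /login HTTP/1.0" 200 512
203.0.113.7 - jsmith [10/Oct/2000:13:57:30 -0700] "GET /admin/config HTTP/1.0" 200 8840
198.51.100.44 - - [10/Oct/2000:14:02:11 -0700] "GET /about.html HTTP/1.0" 200 1740
"""

# Constructed sample: the same log as left on the compromised host after the
# intruder removed only their own three lines and left the rest intact.
LOCAL_LOG = """\
198.51.100.20 - - [10/Oct/2000:13:55:36 -0700] "GET /index.html HTTP/1.0" 200 2326
198.51.100.20 - - [10/Oct/2000:13:55:38 -0700] "GET /images/logo.gif HTTP/1.0" 200 4102
198.51.100.44 - - [10/Oct/2000:14:02:11 -0700] "GET /about.html HTTP/1.0" 200 1740
"""


def parse_clf(line):
    """Return the fields of one CLF line as a dict, or None if it is malformed."""
    m = CLF_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])  # "-" means no body
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_discrepancies(local_lines, remote_lines):
    """Compare the on-host log with its off-host duplicate.

    Returns (deleted, added): entries present only in the remote copy, i.e.
    removed from the local file, and entries present only locally, i.e.
    inserted or altered there. Multisets (Counter) are used so that a line
    whose repeated occurrences were trimmed to one is reported as well.
    """
    local = Counter(l.rstrip("\r\n") for l in local_lines if l.strip())
    remote = Counter(l.rstrip("\r\n") for l in remote_lines if l.strip())
    deleted = list((remote - local).elements())  # keeps the remote copy's order
    added = list((local - remote).elements())
    return deleted, added


def hosts_in(lines):
    """Count which client addresses the given entries came from; a cluster of
    deletions from a single address points straight at the intruder."""
    hosts = Counter()
    for line in lines:
        rec = parse_clf(line)
        if rec is not None:
            hosts[rec["host"]] += 1
    return hosts


if __name__ == "__main__":
    deleted, added = find_discrepancies(LOCAL_LOG.splitlines(), REMOTE_LOG.splitlines())
    print(f"{len(deleted)} entries missing from the local log, {len(added)} unexpected")
    for line in deleted:
        rec = parse_clf(line)
        print(f"  removed: {rec['host']} {rec['user']} {rec['time']:%H:%M:%S} "
              f"{rec['request']!r} -> {rec['status']}")
    for host, count in hosts_in(deleted).most_common():
        print(f"  {host}: {count} deleted entries")
```

Running it lists the three intruder lines that exist only on the log host and attributes all of them to 203.0.113.7. In practice the remote copy would be read from the log host's storage rather than an inline string, but the comparison is the same; the local copy is treated as untrusted, so any entry it lacks, or any entry it has that the log host never received, is reported.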

To learn about the capabilities of various log-file analysis programs, take a look at one or more of the following programs: