Log Spoofing

• The attack is based on fooling the human eye in log files

• An attacker can erase his traces from the logs using this attack

Solution

• When you enter a failed login attempt, the log displays

Login failed for username: <the user name you enter>

• Enter in the username field..

Smith%0d%0aLogin Succeeded for username: admin

• %0d is carriage return

• %0a is line feed return

• This makes it appear that a login for smith failed but a login for admin succeeded afterwards

• • Even though this was all done in the same attempt and there was no actual admin login

  •