Chasing hacker intrusions based on Web server records

Source: Internet
Author: User

Network security receives more and more attention today. When a secure network environment is built, the technical measures, management systems and other aspects are gradually strengthened: firewalls are set up, intrusion detection systems are installed, and so on. But network security is an all-round problem; neglecting any one point produces the cask effect (the barrel holds only as much as its shortest plank) and turns the whole security system into an empty shell. This article improves the security of the Web server by analyzing the Web server's log records to find vulnerabilities and guard against attacks.

Web services are the most widespread and abundant services on the Internet, so Web servers of all kinds are naturally the most frequently attacked. Many measures have been taken to prevent attacks and intrusions; among them, examining the Web server's records is the most direct, most common and a fairly efficient method. But the log records are very large and reading through them is tedious; without grasping the key points, the traces of an attack are easily overlooked. Below we run attack experiments against the two most popular Web servers, Apache and IIS, and then look for the traces of those attacks among the many records, so that appropriate measures can be taken to strengthen prevention.

1. The default Web records

For IIS, the default records are stored in C:\WINNT\SYSTEM32\LOGFILES\W3SVC1, one file per day named after the date. The record format is a widely used standard that the various log-analysis tools can parse; the default fields include the time, the visitor's IP address, the access method (GET, POST ...), the requested resource, the HTTP status (as a number) and so on. For the HTTP status, 200-299 indicates successful access, 300-399 indicates that a further client response is required to satisfy the request, and 400-499 and 500-599 indicate client-side and server-side errors; common examples are 404, meaning the resource was not found, and 403, meaning access is forbidden.

Apache's default records are stored in /usr/local/apache/logs, where the most useful file is access_log. Its fields include the client IP, an identity field (generally empty), the username (if authentication was required), the access method (GET, POST ...), the HTTP status, the number of bytes transferred and so on.
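As an added example (not part of the original article), the following Python parses both record shapes described above, the IIS default record (time, client IP, method, URI, status) and Apache's access_log in common log format, into one structure, and groups the status codes the way the article describes them. The field names, the Request class and the summarize() helper are this example's own; the sample lines are taken from the article's excerpts, plus one constructed non-log line to show how unparsable input is counted.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Apache access_log, common log format, e.g.
#   10.22.1.80 - - [08/Oct/2002:12:57:28 -0700] "GET /cfcache.map HTTP/1.0" 404 266
APACHE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Za-z]+) (?P<path>\S+)(?: (?P<proto>HTTP/[\d.]+))?" '
    r'(?P<status>\d{3})(?: (?P<bytes>\d+|-))?$'
)

# IIS default record as excerpted in the article: time, client IP, method, URI, status.
# The status column is missing on some excerpted lines, so it is optional here.
IIS_RE = re.compile(
    r'^(?P<time>\d{2}:\d{2}:\d{2}) (?P<ip>\S+) (?P<method>[A-Za-z]+) '
    r'(?P<path>\S+)(?: (?P<status>\d{3}))?$'
)


@dataclass
class Request:
    ip: str
    time: str
    method: str
    path: str
    status: Optional[int]
    source: str  # "iis" or "apache"


def status_class(status):
    """Group a status code into the ranges the article describes."""
    if status is None:
        return "unknown"
    if 200 <= status <= 299:
        return "success"
    if 300 <= status <= 399:
        return "needs client action"
    if 400 <= status <= 499:
        return "client error"
    if 500 <= status <= 599:
        return "server error"
    return "other"


def parse_line(line):
    """Return a Request for an Apache or IIS line, or None if neither shape matches."""
    line = line.strip()
    m = APACHE_RE.match(line)
    if m:
        return Request(m["ip"], m["time"], m["method"].upper(), m["path"],
                       int(m["status"]), "apache")
    m = IIS_RE.match(line)
    if m:
        status = int(m["status"]) if m["status"] else None
        return Request(m["ip"], m["time"], m["method"].upper(), m["path"], status, "iis")
    return None


def summarize(lines):
    """Count parsed requests per status class and per client IP; count unparsable lines."""
    by_class, by_ip, unparsed = Counter(), Counter(), 0
    for line in lines:
        r = parse_line(line)
        if r is None:
            if line.strip():
                unparsed += 1
            continue
        by_class[status_class(r.status)] += 1
        by_ip[r.ip] += 1
    return {"by_class": dict(by_class), "by_ip": dict(by_ip), "unparsed": unparsed}


# Sample input: lines from the article's excerpts plus one constructed non-log line.
SAMPLE_LINES = [
    "15:08:44 10.22.1.80 HEAD /default.asp 200",
    "16:28:52 10.22.1.80 GET /robots.txt 404",
    "16:28:52 10.22.1.80 GET /default.asp",
    '10.22.1.80 - - [08/Oct/2002:15:56:39 -0700] "HEAD / HTTP/1.0" 200 0',
    '10.22.1.80 - - [08/Oct/2002:12:57:28 -0700] "GET /cgi-bin/ HTTP/1.0" 403 267',
    '10.22.1.80 - - [08/Oct/2002:12:57:29 -0700] "HEAD /cgi-bin/wrap HTTP/1.0" 404 0',
    "12:07:56 10.22.1.81 GET /scripts/proxy/w3proxy.dll 500",
    "not a log line",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_line(line))
    print(summarize(SAMPLE_LINES))
```

The two regexes are anchored at both ends so a line that is neither shape is rejected rather than half-parsed; a real deployment would add the extra W3C fields IIS can be configured to write, but the five default columns above are what the article works with.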

2. Collect information

We simulate the usual pattern of a hacker attacking a server: first gathering information, then carrying out the intrusion step by step with remote commands. The tool used is netcat 1.1 for Windows; the Web server's IP is 10.22.1.100 and the client's IP is 10.22.1.80.

The following are the referenced contents:
C:\>nc -n 10.22.1.100 80
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Server: Microsoft-IIS/4.0
Date: Sun, 08 Oct 2002 14:31:00 GMT
Content-Type: text/html
Set-Cookie: ASPSESSIONIDGQQQQQPA=IHOJAGJDECOLLGIBNKMCEEED; path=/
Cache-control: private

This is shown in the IIS and Apache logs as follows:

IIS:
15:08:44 10.22.1.80 HEAD /default.asp

Apache:
10.22.1.80 - - [08/Oct/2002:15:56:39 -0700] "HEAD / HTTP/1.0" 200 0

The activity above looks normal and has no effect on the server, but it is the usual prelude to an attack.

3. Web site Mirroring

Hackers often mirror a site to help them attack the server. Commonly used mirroring tools are Teleport Pro under Windows and wget under Unix.

Below we look at what the server records show after these two tools have been used:

The following are the referenced contents:
16:28:52 10.22.1.80 GET /default.asp
16:28:52 10.22.1.80 GET /robots.txt 404
16:28:52 10.22.1.80 GET /header_protecting_your_privacy.gif
16:28:52 10.22.1.80 GET /header_fec_reqs.gif
16:28:55 10.22.1.80 GET /photo_contribs_sidebar.jpg
16:28:55 10.22.1.80 GET /g2klogo_white_bgd.gif
16:28:55 10.22.1.80 GET /header_contribute_on_line.gif
16:49:01 10.22.1.81 GET /default.asp
16:49:01 10.22.1.81 GET /robots.txt 404
16:49:01 10.22.1.81 GET /header_contribute_on_line.gif
16:49:01 10.22.1.81 GET /g2klogo_white_bgd.gif
16:49:01 10.22.1.81 GET /photo_contribs_sidebar.jpg
16:49:01 10.22.1.81 GET /header_fec_reqs.gif
16:49:01 10.22.1.81 GET /header_protecting_your_privacy.gif 200

10.22.1.80 is a Unix client using wget, and 10.22.1.81 is a Windows client using Teleport Pro. Both request the robots.txt file, which lists the files that are not to be mirrored, so a request for robots.txt is an indication of an attempt to mirror the site. Of course, both wget and Teleport Pro can be configured by hand not to fetch robots.txt; in that case the way to tell is to look for repeated requests for the same resource from one IP address.

4. Vulnerability scanning

As the attack develops, we can use Web vulnerability-checking software such as whisker, which checks for various known vulnerabilities, such as the security risks posed by CGI programs. The following are the corresponding IIS and Apache records from a run of whisker 1.4:

The following are the referenced contents:

IIS:

12:07:56 10.22.1.81 GET /siteserver/publishing/viewcode.asp 404
12:07:56 10.22.1.81 GET /msadc/samples/adctest.asp 200
12:07:56 10.22.1.81 GET /advworks/equipment/catalog_type.asp 404
12:07:56 10.22.1.81 GET /IISADMPWD/AEXP4B.HTR 200
12:07:56 10.22.1.81 HEAD /SCRIPTS/SAMPLES/DETAILS.IDC 200
12:07:56 10.22.1.81 GET /SCRIPTS/SAMPLES/DETAILS.IDC 200
12:07:56 10.22.1.81 HEAD /SCRIPTS/SAMPLES/CTGUESTB.IDC 200
12:07:56 10.22.1.81 GET /SCRIPTS/SAMPLES/CTGUESTB.IDC 200
12:07:56 10.22.1.81 HEAD /scripts/tools/newdsn.exe 404
12:07:56 10.22.1.81 HEAD /msadc/msadcs.dll 200
12:07:56 10.22.1.81 GET /SCRIPTS/IISADMIN/BDIR.HTR 200
12:07:56 10.22.1.81 HEAD /carbo.dll 404
12:07:56 10.22.1.81 HEAD /scripts/proxy/ 403
12:07:56 10.22.1.81 HEAD /scripts/proxy/w3proxy.dll 500
12:07:56 10.22.1.81 GET /scripts/proxy/w3proxy.dll 500

Apache:

10.22.1.80 - - [08/Oct/2002:12:57:28 -0700] "GET /cfcache.map HTTP/1.0" 404 266
10.22.1.80 - - [08/Oct/2002:12:57:28 -0700] "GET /cfide/administrator/startstop.html HTTP/1.0" 404 289
10.22.1.80 - - [08/Oct/2002:12:57:28 -0700] "GET /cfappman/index.cfm HTTP/1.0" 404 273
10.22.1.80 - - [08/Oct/2002:12:57:28 -0700] "GET /cgi-bin/ HTTP/1.0" 403 267
10.22.1.80 - - [08/Oct/2002:12:57:29 -0700] "GET /cgi-bin/dbmlparser.exe HTTP/1.0" 404 277
10.22.1.80 - - [08/Oct/2002:12:57:29 -0700] "HEAD /_vti_inf.html HTTP/1.0" 404 0
10.22.1.80 - - [08/Oct/2002:12:57:29 -0700] "HEAD /_vti_pvt/ HTTP/1.0" 404 0
10.22.1.80 - - [08/Oct/2002:12:57:29 -0700] "HEAD /cgi-bin/webdist.cgi HTTP/1.0" 404 0
10.22.1.80 - - [08/Oct/2002:12:57:29 -0700] "HEAD /cgi-bin/handler HTTP/1.0" 404 0
10.22.1.80 - - [08/Oct/2002:12:57:29 -0700] "HEAD /cgi-bin/wrap HTTP/1.0" 404 0
10.22.1.80 - - [08/Oct/2002:12:57:29 -0700] "HEAD /cgi-bin/pfdisplay.cgi HTTP/1.0" 404

The key to spotting this attack is that the same IP address produces multiple 404 statuses on requests for files in the CGI directory (/scripts on IIS, /cgi-bin on Apache), all within a very short time. Then check the security of the programs in the corresponding CGI directory.
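The two checks described in sections 3 and 4, as an added example that is not part of the original article: over IIS-shaped records it flags clients that fetched /robots.txt or re-requested one resource several times (the mirroring indicators), and clients that collected many 404s within a short window, listing which of their requests touched a CGI directory. The thresholds, the window length, the 10.22.1.90 client and the timestamps are this example's assumptions; the request paths are taken from the article's excerpts.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Directories the article points at: /scripts on IIS, /cgi-bin on Apache.
CGI_DIRS = ("/scripts/", "/cgi-bin/")

# Constructed sample in the IIS default-record shape used in the article (time, client IP,
# method, URI, status). The paths come from the article's excerpts; the mix of clients,
# the 10.22.1.90 client and the exact timestamps are made up for this example.
SAMPLE_LOG = """\
16:28:52 10.22.1.80 GET /default.asp 200
16:28:52 10.22.1.80 GET /robots.txt 404
16:28:52 10.22.1.80 GET /header_fec_reqs.gif 200
16:28:55 10.22.1.80 GET /photo_contribs_sidebar.jpg 200
16:28:55 10.22.1.80 GET /g2klogo_white_bgd.gif 200
16:30:00 10.22.1.90 GET /default.asp 200
16:30:41 10.22.1.90 GET /default.asp 200
16:31:05 10.22.1.90 GET /default.asp 200
12:07:56 10.22.1.81 GET /siteserver/publishing/viewcode.asp 404
12:07:56 10.22.1.81 GET /msadc/samples/adctest.asp 200
12:07:56 10.22.1.81 GET /advworks/equipment/catalog_type.asp 404
12:07:56 10.22.1.81 HEAD /scripts/samples/details.idc 200
12:07:56 10.22.1.81 HEAD /scripts/tools/newdsn.exe 404
12:07:57 10.22.1.81 HEAD /carbo.dll 404
12:07:57 10.22.1.81 HEAD /scripts/proxy/ 403
12:07:57 10.22.1.81 GET /scripts/iisadmin/bdir.htr 200
12:07:58 10.22.1.81 HEAD /cgi-bin/handler 404
"""


def parse_iis(line):
    """Split one IIS default-record line; the status column is missing on some lines."""
    parts = line.split()
    if len(parts) < 4:
        return None
    status = int(parts[4]) if len(parts) > 4 and parts[4].isdigit() else None
    return {"time": datetime.strptime(parts[0], "%H:%M:%S"), "ip": parts[1],
            "method": parts[2].upper(), "path": parts[3].lower(), "status": status}


def load(text):
    return [r for r in map(parse_iis, text.splitlines()) if r]


def mirroring_candidates(records, repeat_threshold=3):
    """Section 3: a client that fetched /robots.txt, or that asked for the same resource
    repeatedly (the fallback check when the tool was told to skip robots.txt)."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r["path"])
    hits = {}
    for ip, paths in by_ip.items():
        reasons = []
        if "/robots.txt" in paths:
            reasons.append("requested /robots.txt")
        repeated = sorted(p for p, n in Counter(paths).items() if n >= repeat_threshold)
        if repeated:
            reasons.append("repeated requests for " + ", ".join(repeated))
        if reasons:
            hits[ip] = reasons
    return hits


def scanner_candidates(records, not_found_threshold=5, window=timedelta(seconds=10)):
    """Section 4: one client collecting many 404s within a short window. The report also
    lists which of its requests touched a CGI directory, since those are the programs
    whose security should be checked next."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r)
    hits = {}
    for ip, recs in by_ip.items():
        times = sorted(r["time"] for r in recs if r["status"] == 404)
        start, densest = 0, 0
        for end in range(len(times)):  # sliding window over the sorted 404 times
            while times[end] - times[start] > window:
                start += 1
            densest = max(densest, end - start + 1)
        if densest >= not_found_threshold:
            cgi = sorted({r["path"] for r in recs if r["path"].startswith(CGI_DIRS)})
            hits[ip] = {"not_found_in_window": densest, "cgi_probes": cgi}
    return hits


if __name__ == "__main__":
    recs = load(SAMPLE_LOG)
    print("mirroring:", mirroring_candidates(recs))
    print("scanning:", scanner_candidates(recs))
```

Run against the sample, the wget client is reported for robots.txt, the made-up 10.22.1.90 client for repeatedly fetching /default.asp, and 10.22.1.81 for five 404s within two seconds together with the /scripts and /cgi-bin paths it touched. The IIS default record has no date column, so on a real log the day boundary has to come from the file name.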

5. Remote attack

Let us take the MDAC attack on IIS as an example to see how a remote attack appears in the log. The MDAC vulnerability allows an attacker to execute arbitrary commands on the Web server.

17:48:49 10.22.1.80 GET /msadc/msadcs.dll 200
17:48:51 10.22.1.80 POST /msadc/msadcs.dll 200

When the attack takes place, the log keeps a record of the request for msadcs.dll.

Another well-known attack exploits the ASP source code disclosure vulnerability; when it occurs, the log file holds records like the following:

17:50:13 10.22.1.81 GET /DEFAULT.ASP+.HTR 200

For an unauthorized access attempt, the Apache log shows:

[08/Oct/2002:18:58:29 -0700] "GET /private/ HTTP/1.0" 401 462
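The three records of this section turned into signature rules, as an added example that is not part of the original article. Each rule is a regular expression applied to the raw log line, so one rule set covers both the IIS default record and the Apache access_log without a format-specific parser; the status code is read from its position so that a byte count of 401 is not mistaken for a 401 response. The severities, the rule names and the harmless sample lines are this example's assumptions; the attack lines are the article's own.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of raw lines in both record shapes the article uses (IIS default
# record and Apache access_log). The attack lines are the article's own examples; the
# client IP on the Apache 401 line and the two harmless lines are added for the example.
SAMPLE = """\
17:48:49 10.22.1.80 GET /msadc/msadcs.dll 200
17:48:51 10.22.1.80 POST /msadc/msadcs.dll 200
17:50:13 10.22.1.81 GET /DEFAULT.ASP+.HTR 200
17:50:20 10.22.1.81 GET /default.asp 200
10.22.1.80 - - [08/Oct/2002:18:58:29 -0700] "GET /private/ HTTP/1.0" 401 462
10.22.1.80 - - [08/Oct/2002:18:59:02 -0700] "GET /index.html HTTP/1.0" 200 401
"""

# Each rule is a regex run over the raw line, so one rule set serves both log shapes.
# Severities are this example's assumption: the POST to msadcs.dll is the request that
# carries the command, a GET/HEAD of it is the probe that usually precedes it.
RULES = [
    ("mdac-msadcs-post",  "high",   re.compile(r"(?i)\sPOST /msadc/msadcs\.dll(?:\s|$)")),
    ("mdac-msadcs-probe", "medium", re.compile(r"(?i)\s(?:GET|HEAD) /msadc/msadcs\.dll(?:\s|$)")),
    ("asp-source-htr",    "high",   re.compile(r"(?i)\s/\S*\.asp\+\.htr(?:\s|$)")),
]


def status_of(line):
    """HTTP status from either shape: the field right after the quoted request on Apache,
    the last field on IIS. Reading it by position keeps a byte count from being taken as
    a status."""
    m = re.search(r'" (\d{3})(?: |$)', line)
    if m:
        return int(m.group(1))
    parts = line.split()
    return int(parts[-1]) if parts and re.fullmatch(r"\d{3}", parts[-1]) else None


def client_of(line):
    """Client IP: the first field on Apache, the field after the time on IIS."""
    parts = line.split()
    return parts[1] if re.fullmatch(r"\d{2}:\d{2}:\d{2}", parts[0]) else parts[0]


def match_line(line):
    """Rule names and severities that fire on one raw line."""
    hits = [(name, sev) for name, sev, rx in RULES if rx.search(line)]
    if status_of(line) == 401:
        hits.append(("unauthorized-401", "low"))
    return hits


def scan(text, denied_threshold=1):
    """Per-client findings. Matched lines are kept verbatim as evidence; 401 responses are
    counted per client and reported once they reach denied_threshold."""
    findings, denied = defaultdict(list), Counter()
    for line in text.splitlines():
        if not line.strip():
            continue
        ip = client_of(line)
        for name, sev in match_line(line):
            if name == "unauthorized-401":
                denied[ip] += 1
            else:
                findings[ip].append((name, sev, line))
    for ip, n in denied.items():
        if n >= denied_threshold:
            findings[ip].append(("unauthorized-401", "low", f"{n} request(s) denied with 401"))
    return dict(findings)


if __name__ == "__main__":
    for ip, hits in scan(SAMPLE).items():
        for name, sev, evidence in hits:
            print(f"{ip} {sev:6} {name:18} {evidence}")
```

On the sample, 10.22.1.80 is reported for the msadcs.dll probe, the msadcs.dll POST and one denied request, and 10.22.1.81 for the +.htr request; the line whose byte count happens to be 401 is not reported. Raising denied_threshold turns the 401 rule from a per-request alert into a check for repeated attempts at a protected area.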

6. Summary

Managing a secure site requires system managers to have security common sense and vigilance. Security knowledge from different sources not only helps in dealing with attacks that have already happened but also in better preventing those yet to come. Understanding the log files is an important means of preventing attacks, yet one that is often easy to overlook.

An IDS (intrusion detection system) can help a great deal, but it cannot completely replace security management. What the IDS misses may be found by carefully examining the logs.


