Find hacker traces in Web server records (1)

Source: Internet
Author: User
Tags date format iis resource web services apache log client access
This article describes how to analyze Web server records, find the clues of hacker attacks among a large number of records, and gives some concrete examples for the two kinds of Web servers that are popular today.

firewalls, installing an intrusion detection system, and so on. But network security is an all-round question: neglecting any one point can cause the cask effect and make the entire security system illusory. This article enhances the security of the Web server by analyzing its logging records to identify vulnerabilities and protect against attacks.

Web services are the largest and most abundant service available on the Internet, so the various Web servers are naturally the most frequently attacked. We have taken many steps to prevent attacks and intrusions, and among them viewing the records of the Web server is the most direct, most common and most efficient way. But the logging record is very large and looking through it is very tedious work; if you do not grasp the focus, attack clues can easily be overlooked. Below we run attack experiments against the two most popular types of Web server, Apache and IIS, and then find the traces of the attack in a large number of records, so that appropriate measures can be taken to strengthen prevention.

1. The default Web record

For IIS, the default records are stored in C:\WINNT\SYSTEM32\LOGFILES\W3SVC1, and the file name is the date of the day. The record format is a widely used standard format that can be parsed by various log analysis tools; the default format includes the time, the visitor's IP address, the access method (GET or POST ...), the requested resource, the HTTP status (represented by a number), and so on. For the HTTP status, we know that 200-299 indicates a successful access, 300-399 indicates that a client response is required to satisfy the request, and 400-499 and 500-599 indicate client-side and server-side errors; common examples are 404, which means that the resource was not found, and 403, which indicates that access is prohibited.

The default records for Apache are stored in /usr/local/apache/logs, where the most useful record file is access_log. It includes the client IP, personal identification (generally empty), username (if required), access mode (GET or POST ...), HTTP status, number of bytes transferred, and so on.

2. Collecting information

The usual mode of attacking a server is to collect information first and then implement the intrusion step by step through remote commands. The tool we use is netcat 1.1 for Windows; the Web server IP is 10.22.1.100 and the client IP is 10.22.1.80.

C:\>nc -n 10.22.1.100 80
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Server: Microsoft-IIS/4.0
Date: Sun, Oct 2002 14:31:00 GMT
Content-Type: text/html
Set-Cookie: aspsessionidgqqqqqpa=ihojagjdecollgibnkmceeed; path=/
Cache-Control: private

The following is what appears in the IIS and Apache logs:

IIS:   15:08:44 10.22.1.80 HEAD /Default.asp 200
Linux: 10.22.1.80 - - [08/Oct/2002:15:56:39 -0700] "HEAD / HTTP/1.0" 200 0

The above activity looks normal and has no impact on the server, but it is the usual prelude to an attack.
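To show how such a prelude can be picked out of a large access_log, here is an added example (not from the original article) that parses lines in the Apache format described above, then flags per client IP the HEAD / banner probe shown in the log entry as well as bursts of 404 responses that typically accompany resource scanning; the regular expression, the threshold and the sample lines are this example's own assumptions.

```python
import re
from collections import defaultdict

# Apache common log format as described above: client IP, identd, user,
# [timestamp], "request", status, bytes. The regex is an assumption of this example.
CLF = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>\S+))?" (?P<status>\d{3}) (?P<bytes>\d+|-)$'
)

def parse_clf(line):
    """Return a dict for one access_log line, or None if it does not parse."""
    m = CLF.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec

def find_recon(lines, max_404=5):
    """Per client IP, flag HEAD / banner probes and bursts of 404 (not-found) responses."""
    per_ip = defaultdict(lambda: {"head_root": 0, "not_found": 0, "total": 0})
    for line in lines:
        rec = parse_clf(line)
        if rec is None:          # skip lines that are not in the expected format
            continue
        s = per_ip[rec["ip"]]
        s["total"] += 1
        if rec["method"] == "HEAD" and rec["path"] == "/":
            s["head_root"] += 1
        if rec["status"] == 404:
            s["not_found"] += 1
    suspects = {}
    for ip, s in per_ip.items():
        reasons = []
        if s["head_root"]:
            reasons.append("HEAD / banner grab")
        if s["not_found"] >= max_404:
            reasons.append(f"{s['not_found']} x 404")
        if reasons:
            suspects[ip] = reasons
    return suspects

# Constructed sample lines (not from a real server), modelled on the entry above.
SAMPLE = [
    '10.22.1.80 - - [08/Oct/2002:15:56:39 -0700] "HEAD / HTTP/1.0" 200 0',
    '10.22.1.50 - - [08/Oct/2002:15:57:01 -0700] "GET /index.html HTTP/1.0" 200 1532',
] + [
    f'10.22.1.80 - - [08/Oct/2002:15:58:{i:02d} -0700] "GET /missing{i}.html HTTP/1.0" 404 0'
    for i in range(6)
]

if __name__ == "__main__":
    for ip, why in find_recon(SAMPLE).items():
        print(ip, ", ".join(why))
```

Run it against a real access_log by replacing SAMPLE with the file's lines; the IIS format above needs a different regex but the same per-IP counting applies.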
