IIS & Apache Attack Log Analysis (Windows Server)

Source: Internet
Author: User
Tags: md5, openssl, sql injection, apache, log, java, web

Here I introduce the most important log files of the two most common web servers and analyze what traces an attacker leaves in those files after the server has been attacked. The two most common web servers today are Apache and Microsoft's Internet Information Server (IIS); both come in a plain version and an SSL-enabled version. This article tests the server with methods similar to those used in real attacks and analyzes the resulting log files; readers with the means can repeat the tests on their own machines.
The default log file location for IIS is the C:\WINNT\SYSTEM32\LOGFILES\W3SVC1 directory; the file name is the day's date, e.g. yymmdd.log, and the system creates a new log file every day. The default format is the W3C Extended Log File Format, which many tools can analyze. By default the log records the time, client IP address, method (GET, POST and so on), URI stem (the resource requested) and HTTP status (the numeric status code). Most of these fields are self-explanatory, but the HTTP status needs some explanation.

Tip: generally, a code from 200 to 299 represents success. The common 200 status code means the client's request was fulfilled; 300 to 399 mean the client must take further action to fulfil the request; 400 to 499 and 500 to 599 indicate a problem on the client side and the server side respectively. The two most common status codes are 404, which means the resource requested by the client is not on the server, and 403, which means access to the requested resource is refused.

The default storage location for Apache log files is /usr/local/apache/logs. The most valuable file is access_log, although ssl_request_log and ssl_engine_log can also provide useful information. An access_log record has seven fields: client IP address, the identity field (usually just a dash), user name, date, the request line (method such as GET or POST, the resource requested, and the protocol version), HTTP status, and bytes transferred.

Log analysis of common probing methods
The web server version is very important information, so attackers generally start by asking the web server to send back its own version. It is enough to send the string "HEAD / HTTP/1.0" to the server's open port with the common Netcat utility (see http://www.l0pht.com/~weld/netcat/) or the OpenSSL binary (see http://www.openssl.org/). Take a look at the following demonstration:

C:\>nc -n 10.0.2.55 80
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Server: Microsoft-IIS/4.0
Date: Sun, Mar 14:31:00 GMT
Content-Type: text/html
Set-Cookie: ASPSESSIONIDGQQQQQPA=IHOJAGJDECOLLGIBNKMCEEED; path=/
Cache-Control: private

A request of this form generates the following records in the IIS and Apache log files:

IIS:   15:08:44 11.1.2.80 HEAD /default.asp 200
Linux: 11.1.2.80 - - [08/Mar/2004:15:56:39 -0700] "HEAD / HTTP/1.0" 200 0

Although such requests are legitimate and seem commonplace, they are often the prelude to an attack. access_log and the IIS log files do not show whether the request went to an SSL server or to a plain web server, but Apache's ssl_request_log and ssl_engine_log (in the /usr/local/apache/logs directory) record whether there was a connection to the SSL server. Look at the following ssl_request_log record:

[07/Mar/2004:15:32:52 -0700] 11.1.1.50 SSLv3 EDH-RSA-DES-CBC3-SHA "HEAD / HTTP/1.0" 0

The third and fourth fields show which SSL/TLS version and cipher the client used. The following ssl_request_log records show requests from OpenSSL, Internet Explorer and Netscape clients:
[07/Mar/2004:15:48:26 -0700] 11.1.1.50 SSLv3 EDH-RSA-DES-CBC3-SHA "GET / HTTP/1.0" 2692
[07/Mar/2004:15:52:51 -0700] 10.0.2.55 TLSv1 RC4-MD5 "GET / HTTP/1.1" 2692
[07/Mar/2004:15:54:46 -0700] 11.1.1.50 SSLv3 EXP-RC4-MD5 "GET / HTTP/1.0" 2692
[07/Mar/2004:15:55:34 -0700] 11.1.2.80 SSLv3 RC4-MD5 "GET / HTTP/1.0" 2692
In addition, attackers usually copy the target site (this is called mirroring) in order to obtain the information needed to launch an attack. The comment fields in a web page's source code often contain useful data such as directories, file names and even passwords. Common tools for copying websites are Teleport Pro on Windows (http://www.tenmax.com/teleport/pro/home.htm) and wget on Unix (http://www.gnu.org/manual/wget/). Here I analyze the log contents after these two programs have been run against the web server. Both quickly crawl the entire site and request every reachable page, so simply checking the log file shows that a mirroring action has taken place; this is very easy to spot. The following is the IIS log file:

16:28:52 11.1.2.80 GET /default.asp 200
16:28:52 11.1.2.80 GET /robots.txt 404
16:28:52 11.1.2.80 GET /header_protecting_your_privacy.gif 200
16:28:52 11.1.2.80 GET /header_fec_reqs.gif 200
16:28:55 11.1.2.80 GET /photo_contribs_sidebar.jpg 200
16:28:55 11.1.2.80 GET /g2klogo_white_bgd.gif 200
16:28:55 11.1.2.80 GET /header_contribute_on_line.gif 200

The 11.1.2.80 here is a UNIX client, and the requests were made with wget.
16:49:01 11.1.1.50 GET /default.asp 200
16:49:01 11.1.1.50 GET /robots.txt 404
16:49:01 11.1.1.50 GET /header_contribute_on_line.gif 200
16:49:01 11.1.1.50 GET /g2klogo_white_bgd.gif 200
16:49:01 11.1.1.50 GET /photo_contribs_sidebar.jpg 200
16:49:01 11.1.1.50 GET /header_fec_reqs.gif 200
16:49:01 11.1.1.50 GET /header_protecting_your_privacy.gif 200
The 11.1.1.50 system here is a Windows client, and the requests were made with Teleport Pro.

Tip: both hosts above requested the file robots.txt. This file is actually a webmaster tool whose role is to keep automatic crawling software such as wget and Teleport Pro from crawling or indexing certain pages. A request for robots.txt therefore often means that someone is about to mirror the entire site. Note, however, that both Teleport Pro and wget can be told not to request robots.txt.

Attackers may also use the web vulnerability scanner whisker (http://www.wiretrip.net/) to check whether the web server has known weaknesses. The following are some of the log entries produced by IIS and the Apache web server after whisker was run against them:

IIS:
13:17:56 11.1.1.50 GET /siteserver/publishing/viewcode.asp 404
13:17:56 11.1.1.50 GET /msadc/samples/adctest.asp 200
13:17:56 11.1.1.50 GET /advworks/equipment/catalog_type.asp 404
13:17:56 11.1.1.50 GET /IISADMPWD/AEXP4B.HTR 200
13:17:56 11.1.1.50 HEAD /SCRIPTS/SAMPLES/DETAILS.IDC 200
13:17:56 11.1.1.50 GET /SCRIPTS/SAMPLES/DETAILS.IDC 200
13:17:56 11.1.1.50 HEAD /SCRIPTS/SAMPLES/CTGUESTB.IDC 200
13:17:56 11.1.1.50 GET /SCRIPTS/SAMPLES/CTGUESTB.IDC 200
13:17:56 11.1.1.50 HEAD /scripts/tools/newdsn.exe 404
13:17:56 11.1.1.50 HEAD /msadc/msadcs.dll 200
13:17:56 11.1.1.50 GET /SCRIPTS/IISADMIN/BDIR.HTR 200
13:17:56 11.1.1.50 HEAD /carbo.dll 404
13:17:56 11.1.1.50 HEAD /scripts/proxy/ 403
13:17:56 11.1.1.50 HEAD /scripts/proxy/w3proxy.dll 500
13:17:56 11.1.1.50 GET /scripts/proxy/w3proxy.dll 500

Apache:
11.1.1.50 - - [08/Mar/2004:12:57:28 -0700] "GET /cfcache.map HTTP/1.0" 404 266
11.1.1.50 - - [08/Mar/2004:12:57:28 -0700] "GET /cfide/administrator/startstop.html HTTP/1.0" 404 289
11.1.1.50 - - [08/Mar/2004:12:57:28 -0700] "GET /cfappman/index.cfm HTTP/1.0" 404 273
11.1.1.50 - - [08/Mar/2004:12:57:28 -0700] "GET /cgi-bin/ HTTP/1.0" 403 267
11.1.1.50 - - [08/Mar/2004:12:57:29 -0700] "GET /cgi-bin/dbmlparser.exe HTTP/1.0" 404 277
11.1.1.50 - - [08/Mar/2004:12:57:29 -0700] "HEAD /_vti_inf.html HTTP/1.0" 404 0
11.1.1.50 - - [08/Mar/2004:12:57:29 -0700] "HEAD /_vti_pvt/ HTTP/1.0" 404 0
11.1.1.50 - - [08/Mar/2004:12:57:29 -0700] "HEAD /cgi-bin/webdist.cgi HTTP/1.0" 404 0
11.1.1.50 - - [08/Mar/2004:12:57:29 -0700] "HEAD /cgi-bin/handler HTTP/1.0" 404 0
11.1.1.50 - - [08/Mar/2004:12:57:29 -0700] "HEAD /cgi-bin/wrap HTTP/1.0" 404 0
11.1.1.50 - - [08/Mar/2004:12:57:29 -0700] "HEAD /cgi-bin/pfdisplay.cgi HTTP/1.0" 404 0

The key to detecting such scans is a large number of 404 HTTP status codes coming from a single IP address. Once you notice this pattern, you can analyze which resources the other side requested; typically the scanner hammers the CGI script locations (the cgi-bin directory on an Apache server, the Scripts directory on an IIS server).
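As an added example (not code from the original article), the following Python script parses both log formats described above, the IIS default fields (time, client IP, method, URI stem, status) and the seven-field Apache access_log, and applies the indicators discussed so far: HEAD-only version probes, requests for robots.txt from mirroring tools, and the burst of 404 responses from one address that characterises a scanner such as whisker. The sample lines are constructed after the article's excerpts; the threshold of five 404s per client is an assumption you would tune to your own traffic.

```python
import re
from collections import defaultdict

# Apache common log format (seven fields):
# host ident user [date] "method uri proto" status bytes
APACHE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<date>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+)(?: (?P<proto>\S+))?" (?P<status>\d{3}) (?P<bytes>\S+)$'
)
# IIS default fields as shown in the article: time ip method uri-stem status
IIS_RE = re.compile(
    r'^(?P<time>\d{2}:\d{2}:\d{2}) (?P<ip>\S+) (?P<method>\S+) (?P<uri>\S+) (?P<status>\d{3})$'
)


def parse_line(line):
    """Return a dict with ip, method, uri and status (int) for either format, or None."""
    line = line.strip()
    m = APACHE_RE.match(line) or IIS_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["method"] = rec["method"].upper()
    rec["status"] = int(rec["status"])
    rec["uri"] = rec["uri"].lower()  # IIS logs mix case; normalise before matching
    return rec


def analyse(lines, not_found_threshold=5):
    """Tag each client IP with the recon indicators from the article:
    'scanner'       - at least not_found_threshold 404 responses (whisker-style probing)
    'mirror'        - requested /robots.txt (wget / Teleport Pro behaviour)
    'banner-probe'  - every request was a HEAD (version fingerprinting)
    Returns {ip: [tags]} for clients that earned at least one tag."""
    per_ip = defaultdict(lambda: {"requests": 0, "not_found": 0, "head": 0,
                                  "robots": False, "paths_404": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        st = per_ip[rec["ip"]]
        st["requests"] += 1
        if rec["method"] == "HEAD":
            st["head"] += 1
        if rec["uri"] == "/robots.txt":
            st["robots"] = True
        if rec["status"] == 404:
            st["not_found"] += 1
            st["paths_404"].append(rec["uri"])

    findings = {}
    for ip, st in per_ip.items():
        tags = []
        if st["not_found"] >= not_found_threshold:
            tags.append("scanner")
        if st["robots"]:
            tags.append("mirror")
        if st["head"] and st["head"] == st["requests"]:
            tags.append("banner-probe")
        if tags:
            findings[ip] = tags
    return findings


# Constructed sample mixing IIS and Apache lines modelled on the article's excerpts.
SAMPLE_LOG = """\
15:08:44 10.0.2.55 HEAD /default.asp 200
16:28:52 11.1.2.80 GET /default.asp 200
16:28:52 11.1.2.80 GET /robots.txt 404
16:28:52 11.1.2.80 GET /header_fec_reqs.gif 200
11.1.1.50 - - [08/Mar/2004:12:57:28 -0700] "GET /cfcache.map HTTP/1.0" 404 266
11.1.1.50 - - [08/Mar/2004:12:57:28 -0700] "GET /cfide/administrator/startstop.html HTTP/1.0" 404 289
11.1.1.50 - - [08/Mar/2004:12:57:28 -0700] "GET /cgi-bin/ HTTP/1.0" 403 267
11.1.1.50 - - [08/Mar/2004:12:57:29 -0700] "HEAD /_vti_inf.html HTTP/1.0" 404 0
11.1.1.50 - - [08/Mar/2004:12:57:29 -0700] "HEAD /cgi-bin/webdist.cgi HTTP/1.0" 404 0
11.1.1.50 - - [08/Mar/2004:12:57:29 -0700] "HEAD /cgi-bin/handler HTTP/1.0" 404 0
11.1.1.50 - - [08/Mar/2004:12:57:29 -0700] "HEAD /cgi-bin/wrap HTTP/1.0" 404 0
192.0.2.10 - - [08/Mar/2004:13:05:01 -0700] "GET /index.html HTTP/1.0" 200 1024
"""

if __name__ == "__main__":
    for ip, tags in analyse(SAMPLE_LOG.splitlines()).items():
        print(ip, ",".join(tags))
```

On the sample the scanner (11.1.1.50) is tagged from its six 404s, the wget client (11.1.2.80) from robots.txt, the Netcat probe (10.0.2.55) from its lone HEAD, and the ordinary visitor (192.0.2.10) is left alone. In practice you would feed the real access_log or the W3SVC1 file into analyse() and review the paths_404 list for each flagged client, which is exactly the "analyze the resources requested" step the article recommends.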

Whenever a web page has been visited, a clue is left in the log file. If the webmaster is alert enough to use log analysis as a trail, they can anticipate whether the site has a real vulnerability.

Direct attacks and log analysis
Next I show you two common web server attacks and analyze the traces the attacker leaves in the log file afterwards.

1. MDAC attacks

The MDAC attack allows a web client to execute commands on the IIS web server. If someone attacks an IIS server this way, the log file records that the client called msadcs.dll:

17:48:49 12.1.2.8 GET /msadc/msadcs.dll 200
17:48:51 12.1.2.8 POST /msadc/msadcs.dll 200

2. Exploiting source code disclosure vulnerabilities

The second type of attack is also common and concerns vulnerabilities that expose the source code of ASP and Java web pages. An old security flaw is the +.HTR bug, which displays ASP source code. If someone exploits this vulnerability, they leave the following clue in the IIS log file:

17:50:13 11.1.2.80 GET /DEFAULT.ASP+.HTR 200

3. Permission issues
Web pages are often restricted to authorized users. Next we show what the Apache access_log leaves behind when a login fails:

12.1.2.8 - user [08/Mar/2004:18:58:29 -0700] "GET /private/ HTTP/1.0" 401 462

The user name in the third column is "user". Also note that the HTTP status code is 401, which represents unauthorized access.
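The three direct-attack traces above (the msadcs.dll call, the +.HTR request and the 401 responses) are simple enough to match by signature rather than by volume. As an added example, not from the original article, here is a small Python detector that pulls the method, URI and status out of either IIS or Apache lines with a single format-agnostic regex, matches the two exploit patterns, and counts failed logins per client so that repeated 401s from one address stand out. The signature names, the sample lines and the threshold of three failures are my own constructions.

```python
import re
from collections import Counter

# One regex that extracts method, URI and status from either format shown in the
# article: IIS ("17:48:51 12.1.2.8 POST /msadc/msadcs.dll 200") and
# Apache ('... "GET /private/ HTTP/1.0" 401 462'). The protocol token and the
# closing quote are optional so the same pattern serves both.
REQ_RE = re.compile(r'\b(GET|POST|HEAD)\s+(\S+?)(?:\s+HTTP/\d\.\d)?"?\s+(\d{3})\b', re.I)
# First dotted-quad in the line is the client address in both formats
# (the IIS time field "17:48:51" has no dots, so it is skipped).
IP_RE = re.compile(r'\b\d{1,3}(?:\.\d{1,3}){3}\b')

# Signatures derived from the article's excerpts; the names are hypothetical.
# The MDAC/RDS call is keyed on POST, since that is the request carrying the
# query; the preceding GET to the same DLL is also seen in ordinary scans.
SIGNATURES = [
    ("mdac-rds",   lambda method, uri: method == "POST" and uri.endswith("/msadc/msadcs.dll")),
    ("htr-source", lambda method, uri: uri.endswith("+.htr")),
]


def scan(lines):
    """Return (hits, failed_logins).
    hits          - list of (client_ip, signature_name, uri) in log order
    failed_logins - Counter of 401 responses per client_ip"""
    hits = []
    failed_logins = Counter()
    for line in lines:
        req = REQ_RE.search(line)
        ip = IP_RE.search(line)
        if not req or not ip:
            continue  # not a request line we understand
        method = req.group(1).upper()
        uri = req.group(2).lower()
        status = int(req.group(3))
        client = ip.group(0)
        for name, matches in SIGNATURES:
            if matches(method, uri):
                hits.append((client, name, uri))
        if status == 401:
            failed_logins[client] += 1
    return hits, failed_logins


def suspicious_logins(failed_logins, threshold=3):
    """Clients whose 401 count reaches the threshold (assumed value: 3)."""
    return {ip: n for ip, n in failed_logins.items() if n >= threshold}


# Constructed sample modelled on the article's three direct-attack excerpts,
# plus a legitimate authenticated request that must not be flagged.
SAMPLE_LOG = """\
17:48:49 12.1.2.8 GET /msadc/msadcs.dll 200
17:48:51 12.1.2.8 POST /msadc/msadcs.dll 200
17:50:13 11.1.2.80 GET /DEFAULT.ASP+.HTR 200
12.1.2.8 - user [08/Mar/2004:18:58:29 -0700] "GET /private/ HTTP/1.0" 401 462
12.1.2.8 - user [08/Mar/2004:18:58:33 -0700] "GET /private/ HTTP/1.0" 401 462
12.1.2.8 - user [08/Mar/2004:18:58:40 -0700] "GET /private/ HTTP/1.0" 401 462
192.0.2.10 - alice [08/Mar/2004:19:01:02 -0700] "GET /private/ HTTP/1.0" 200 812
"""

if __name__ == "__main__":
    hits, failed = scan(SAMPLE_LOG.splitlines())
    for client, name, uri in hits:
        print(f"{client} {name} {uri}")
    for client, n in suspicious_logins(failed).items():
        print(f"{client} {n} failed logins")
```

Because the URI is lower-cased before matching, the upper-case IIS form /DEFAULT.ASP+.HTR and a lower-case variant hit the same signature; a 200 on such a request, as in the article's excerpt, is the case worth escalating, since it means the server actually served the file.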

This concludes the comparison of Apache and IIS and the analysis of the related attacks and log records. Only a few common examples are given here, but they show the differences and similarities between the two servers. You can test your server in whatever way you prefer, for example with the currently popular SQL injection and file upload vulnerabilities, and really practice attack-and-defense confrontation!
