Track intruders using IIS logs

Source: Internet
Author: User

If you are a network administrator, you should trace what happened whenever your system is broken into. For application problems, go to the Event Viewer; if it is an IIS problem, check the IIS logs. The IIS log files, kept under the LogFiles directory of system32 in the system folder, record every access to the server.

Because I am on a virtual host, each user has an independent IIS log directory, and the log files there can be used to find information about the intruders who broke into the BBS. So I downloaded all the logs for the relevant time period for analysis, and found that much of it was unfamiliar to me! Now I finally know how the intruders got into my BBS.
 
Intrusion IIS log (1)

From the first day's IIS log we can see that intruders had already been targeting my BBS, and that there was more than one of them. The first day's IIS log entries are all junk data left by a program scanning for the admin back end.

Looking at the above IIS log, we can see that the intruder at 61.145.***.*** was using a program to scan back-end pages continuously. It seems he wanted to use a back-end login vulnerability to reach the admin pages of the BBS. Unfortunately this intruder seems to have had no idea what he was doing; he was just mechanically using the program to look for the back end, and there was no real intrusion method.

Intrusion IIS log (2)

I then checked the IIS log for the next day. At the beginning there was nothing special about the ordinary user access records, but in the middle section I found the problem: IIS records of a program being used to look for specific files.

From the above information we found that the intruder at 61.141.***.*** also used a program to scan for specific upload pages, to determine whether those pages existed on the target so that an upload vulnerability could be exploited. He also scanned for the default database of the Dvbbs (Dynamic Network) forum and for some commonly used trojan file names. It seems this intruder thought my BBS was a trojan stable ("Ma Fang"); it would take a miracle to find that many trojan files by scanning.

Continuing through the log, I finally found that the intruder at 61.141.***.*** generated a file, and then created a trojan named akk.asp in the forum folder.

All of the intruder's operations through the akk.asp trojan are visible in the IIS log.
 
Detailed intrusion analysis is as follows (each log entry is followed by what it shows):

  1. GET /forum/akk.asp - 200
  2. A webshell on a neighbouring site hosted on the same server was used to generate the akk.asp backdoor in the forum folder.
  3. GET /forum/akk.asp d=ls.asp 200
  4. The hacker logs in to the backdoor.
  5. GET /forum/akk.asp d=ls.asp&path=/test&oldpath=&attrib= 200
  6. Enters the test folder.
  7. GET /forum/akk.asp d=e.asp&path=/test/1.asp&attrib= 200
  8. Uses the backdoor to modify an asp file in the test folder.
  9. GET /forum/akk.asp d=ls.asp 200
  10. GET /forum/akk.asp d=ls.asp&path=/lan&oldpath=&attrib= 200
  11. Enters the lan folder.
  12. GET /forum/akk.asp d=e.asp&path=/lan/index.html&attrib= 200
  13. Uses the edit command to modify the homepage file in the lan folder.
  14. GET /forum/akk.asp d=ls.asp 200
  15. GET /forum/akk.asp d=ls.asp&path=/forum&oldpath=&attrib= 200
  16. Enters the BBS folder (the sub-folder is actually inside the BBS directory).
  17. POST /forum/akk.asp d=up.asp 200
  18. GET /forum/akk.asp d=ls.asp&path=/forum&oldpath=&attrib= 200
  19. GET /forum/myth.txt - 200
  20. Uploads the myth.txt file into the forum folder.
  21. GET /forum/akk.asp d=ls.asp&path=/forum&oldpath=&attrib= 200
  22. GET /forum/akk.asp d=e.asp&path=/forum/myth.txt&op=del&attrib= 200
  23. POST /forum/akk.asp d=up.asp 200
  24. GET /forum/myth.txt - 200

The intruder modified the myth.txt file under the forum folder. Then the webshell on the neighbouring site was used to create the ubb.asp backdoor, and the akk.asp backdoor was used to modify the homepage and back it up. Dizzying; I don't know what to make of this intruder, who could not work out how to use a webshell all day.
 
The intruders used tools to reconnoitre the site. First they identified pages where the BBS might be vulnerable; after testing they found they could not break in that way, so they turned to the server itself. Using a special program, they obtained a basic webshell on another site on the same server, used it to reach my folder, broke into my BBS system and modified the homepage.

Because the analysis is based only on the IIS logs for my own space, it is unclear which website or page the intruders used to get onto the server. However, all the data has been collected: the IP addresses of the intruders who broke into the BBS and the trojan (xiaolu) have been identified, and they left a large number of intrusion records behind. The whole log-tracing process is complete. The technical content of this article is not high; I just want to show that intrusions and intrusion attempts are traceable in IIS logs.
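As an added example (not the author's own tooling), the Python below turns this tracing into a repeatable check: it parses IIS W3C log lines, flags the day-1 pattern of one client piling up 404s while probing for admin pages, and flags the day-2 dispatcher pattern of one client driving several `d=*.asp` commands through a single script such as akk.asp. The field order, IP addresses and timestamps in the embedded sample are constructed.

```python
from collections import Counter, defaultdict
from urllib.parse import parse_qs

# Constructed IIS W3C excerpt (field order assumed; IPs are placeholders) mirroring
# the day-1 back-end scanning and the day-2 akk.asp backdoor sequence described above.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2007-05-01 09:00:01 61.145.0.1 GET /admin/login.asp - 404
2007-05-01 09:00:01 61.145.0.1 GET /admin_login.asp - 404
2007-05-01 09:00:02 61.145.0.1 GET /manage/login.asp - 404
2007-05-02 10:01:11 61.141.0.1 GET /forum/akk.asp - 200
2007-05-02 10:01:30 61.141.0.1 GET /forum/akk.asp d=ls.asp 200
2007-05-02 10:02:40 61.141.0.1 GET /forum/akk.asp d=e.asp&path=/test/1.asp&attrib= 200
2007-05-02 10:05:12 61.141.0.1 POST /forum/akk.asp d=up.asp 200
2007-05-02 10:05:20 61.141.0.1 GET /forum/myth.txt - 200
2007-05-02 10:06:00 10.0.0.5 GET /forum/list.asp boardid=2 200
"""

def parse_w3c(text):
    """Yield one dict per request line, taking column names from the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):  # skip truncated or garbled lines
                yield dict(zip(fields, parts))

def webshell_candidates(records, min_commands=2):
    """Per (client IP, .asp script): distinct bare script names passed as query values,
    the d=ls.asp / d=e.asp / d=up.asp dispatcher pattern of the akk.asp backdoor."""
    seen = defaultdict(set)
    for r in records:
        q = r["cs-uri-query"]
        if q == "-" or not r["cs-uri-stem"].lower().endswith(".asp"):
            continue
        for values in parse_qs(q, keep_blank_values=True).values():
            for v in values:
                # bare names only: path=/test/1.asp is a target, not a command
                if v.lower().endswith(".asp") and "/" not in v:
                    seen[(r["c-ip"], r["cs-uri-stem"])].add(v.lower())
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_commands}

def scanners(records, min_404=3):
    """Client IPs with at least min_404 misses: the day-1 pattern of a tool probing for admin pages."""
    misses = Counter(r["c-ip"] for r in records if r["sc-status"] == "404")
    return {ip: n for ip, n in misses.items() if n >= min_404}
```

On real logs, run both functions over each day's file and review any flagged (IP, script) pair by hand, since a legitimate dispatcher page can also take script names as parameters.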
