Analysis of attack records in IIS & Apache

Source: Internet
Author: User
Tags: microsoft, iis

When a server is attacked, many network administrators feel helpless. In fact, the server's log files record the details of the attacker's activity. Here I introduce the most important log files of the two common Web servers and analyze what traces an attacker leaves in them after the server has been probed or attacked. The most common Web servers today are Apache and Microsoft's Internet Information Server (IIS); both exist in a plain version and an SSL-enabled version. This article tests the servers with methods similar to those real attackers use and analyzes the resulting log files. If you have the means, you can reproduce the tests on your own machine.
The default IIS log directory is C:\winnt\system32\logfiles\w3svc1. The file name is the current date, for example yymmdd.log, and the system starts a new log file each day. The default format is the W3C Extended Log File Format, which many analysis tools can read. With the default settings, the log records the time, client IP address, method (GET, POST, etc.), URI stem (the requested resource), and HTTP status (a numeric status code). Most of these fields are self-explanatory, but the HTTP status code deserves a closer look.

TIPS: In general, a code between 200 and 299 indicates success; the common 200 means the client's request was fulfilled. Codes 300 to 399 indicate that the client must take further action to complete the request; 400 to 499 and 500 to 599 indicate client-side and server-side errors respectively. The most common status code is 404, which means the resource requested by the client does not exist on the server; 403 means access to the requested resource was denied.

Apache's log files are stored by default in /usr/local/apache/logs. The most valuable log file is access_log, but ssl_request_log and ssl_engine_log can also provide useful information. The access_log file has seven fields: client IP address, remote identity field (usually just "-"), user name, date, request line (method such as GET or POST, the requested resource, and the protocol version), HTTP status, and bytes transferred.

Log Analysis of Common Probing Methods
The version of a Web server matters a great deal, so attackers usually begin by asking the server to send back its version information. This only requires sending the string "HEAD / HTTP/1.0" to the open service port with the common Netcat utility (related URL, truncated in the source: /~ Weld/netcat/) or the OpenSSL binary (related URL: http://www.openssl.org/). For example:

C:\> nc -n 10.0.2.55 80
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Server: Microsoft-IIS/4.0
Date: Sun, 08 Mar 2004 14:31:00 GMT
Content-Type: text/html
Set-Cookie: ASPSESSIONIDGQQQQQPA=ihojarjdecollgibnkmceeed; path=/
Cache-control: private

This request produces the following entries in the IIS and Apache log files:

IIS: 15:08:44 11.1.2.80 HEAD /Default.asp 200
Linux: 11.1.2.80 - - [08/Mar/2004:15:56:39 -0700] "HEAD / HTTP/1.0" 200 0

Although such requests are legitimate and look ordinary, they are often the prelude to an attack. The access_log and the IIS log do not show whether the request went to the SSL server or to the plain Web server. Apache's ssl_request_log and ssl_engine_log (in the /usr/local/apache/logs directory), however, do record whether the client connected to the SSL server. See the following ssl_request_log entry:

[07/Mar/2004:15:32:52 -0700] 11.1.1.50 SSLv3 EDH-RSA-DES-CBC3-SHA "HEAD / HTTP/1.0" 0

The third and fourth fields show the protocol version and cipher suite negotiated with the client. The following ssl_request_log entries record requests issued by the OpenSSL, Internet Explorer, and Netscape client programs respectively:
[07/Mar/2004:15:48:26 -0700] 11.1.1.50 SSLv3 EDH-RSA-DES-CBC3-SHA "GET / HTTP/1.0" 2692
[07/Mar/2004:15:52:51 -0700] 10.0.2.55 TLSv1 RC4-MD5 "GET / HTTP/1.1" 2692
[07/Mar/2004:15:54:46 -0700] 11.1.1.50 SSLv3 EXP-RC4-MD5 "GET / HTTP/1.0" 2692
[07/Mar/2004:15:55:34 -0700] 11.1.2.80 SSLv3 RC4-MD5 "GET / HTTP/1.0" 2692
In addition, attackers often copy the target website (a so-called mirror site) and use the copy to gather the information needed to launch an attack: the comment fields in page source code frequently contain useful details such as directory names, file names, and even passwords. Common tools for copying websites are Teleport Pro for Windows (URL: http://www.tenmax.com/teleport/pro/home.htm) and Wget for Unix (URL: http://www.gnu.org/manual/wget). Here I analyze the log contents after Wget and Teleport Pro have been run against the Web server. Both tools quickly walk the entire site and request every public page, so the action is easy to recognize in the log file. The following are IIS log entries:

16:28:52 11.1.2.80 GET /Default.asp 200
16:28:52 11.1.2.80 GET /robots.txt 404
16:28:52 11.1.2.80 GET /header_protecting_your_privacy.gif 200
16:28:52 11.1.2.80 GET /header_fec_reqs.gif 200
16:28:55 11.1.2.80 GET /photo_contribs_sidebar.jpg 200
16:28:55 11.1.2.80 GET /g2klogo_white_bgd.gif 200
16:28:55 11.1.2.80 GET /header_contribute_on_line.gif 200

Here the host 11.1.2.80 is a Unix client sending requests with Wget.

16:49:01 11.1.1.50 GET /Default.asp 200
16:49:01 11.1.1.50 GET /robots.txt 404
16:49:01 11.1.1.50 GET /header_contribute_on_line.gif 200
16:49:01 11.1.1.50 GET /g2klogo_white_bgd.gif 200
16:49:01 11.1.1.50 GET /photo_contribs_sidebar.jpg 200
16:49:01 11.1.1.50 GET /header_fec_reqs.gif 200
16:49:01 11.1.1.50 GET /header_protecting_your_privacy.gif 200

Here the 11.1.1.50 system is a Windows client sending requests with Teleport Pro.

TIPS: Both of the sessions above request the robots.txt file. This file is a tool for web administrators to tell crawlers such as Wget and Teleport Pro which pages must not be fetched or indexed. A request for robots.txt usually means someone intends to mirror the entire website. Note, however, that both Teleport Pro and Wget can be set to ignore robots.txt.

Attackers can also use the web vulnerability scanner Whisker (URL: http://www.wiretrip.net/) to probe a Web server for known security holes. The following are some of the log entries generated on the IIS and Apache Web servers after Whisker was run:

IIS:
13:17:56 11.1.1.50 GET /SiteServer/Publishing/viewcode.asp 404
13:17:56 11.1.1.50 GET /msadc/samples/adctest.asp 200
13:17:56 11.1.1.50 GET /advworks/equipment/catalog_type.asp 404
13:17:56 11.1.1.50 GET /iisadmpwd/aexp4b.htr 200
13:17:56 11.1.1.50 HEAD /scripts/samples/details.idc 200
13:17:56 11.1.1.50 GET /scripts/samples/details.idc 200
13:17:56 11.1.1.50 HEAD /scripts/samples/ctguestb.idc 200
13:17:56 11.1.1.50 GET /scripts/samples/ctguestb.idc 200
13:17:56 11.1.1.50 HEAD /scripts/tools/newdsn.exe 404
13:17:56 11.1.1.50 HEAD /msadc/msadcs.dll 200
13:17:56 11.1.1.50 GET /scripts/iisadmin/bdir.htr 200
13:17:56 11.1.1.50 HEAD /carbo.dll 404
13:17:56 11.1.1.50 HEAD /scripts/proxy/ 403
13:17:56 11.1.1.50 HEAD /scripts/proxy/w3proxy.dll 500
13:17:56 11.1.1.50 GET /scripts/proxy/w3proxy.dll 500

Apache:
11.1.1.50 - - [08/Mar/2004:12:57:28 -0700] "GET /cfcache.map HTTP/1.0" 404 266
11.1.1.50 - - [08/Mar/2004:12:57:28 -0700] "GET /cfide/Administrator/startstop.html HTTP/1.0" 404 289
11.1.1.50 - - [08/Mar/2004:12:57:28 -0700] "GET /cfappman/index.cfm HTTP/1.0" 404 273
11.1.1.50 - - [08/Mar/2004:12:57:28 -0700] "GET /cgi-bin/ HTTP/1.0" 403 267
11.1.1.50 - - [08/Mar/2004:12:57:29 -0700] "GET /cgi-bin/dbmlparser.exe HTTP/1.0" 404 277
11.1.1.50 - - [08/Mar/2004:12:57:29 -0700] "HEAD /_vti_inf.html HTTP/1.0" 404 0
11.1.1.50 - - [08/Mar/2004:12:57:29 -0700] "HEAD /_vti_pvt/ HTTP/1.0" 404 0
11.1.1.50 - - [08/Mar/2004:12:57:29 -0700] "HEAD /cgi-bin/webdist.cgi HTTP/1.0" 404 0
11.1.1.50 - - [08/Mar/2004:12:57:29 -0700] "HEAD /cgi-bin/handler HTTP/1.0" 404 0
11.1.1.50 - - [08/Mar/2004:12:57:29 -0700] "HEAD /cgi-bin/wrap HTTP/1.0" 404 0
11.1.1.50 - - [08/Mar/2004:12:57:29 -0700] "HEAD /cgi-bin/pfdisplay.cgi HTTP/1.0" 404 0

The key to detecting such scans is the large number of 404 HTTP status codes coming from a single IP address. Once you notice this pattern, look at which resources the other party requested: a scanner will persistently ask for CGI scripts (the cgi-bin directory on an Apache server; the Scripts directory on an IIS server).
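The following script, added here as an example and not part of the original article, parses both log formats shown above (the default IIS W3C extended fields and Apache's access_log) and counts, per client IP, the indicators the article describes: many 404 responses, a robots.txt fetch, a bare "HEAD /" banner request, and interest in the cgi-bin or Scripts directories. The sample lines are constructed after the article's examples; the 404 threshold of 3 is an assumption chosen for the small sample.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the two formats the article shows: IIS W3C extended
# (time c-ip cs-method cs-uri-stem sc-status) and Apache access_log (common log format).
IIS_LOG = """\
13:17:56 11.1.1.50 GET /SiteServer/Publishing/viewcode.asp 404
13:17:56 11.1.1.50 GET /msadc/samples/adctest.asp 200
13:17:56 11.1.1.50 HEAD /scripts/tools/newdsn.exe 404
13:17:56 11.1.1.50 HEAD /carbo.dll 404
16:28:52 11.1.2.80 GET /Default.asp 200
16:28:52 11.1.2.80 GET /robots.txt 404
"""
APACHE_LOG = """\
11.1.1.50 - - [08/Mar/2004:12:57:28 -0700] "GET /cfcache.map HTTP/1.0" 404 266
11.1.1.50 - - [08/Mar/2004:12:57:28 -0700] "GET /cgi-bin/ HTTP/1.0" 403 267
11.1.1.50 - - [08/Mar/2004:12:57:29 -0700] "HEAD /cgi-bin/wrap HTTP/1.0" 404 0
10.0.2.55 - - [08/Mar/2004:15:56:39 -0700] "HEAD / HTTP/1.0" 200 0
"""

IIS_RE = re.compile(r"^\S+ (\S+) (GET|HEAD|POST) (\S+) (\d{3})$")
APACHE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+$')

def parse_line(line):
    """Return (ip, method, uri, status) for an IIS or Apache line, else None."""
    m = IIS_RE.match(line) or APACHE_RE.match(line)
    return (m.group(1), m.group(2), m.group(3), int(m.group(4))) if m else None

def analyze(text):
    """Per client IP, count the indicators the article describes."""
    hits = defaultdict(Counter)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, method, uri, status = rec
        if status == 404:
            hits[ip]["not_found"] += 1   # probing for files that do not exist
        if uri.lower() == "/robots.txt":
            hits[ip]["robots_txt"] += 1  # typical first request of a site-mirroring tool
        if method == "HEAD" and uri == "/":
            hits[ip]["head_root"] += 1   # banner grab of the server version
        if uri.lower().startswith(("/cgi-bin/", "/scripts/")):
            hits[ip]["script_dir"] += 1  # interest in the script directories
    return {ip: dict(c) for ip, c in hits.items()}

def suspicious(report, not_found_threshold=3):
    """IPs worth a closer look: many 404s, a robots.txt fetch, or a bare HEAD /."""
    return sorted(ip for ip, c in report.items() if c.get("not_found", 0) >= not_found_threshold
                  or c.get("robots_txt") or c.get("head_root"))
```

On a real log, feed the file contents to analyze() and tune the threshold to the site's normal 404 rate; a handful of 404s from an ordinary browser is noise, dozens in one second from one address is a scanner.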

What clues are left in the log file when a web page is visited? If the web administrator is highly alert, the analysis of the log should be
