Absrtact: This article mainly describes how to analyze Web server records, in many records to find clues to hacker attacks, and for today's popular two types of Web servers give specific examples.
Today's network, security is more and more attention, in the construction of network security environment, in the technical means, management system and other aspects are gradually strengthened, set up firewalls, installation intrusion detection system and so on. But the network security is a omni-directional question, ignores which point can cause the cask effect, causes the entire security system to be fictitious. This article enhances the security of the Web server by analyzing the logging records of the Web server to identify vulnerabilities and protect against attacks.
Web services are the largest and most abundant service available on the Internet, and various Web servers are naturally the most frequently attacked, and we have taken many measures to prevent attacks and intrusions, in which viewing the records of Web servers is the most direct, most common, and more efficient method, But logging record is very large, look at the logging record is very tedious things, if not grasp the focus, attack clues can easily be ignored. Here are some of the most popular two types of Web servers: Apache and IIS to attack the experiment, and then in a number of records to find traces of the attack, so take appropriate measures to strengthen prevention.
1, the Default Web record
For IIS, the default records are stored in C:\WINNT\SYSTEM32\LOGFILES\W3SVC1, the file name is the date of the day, the record format is a standard format for the wide range of records, can be resolved by various record analysis tools, the default format includes time, visitor IP address, Access method (Get or POST ...) , the requested resource, the HTTP status (represented by numbers), and so on. For the HTTP status, we know that 200-299 indicates a successful access, 300-399 indicates that a client response is required to satisfy the request, 400-499 and 500-599 indicate a client-server error, and a common example of 404 means that the resource is not found, and 403 indicates that access is prohibited.
The default records for Apache are stored in/usr/local/apache/logs, where the most useful record files are Access_log, which includes client IP, personal identification (generally empty), username (if required), access mode (GET or POST ...). , HTTP status, number of bytes transferred, and so on.
2. Collect information
We simulate the usual pattern of hackers attacking a server, first gathering information, and then implementing the intrusion step by step with remote commands. The tool we use is the netcat1.1 for Windows,web server IP is 10.22.1.100, and the client IP is: 10.22.1.80.
C:>nc-n 10.22.1.100 80
head/http/1.0
http/1.1 OK
server:microsoft-iis/4.0
Date:sun, OCT 2002 14:31:00 GMT
Content-type:text/html
Set-cookie:aspsessionidgqqqqqpa=ihojagjdecollgibnkmceeed; path=/
Cache-control:private
The above activities look normal and do not have any impact on the server, but this is the prelude to the usual attack.
3. Web site Mirroring
Hackers often mirror a site to help attack the server, commonly used to mirror the tool has windows under the Teleport Pro and Unix under the wget.
Below we look at the information in the server record after using these two tools:
10.22.1.80 is a UNIX client that uses wget, and 10.22.1.81 uses Teleport Pro Windows clients to request robots.txt files, which are used when requesting files that are not mirrored. So you see a request for a robots.txt file that indicates an attempt to mirror it. Of course, in wget and Teleport Pro clients, access to robots.txt files can be manually prohibited, and the discrimination method can see if there is a duplicate resource request from the same IP address.
4, vulnerability scanning
With the development of the attack, we can use some Web vulnerability check software, such as whisker, it can check the various vulnerabilities known, such as CGI program caused by security risks. The following are related records for IIS and Apache running Whisker1.4:
Apache
10.22.1.80-[08/OCT/2002:12:57:28-0700] "get/cfcache.map http/1.0" 404 266
10.22.1.80-[08/OCT/2002:12:57:28-0700] "get/cfide/administrator/startstop.html HTTP/1.0" 404 289
10.22.1.80-[08/OCT/2002:12:57:28-0700] "get/cfappman/index.cfm http/1.0" 404 273
10.22.1.80-[08/OCT/2002:12:57:28-0700] "get/cgi-bin/http/1.0" 403 267
10.22.1.80-[08/OCT/2002:12:57:29-0700] "Get/cgi-bin/dbmlparser.exe http/1.0" 404 277
10.22.1.80-[08/OCT/2002:12:57:29-0700] "head/_vti_inf.html http/1.0" 404 0
10.22.1.80-[08/OCT/2002:12:57:29-0700] "head/_vti_pvt/http/1.0" 404 0
10.22.1.80-[08/OCT/2002:12:57:29-0700] "head/cgi-bin/webdist.cgi http/1.0" 404 0
10.22.1.80-[08/OCT/2002:12:57:29-0700] "head/cgi-bin/handler http/1.0" 404 0
10.22.1.80-[08/OCT/2002:12:57:29-0700] "head/cgi-bin/wrap http/1.0" 404 0
10.22.1.80-[08/OCT/2002:12:57:29-0700] "head/cgi-bin/pfdisplay.cgi http/1.0" 404
The key to checking this attack is to see that the same IP address has multiple 404 states on the Scripts,apache file request for the CGI directory (IIS is Cgi-bin). Then check the corresponding CGI directory for the security of the program.
5. Remote attack
Let's take an example of an MDAC attack on IIS to understand how remote attacks are logged in the log. An MDAC vulnerability could allow an attacker to execute any command on the Web server side.
6, summary
Managing a secure site requires system managers to have safe common sense and vigilance, and knowledge of security from different sources can not only deal with the attacks that have occurred, but also to prevent attacks that will occur better. and the log file to understand, to prevent attacks is very important but often easy to ignore the means.
IDS (Intrusion detection systems) can help you a lot, but not completely replace security management. A careful examination of what is missing from Log,ids may be found here.
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.
