Attackers Cannot Escape: Tracking Hackers Through Web Server Records

Source: Internet
Author: User
Tags: apache, log, microsoft, iis

Network security receives more and more attention today. When building a secure network environment, we gradually strengthen both technical measures and management systems: we set up firewalls and install intrusion detection systems. However, network security is an all-round problem. Like a wooden bucket whose capacity is set by its shortest plank, neglecting any one aspect leaves the whole security system nominal. This article analyzes Web server logs to identify vulnerabilities and detect attacks, so as to strengthen Web server security.

Web services are the most numerous and richest services on the Internet, so Web servers are naturally the most attacked. Among the many measures we take against attacks and intrusions, reviewing the Web server logs is the most direct, common and effective. However, the logs are very large and tedious to read, and if you do not know what to look for, the clues of an attack are easily missed. Below we run an attack experiment against Apache and IIS, the two most popular Web servers, and then find the traces of the attack in the mass of log records, so that appropriate preventive measures can be taken.

1. Default Web logs

For IIS, the log is stored by default in c:\winnt\system32\logfiles\w3svc1. The file name is the current date, and the record format is the standard W3C extended log format, which can be parsed by various log analysis tools. The default fields include the time, the visitor's IP address, the access method (GET, POST, ...), the requested resource, the HTTP status (as a number), and so on. For the HTTP status, 200-299 means the access succeeded; 300-399 means the client must take further action to satisfy the request; 400-499 and 500-599 mean a client error and a server error, respectively. For example, 404 means the resource was not found and 403 means access is forbidden.

By default, Apache logs are stored in /usr/local/apache/logs. The most useful log file is access_log. Its fields include the client IP address, the client identity (identd, generally empty), the user name (if authentication is required), the access method (GET, POST, ...), the HTTP status, the number of bytes transmitted, and so on.

2. Collecting information

We simulate the usual pattern in which hackers attack a server: first collect information, then carry out the intrusion step by step through remote commands. The tool we use is Netcat 1.1 for Windows; the Web server's IP address is 10.22.1.100 and the client's IP address is 10.22.1.80.

C:\> nc -n 10.22.1.100 80
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Server: Microsoft-IIS/4.0
Date: Sun, 08 Oct 2002 14:31:00 GMT
Content-Type: text/html
Set-Cookie: ASPSESSIONIDGQQQQQPA=ihojarjdecollgibnkmceeed; path=/
Cache-control: private

The IIS and Apache logs are shown as follows:

IIS: 15:08:44 10.22.1.80 HEAD /Default.asp 200

Apache: 10.22.1.80 - - [08/Oct/2002:15:56:39 -0700] "HEAD / HTTP/1.0" 200 0

The activity above looks normal and has no effect on the server, but it is usually the prelude to an attack.

3. Web site mirroring

Hackers often mirror a site before attacking the server. Commonly used mirroring tools are Teleport Pro on Windows and Wget on Unix.

Next we look at what the server log records after each of these two tools has been used:

16:28:52 10.22.1.80 GET /Default.asp 200
16:28:52 10.22.1.80 GET /robots.txt 404
16:28:52 10.22.1.80 GET /header_protecting_your_privacy.gif 200
16:28:52 10.22.1.80 GET /header_fec_reqs.gif 200
16:28:55 10.22.1.80 GET /photo_contribs_sidebar.jpg 200
16:28:55 10.22.1.80 GET /g2klogo_white_bgd.gif 200
16:28:55 10.22.1.80 GET /header_contribute_on_line.gif 200
16:49:01 10.22.1.81 GET /Default.asp 200
16:49:01 10.22.1.81 GET /robots.txt 404
16:49:01 10.22.1.81 GET /header_contribute_on_line.gif 200
16:49:01 10.22.1.81 GET /g2klogo_white_bgd.gif 200
16:49:01 10.22.1.81 GET /photo_contribs_sidebar.jpg 200
16:49:01 10.22.1.81 GET /header_fec_reqs.gif 200
16:49:01 10.22.1.81 GET /header_protecting_your_privacy.gif 200

10.22.1.80 is a Unix client running Wget, and 10.22.1.81 is a Windows client running Teleport Pro. Both request the robots.txt file, which tells mirroring tools and crawlers which files not to fetch, so a request for robots.txt is a sign of a mirroring attempt. Of course, on both Wget and Teleport Pro the fetching of robots.txt can be turned off manually; in that case, look for bulk requests for the same resources coming from a single IP address.

4. Vulnerability scanning

As the attack progresses, the attacker uses a Web vulnerability scanner such as Whisker to check for known vulnerabilities, for example security flaws in CGI programs. The following records show IIS and Apache being scanned with Whisker 1.4:

IIS:

12:07:56 10.22.1.81 GET /SiteServer/Publishing/viewcode.asp 404
12:07:56 10.22.1.81 GET /msadc/samples/adctest.asp 200
12:07:56 10.22.1.81 GET /advworks/equipment/catalog_type.asp 404
12:07:56 10.22.1.81 GET /iisadmpwd/aexp4b.htr 200
12:07:56 10.22.1.81 HEAD /scripts/samples/details.idc 200
12:07:56 10.22.1.81 GET /scripts/samples/details.idc 200
12:07:56 10.22.1.81 HEAD /scripts/samples/ctguestb.idc 200
12:07:56 10.22.1.81 GET /scripts/samples/ctguestb.idc 200
12:07:56 10.22.1.81 HEAD /scripts/tools/newdsn.exe 404
12:07:56 10.22.1.81 HEAD /msadc/msadcs.dll 200
12:07:56 10.22.1.81 GET /scripts/iisadmin/bdir.htr 200
12:07:56 10.22.1.81 HEAD /carbo.dll 404
12:07:56 10.22.1.81 HEAD /scripts/proxy/ 403
12:07:56 10.22.1.81 HEAD /scripts/proxy/w3proxy.dll 500
12:07:56 10.22.1.81 GET /scripts/proxy/w3proxy.dll 500

Apache:

10.22.1.80 - - [08/Oct/2002:12:57:28 -0700] "GET /cfcache.map HTTP/1.0" 404 266
10.22.1.80 - - [08/Oct/2002:12:57:28 -0700] "GET /cfide/Administrator/startstop.html HTTP/1.0" 404 289
10.22.1.80 - - [08/Oct/2002:12:57:28 -0700] "GET /cfappman/index.cfm HTTP/1.0" 404 273
10.22.1.80 - - [08/Oct/2002:12:57:28 -0700] "GET /cgi-bin/ HTTP/1.0" 403 267
10.22.1.80 - - [08/Oct/2002:12:57:29 -0700] "GET /cgi-bin/dbmlparser.exe HTTP/1.0" 404 277
10.22.1.80 - - [08/Oct/2002:12:57:29 -0700] "HEAD /_vti_inf.html HTTP/1.0" 404 0
10.22.1.80 - - [08/Oct/2002:12:57:29 -0700] "HEAD /_vti_pvt/ HTTP/1.0" 404 0
10.22.1.80 - - [08/Oct/2002:12:57:29 -0700] "HEAD /cgi-bin/webdist.cgi HTTP/1.0" 404 0
10.22.1.80 - - [08/Oct/2002:12:57:29 -0700] "HEAD /cgi-bin/handler HTTP/1.0" 404 0
10.22.1.80 - - [08/Oct/2002:12:57:29 -0700] "HEAD /cgi-bin/wrap HTTP/1.0" 404 0
10.22.1.80 - - [08/Oct/2002:12:57:29 -0700] "HEAD /cgi-bin/pfdisplay.cgi HTTP/1.0" 404

The key to recognizing this attack is that a single IP address produces many 404 requests against the CGI directory (/scripts on IIS, /cgi-bin on Apache). When you see this, check the security of the programs in the corresponding CGI directory.

5. Remote attacks

Next we take the MDAC attack against IIS as an example of how a remote attack appears in the log. The MDAC vulnerability allows an attacker to execute arbitrary commands on the Web server.

17:48:49 10.22.1.80 GET /msadc/msadcs.dll 200
17:48:51 10.22.1.80 POST /msadc/msadcs.dll 200

When this attack takes place, requests for msadcs.dll are recorded in the log.

Another well-known attack exploits the ASP source code disclosure vulnerability. When it occurs, the log file contains records like the following:

17:50:13 10.22.1.81 GET /default.asp+.htr 200

For an unauthorized access attempt, the Apache log shows:

[08/Oct/2002:18:58:29 -0700] "GET /private/ HTTP/1.0" 401 462
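
The clues from sections 3, 4 and 5 can be checked mechanically. The following Python script is an added example, not part of the original article: it parses the two log formats shown above (IIS fields time/IP/method/URI/status and the Apache common log format) and flags the same patterns the article describes. The sample log lines are constructed for the example, and the scan_threshold of three 404s is an assumed tuning value.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines (not the article's real logs): IIS "time ip method uri status" and Apache CLF.
IIS_LOG = """\
16:28:52 10.22.1.80 GET /Default.asp 200
16:28:52 10.22.1.80 GET /robots.txt 404
17:48:51 10.22.1.80 POST /msadc/msadcs.dll 200
12:07:56 10.22.1.81 HEAD /scripts/tools/newdsn.exe 404
12:07:56 10.22.1.81 HEAD /scripts/proxy/w3proxy.dll 404
12:07:56 10.22.1.81 GET /scripts/iisadmin/ism.dll 404
17:50:13 10.22.1.81 GET /default.asp+.htr 200
"""
APACHE_LOG = """\
10.22.1.80 - - [08/Oct/2002:12:57:28 -0700] "GET /cgi-bin/ HTTP/1.0" 403 267
10.22.1.80 - - [08/Oct/2002:12:57:29 -0700] "HEAD /cgi-bin/webdist.cgi HTTP/1.0" 404 0
10.22.1.80 - - [08/Oct/2002:12:57:29 -0700] "HEAD /cgi-bin/handler HTTP/1.0" 404 0
10.22.1.80 - - [08/Oct/2002:12:57:29 -0700] "HEAD /cgi-bin/wrap HTTP/1.0" 404 0
10.22.1.80 - - [08/Oct/2002:18:58:29 -0700] "GET /private/ HTTP/1.0" 401 462
"""
IIS_RE = re.compile(r"^\S+ (\S+) (\S+) (\S+) (\d{3})$")
APACHE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
# URI substrings the article ties to specific attacks (matched on lower-cased URIs).
SIGNATURES = {"msadcs.dll": "MDAC (RDS) request", "+.htr": "ASP source disclosure (.htr)"}

def parse(text):
    # Yield (ip, method, uri, status) for lines in either format; skip anything else.
    for line in text.splitlines():
        m = IIS_RE.match(line) or APACHE_RE.match(line)
        if m:
            ip, method, uri, status = m.groups()
            yield ip, method, uri.lower(), int(status)

def analyze(text, scan_threshold=3):
    """Return {ip: sorted findings}; scan_threshold is an assumed tuning value."""
    findings = defaultdict(set)
    cgi_404 = Counter()  # per-IP count of 404s under the CGI directory
    for ip, method, uri, status in parse(text):
        if uri == "/robots.txt":  # section 3: mirroring tools fetch it first
            findings[ip].add("mirroring tool (robots.txt fetch)")
        if status == 404 and uri.startswith(("/scripts/", "/cgi-bin/")):
            cgi_404[ip] += 1  # section 4: scanner probing CGI programs
        if status == 401:  # section 5: unauthorized access attempt
            findings[ip].add("unauthorized access attempt")
        for needle, label in SIGNATURES.items():
            if needle in uri:  # section 5: MDAC and +.htr requests
                findings[ip].add(label)
    for ip, n in cgi_404.items():
        if n >= scan_threshold:
            findings[ip].add(f"vulnerability scan ({n} x 404 in CGI dir)")
    return {ip: sorted(v) for ip, v in findings.items()}
```

Run it over a real access_log or W3C log read from disk; the Apache pattern does not cover the combined format's referer and user-agent fields, which it simply ignores because only the prefix is matched.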

6. Summary

Managing a secure Web site requires system administrators to have security knowledge and vigilance. Security knowledge gathered from different channels helps both to respond to attacks in progress and to prevent future ones. Understanding and preventing attacks through the log files is very important, yet often overlooked.

An IDS (intrusion detection system) can help a great deal, but it cannot completely replace security management. Check the logs carefully: what the IDS misses may be found there.
