Detection Methods for Win2000 Server Intrusion Precursors

Source: Internet
Author: User

I. Precursor detection for WWW Service intrusion

On servers exposed to the network, the WWW service is one of the most common services, and intrusion through port 80 is likewise the most common. Many script kiddies are keen on defacing web pages. The WWW service has a large number of users and relatively high traffic, and at the same time there are many WWW service vulnerabilities and intrusion techniques, most of them fairly easy to use. Many "hackers" use vulnerability scanners such as wwwscan and X-ray to scan port 80 for all kinds of vulnerabilities, and some scanners target port 80 only. IIS, which provides the WWW service on Windows, has been prone to vulnerabilities and is a headache for system administrators.

Although port 80 sees many intrusions and scans, it is also very easy to log. IIS provides a powerful logging function: in Internet Service Manager you can enable logging in the site properties. Logs are stored under %WinDir%\System32\LogFiles by default, with one exyymmdd.log file saved per day. These settings, including which fields are recorded, can be configured.

When configuring IIS, keep the IIS logs as detailed as possible to help identify and analyze intrusions. We can then use these logs to discover the precursors of intrusion, that is, to detect whether the server has been scanned. Opening a log file, we can find a scan record similar to the following (this example is a Unicode vulnerability scan):

05:42:27 192.168.1.2 - 192.168.1.1 80 HEAD /script/..?../..?../winnt/system32/cmd.exe /c+dir 404 -

2002-03-10 05:42:28 192.168.1.2 - 192.168.1.1 80 GET /script/..?../..?../..?../winnt/system32/cmd.exe /c+dir 404 -

Note the following content:

/script/..?../..?../..?../winnt/system32/cmd.exe /c+dir 404

A normal user will never send such a request; it is the result of a scan for the IIS Unicode vulnerability. The trailing 404 means the vulnerability does not exist. If 200 is shown instead, the Unicode vulnerability exists, and it has already been scanned for or exploited by someone. Whether the status is 404 or 200, the presence of this content in the log shows that someone is scanning for (or exploiting) a server vulnerability, which is a precursor to intrusion. The log also records the source of the scan: 192.168.1.2.

Another example from the log:

06:17:50 192.168.1.2 - 192.168.1.1 80 HEAD / - 400 -

This record is a HEAD request used to identify the WWW server software. Knowing which software the WWW server runs lets an attacker narrow the scanning scope.

IIS usually records every request, including many from normal users, which makes the IIS log files very large (10 MB or more), so browsing and analyzing them by hand becomes impractical. In this case you can use log analysis software, or simply run the following command to check whether a Unicode vulnerability scan appears in the log:

find /i "winnt/system32/cmd.exe" C:\log\ex020310.log

The find command searches a file for a string. We can search for strings that are characteristic of scanning tools, such as cmd.exe (Unicode vulnerability), ".ida" and ".idq" (IDA/IDQ remote overflow vulnerability), and ".printer" (.printer remote overflow vulnerability).
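The find command above checks one signature at a time. The following Python script, added here as an example and not part of the original article, applies all of the listed signatures to constructed IIS W3C log lines (the field layout and sample requests are assumptions, and the directory traversal in the cmd.exe requests is simplified), counts probes per source IP, and flags cmd.exe requests that returned 200:

```python
from collections import Counter
# Constructed IIS W3C log lines (not from the article); traversal in the cmd.exe requests is simplified.
FIELDS = ["date", "time", "c-ip", "cs-username", "s-ip", "s-port",
          "cs-method", "cs-uri-stem", "cs-uri-query", "sc-status"]
SAMPLE_LOG = """\
2002-03-10 05:42:27 192.168.1.2 - 192.168.1.1 80 HEAD /script/../../winnt/system32/cmd.exe /c+dir 404
2002-03-10 05:42:28 192.168.1.2 - 192.168.1.1 80 GET /script/../../../winnt/system32/cmd.exe /c+dir 200
2002-03-10 05:43:01 192.168.1.2 - 192.168.1.1 80 GET /default.ida - 404
2002-03-10 05:43:02 192.168.1.2 - 192.168.1.1 80 GET /NULL.printer - 500
2002-03-10 06:17:50 192.168.1.2 - 192.168.1.1 80 HEAD / - 400
2002-03-10 06:20:11 192.168.1.50 - 192.168.1.1 80 GET /index.htm - 200
"""

# Strings the article lists as characteristic of scanners, with the probe each indicates.
SIGNATURES = [
    ("winnt/system32/cmd.exe", "Unicode/traversal probe"),
    (".ida", "IDA/IDQ overflow probe"),
    (".idq", "IDA/IDQ overflow probe"),
    (".printer", ".printer overflow probe"),
]

def parse_w3c(text):
    """Yield one dict per request line; skip comment lines and malformed ones."""
    for line in text.splitlines():
        parts = line.split()
        if parts and not line.startswith("#") and len(parts) == len(FIELDS):
            yield dict(zip(FIELDS, parts))

def find_probes(text):
    """Return (c-ip, time, label, sc-status) for every request matching a signature.
    A 404 means the probed hole is absent; a 200 on a cmd.exe request means it is open."""
    hits = []
    for rec in parse_w3c(text):
        target = (rec["cs-uri-stem"] + " " + rec["cs-uri-query"]).lower()
        label = next((desc for sig, desc in SIGNATURES if sig in target), None)
        # A bare HEAD / is the server-software fingerprinting request the article shows.
        if label is None and rec["cs-method"] == "HEAD" and rec["cs-uri-stem"] == "/":
            label = "HEAD / fingerprint probe"
        if label:
            hits.append((rec["c-ip"], rec["time"], label, rec["sc-status"]))
    return hits

def probe_sources(text):
    """Probes per source IP: the scan origins the article says the log reveals."""
    return Counter(ip for ip, _, _, _ in find_probes(text))

def confirmed_holes(text):
    """(ip, time) of cmd.exe probes that got 200: the vulnerability exists and was used."""
    return [(ip, t) for ip, t, label, st in find_probes(text)
            if st == "200" and label.startswith("Unicode")]
```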

II. Precursor detection for FTP and other service intrusion

Building on the precursor detection for the WWW service, we can do the same for FTP and other services (POP, SMTP, etc.). Taking FTP as an example, the initial scan or intrusion against an FTP service is usually account guessing. The FTP service provided by IIS also produces detailed logs like the WWW service (other FTP server software should have corresponding logs as well).

Let's analyze these logs:

2002-03-10 06:41:19 192.168.21.130 administrator [36] USER administrator 331

2002-03-10 06:41:19 192.168.21.130 - [36] PASS - 530

This shows the user name administrator requesting logon and the logon failing. When a large number of logon failure records appear in the log, someone is trying to guess FTP accounts, which is a precursor to intrusion through the FTP service.

The log analysis method is the same as for the WWW service. Because FTP does not support account enumeration, if you find that the user name the attacker is guessing is exactly the one you use, you should rename the account and increase the password length.
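As an added example (not from the original article), this Python script parses constructed IIS FTP log lines in the layout shown above, pairs each PASS 530 with the USER command of the same session number, and reports source IPs that exceed an assumed threshold of three failures:

```python
import re
from collections import Counter, defaultdict

# Constructed IIS FTP log excerpt in the layout the article shows:
# date time c-ip cs-username [session-id] command argument status
FTP_LOG = """\
2002-03-10 06:41:19 192.168.21.130 administrator [36] USER administrator 331
2002-03-10 06:41:19 192.168.21.130 - [36] PASS - 530
2002-03-10 06:41:21 192.168.21.130 admin [37] USER admin 331
2002-03-10 06:41:21 192.168.21.130 - [37] PASS - 530
2002-03-10 06:41:23 192.168.21.130 administrator [38] USER administrator 331
2002-03-10 06:41:23 192.168.21.130 - [38] PASS - 530
2002-03-10 06:41:25 192.168.21.130 root [39] USER root 331
2002-03-10 06:41:25 192.168.21.130 - [39] PASS - 530
2002-03-10 07:02:10 192.168.21.77 webmaster [40] USER webmaster 331
2002-03-10 07:02:10 192.168.21.77 webmaster [40] PASS - 230
"""

# One regex for the whole line; the session id in brackets ties USER and PASS together.
LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) \[(\d+)\] (\S+) (\S+) (\d{3})$")
KEYS = ("time", "ip", "user", "sid", "cmd", "arg", "status")

def parse_ftp(text):
    """Yield one dict per well-formed log line (the date column is dropped)."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            yield dict(zip(KEYS, m.groups()[1:]))

def failed_logons(text):
    """Return {ip: [(time, username), ...]} for every PASS that got 530 (logon failed).
    The PASS line logs '-' as the user, so the name is taken from the USER command
    with the same session id."""
    user_by_sid = {}
    failures = defaultdict(list)
    for rec in parse_ftp(text):
        if rec["cmd"] == "USER":
            user_by_sid[rec["sid"]] = rec["arg"]
        elif rec["cmd"] == "PASS" and rec["status"] == "530":
            failures[rec["ip"]].append((rec["time"], user_by_sid.get(rec["sid"], "?")))
    return dict(failures)

def guessing_sources(text, threshold=3):
    """IPs with at least `threshold` failures (assumed value), with the names they tried."""
    return {ip: Counter(user for _, user in tries)
            for ip, tries in failed_logons(text).items() if len(tries) >= threshold}
```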

III. Precursor detection of system account password cracking

For Windows 2000 servers, another major threat is to system account passwords. If a poorly configured server allows null sessions, attackers can remotely enumerate accounts and then guess passwords for the enumerated accounts. Even if the server rejects null sessions, attackers can still guess system account names, because many administrators use accounts such as administrator, admin, and root. Hacker tools such as "traffic" can guess system account passwords using common-password lists or brute force.

To detect intrusions based on guessing system accounts and passwords, set a server security policy and enable the corresponding audit policy. The basic events to audit are Audit logon events, Audit account logon events, and Audit account management; audit both success and failure. These audit records can then be viewed in the security log in Event Viewer.

For example, if we find many logon failures in the security log, someone is guessing system accounts. Viewing the details of one of them, we see:

Logon Failed:

Cause: Unknown user name or incorrect password

User name: administrator

Domain: ALARM

Logon type: 3

Logon Process: NtLmSsp

Authentication package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0

Workstation name: REFDOM

The attacker is trying to guess the password of the system account administrator. The source is recorded as the workstation name REFDOM, that is, the attacker's computer name rather than an IP address.

When we find that someone is guessing passwords, we should modify the corresponding configuration and policies, for example restricting source IP addresses, renaming the account whose password is being guessed, increasing the password length, and so on.

IV. Precursor detection of Terminal Services intrusion

Windows provides Terminal Services, a Remote Desktop Protocol (RDP) based tool for remote administration. It is a very good remote control tool: its graphical interface makes it easy and convenient for administrators, and it is fast. That also makes it just as convenient for attackers. In addition, Terminal Services had an input method vulnerability in the past that allowed bypassing the logon security check to obtain system privileges. For servers with Terminal Services open, many attackers like to connect remotely just to see what the server looks like (even without an account).

Intrusion through Terminal Services generally happens after a system account has been guessed: the attacker connects remotely and logs on to the terminal with the guessed account.

Open Terminal Services Configuration in Administrative Tools, click "Connections", right-click the RDP connection to configure (such as RDP-Tcp (Microsoft RDP 5.0)), select the "Permissions" tab, click "Advanced", add the Everyone group (representing all users), and audit success and failure of its "Connect", "Disconnect", "Logoff" and "Logon" permissions. These audit records go to the security log and can be viewed in "Administrative Tools" -> "Event Viewer". However, just like the system logon events, this log records the client machine name rather than its IP address. We can create a simple batch file (named TerminalLog.bat) to record the client's IP address. The file content is:

rem append the logon time, then every current TCP connection on port 3389
time /t >> Terminal.log

netstat -n -p tcp | find ":3389" >> Terminal.log

rem hand over to the normal shell so the user still gets a desktop
start explorer

Terminal Services uses TCP port 3389. The first line of the file records the logon time into Terminal.log, serving as the log's time field. The second line records the user's IP address: netstat displays the current network connections, and the lines for port 3389 are appended to the log file. In this way the IP address of the peer that established the 3389 connection is recorded.

To make the script run, set TerminalLog.bat in Terminal Services Configuration as the program started when a user logs on, so every user executes this script after logon. Because the default startup program is Explorer, the command start explorer is added as the last line of the bat file; without it the user cannot reach the desktop. Of course the script can be made more capable, but keep the log file in a secure directory.

With the contents recorded in Terminal.log and the security log, we can discover intrusion events or their precursors through Terminal Services.
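An added example, not part of the original article: this Python script parses a constructed Terminal.log as TerminalLog.bat would write it (the time /t line format and the netstat column layout are assumptions for a US English Windows 2000 system) and attributes each logon to the remote IP that was not yet connected at the previous snapshot, since netstat lists every live 3389 session, not only the new one:

```python
import re

# Constructed Terminal.log content: a 'time /t' line followed by the
# 'netstat -n -p tcp | find ":3389"' output taken at that logon.
TERMINAL_LOG = """\
06:41 AM
  TCP    192.168.1.1:3389       192.168.1.2:1077       ESTABLISHED
06:55 AM
  TCP    192.168.1.1:3389       192.168.1.2:1077       ESTABLISHED
  TCP    192.168.1.1:3389       10.0.0.9:2290          ESTABLISHED
07:10 AM
  TCP    192.168.1.1:3389       10.0.0.9:2290          TIME_WAIT
  TCP    192.168.1.1:3389       172.16.4.4:1201        ESTABLISHED
"""

TIME_RE = re.compile(r"^\d{1,2}:\d{2}(?: [AP]M)?$")          # assumed 'time /t' format
NETSTAT_RE = re.compile(r"^\s*TCP\s+(\S+):3389\s+(\S+):(\d+)\s+(\w+)\s*$")

def parse_terminal_log(text):
    """Return [(logon_time, {remote IPs with an ESTABLISHED 3389 session})] per logon."""
    entries = []
    for line in text.splitlines():
        if TIME_RE.match(line.strip()):
            entries.append((line.strip(), set()))
        else:
            m = NETSTAT_RE.match(line)
            # Only ESTABLISHED rows are live sessions; TIME_WAIT etc. are leftovers.
            if m and entries and m.group(4) == "ESTABLISHED":
                entries[-1][1].add(m.group(2))
    return entries

def new_clients(text):
    """Pair each logon with the remote IPs that were absent from the previous snapshot.
    An empty list means the logon came from an IP that was already connected."""
    result = []
    seen = set()
    for when, ips in parse_terminal_log(text):
        result.append((when, sorted(ips - seen)))
        seen = ips
    return result
```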

For Windows 2000 servers, the four types of intrusion above are the most common and account for the vast majority of intrusions into Windows 2000. Through the above analysis we can promptly discover the precursors of these intrusions, identify the attacker's starting point from the precursor, and take corresponding security measures to prevent the intrusion.

We can also see the importance of logging and event auditing in server security configuration. These log files are prime targets for attackers after an intrusion: they will delete and modify records to erase their footprints. Therefore the various log files should be well hidden and protected with permissions. At the same time, if logs are merely recorded and never regularly reviewed and analyzed, all the work is wasted.

During security maintenance, the system administrator should stay vigilant, be familiar with the intrusion methods hackers use, and do a good job of detecting and analyzing intrusion precursors. In this way the administrator can plan ahead and prevent intrusion events.
