Log Analysis and Security for Windows Servers

Source: Internet
Author: User

1. Use Windows Firewall logs to detect intrusions. Below is a firewall log record:

2005-01-13 00:35:04 OPEN TCP 61.145.129.133 64.233.189.20 4959 80

2005-01-13 00:35:04: the date and time of the record. OPEN: the connection was opened (a CLOSE record marks the connection being closed). TCP: the protocol. 61.145.129.20: the local IP address. 64.233.189.104: the remote IP address. 4959: the local port. 80: the remote port. Note: if the ports here are not common ports such as 80 and 21, pay attention to them. Each OPEN record has a corresponding CLOSE record, and the connection duration can be calculated by comparing the two.

Note: to produce these records, the "Record successful connections" option must be checked in the security logging options of the firewall that comes with Windows.
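As an added example that is not part of the original article, the following Python script does what the paragraph above describes by hand: it parses firewall records in the simplified column layout the article shows (date, time, action, protocol, local IP, remote IP, local port, remote port), pairs each OPEN with its CLOSE to compute the connection duration, and reports connections whose remote port is not in a set of common ports. The sample records and the COMMON_PORTS set are constructed assumptions; adjust the set to the services your server really offers.

```python
"""Parse Windows Firewall log records, pair each OPEN with its CLOSE and
flag connections on uncommon ports (added example, not from the article)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample records in the simplified column layout the article
# describes: date time action protocol local-ip remote-ip local-port remote-port
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port
2005-01-13 00:35:04 OPEN TCP 61.145.129.133 64.233.189.20 4959 80
2005-01-13 00:35:09 CLOSE TCP 61.145.129.133 64.233.189.20 4959 80
2005-01-13 00:36:10 OPEN TCP 61.145.129.133 203.0.113.7 1035 31337
2005-01-13 00:41:10 CLOSE TCP 61.145.129.133 203.0.113.7 1035 31337
2005-01-13 00:42:00 OPEN TCP 61.145.129.133 198.51.100.9 1040 21
"""

# Assumed set of "common" remote ports; extend it with the services your server really uses.
COMMON_PORTS = {21, 25, 53, 80, 110, 443}


def parse_records(text):
    """Yield one dict per record; '#' comment lines and blank lines are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        date, time, action, proto, lip, rip, lport, rport = line.split()
        yield {
            "ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
            "action": action,
            "proto": proto,
            "local_ip": lip,
            "remote_ip": rip,
            "local_port": int(lport),
            "remote_port": int(rport),
        }


def pair_connections(records):
    """Match each OPEN with the next CLOSE on the same 5-tuple.

    Returns a list of (open_record, duration_seconds); duration is None when
    no CLOSE was seen, i.e. the connection was still open at the end of the log.
    """
    pending = defaultdict(list)   # 5-tuple -> indexes into `results` awaiting a CLOSE
    results = []
    for rec in records:
        key = (rec["proto"], rec["local_ip"], rec["remote_ip"],
               rec["local_port"], rec["remote_port"])
        if rec["action"] == "OPEN":
            pending[key].append(len(results))
            results.append([rec, None])
        elif rec["action"] == "CLOSE" and pending[key]:
            idx = pending[key].pop(0)
            results[idx][1] = (rec["ts"] - results[idx][0]["ts"]).total_seconds()
    return [tuple(r) for r in results]


def suspicious_connections(text, common_ports=COMMON_PORTS):
    """Return (remote_ip, remote_port, duration) for every connection whose
    remote port is not in the common set, the case the article says to watch."""
    return [
        (rec["remote_ip"], rec["remote_port"], duration)
        for rec, duration in pair_connections(parse_records(text))
        if rec["remote_port"] not in common_ports
    ]


if __name__ == "__main__":
    for ip, port, duration in suspicious_connections(SAMPLE_LOG):
        print(f"uncommon port {port} to {ip}, open for {duration} s")
```

A connection that never receives a CLOSE is reported with a duration of None, which is itself worth a look: a long-lived session on an unusual port is exactly the kind of record the article tells you to watch.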

 

2. Detect intrusion attacks through IIS logs

1. Check the IIS log format. IIS logs are stored in the System32\LogFiles directory by default and use the W3C extended format. The following record illustrates the format:

2005-01-03 16:44:57 218.17.90.60 GET /Default.aspx - 80 - 218.17.90.60 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322) 200 0 0

2005-01-03 16:44:57: the time of the record;

218.17.90.60: the IP address of the server (host);

GET: the method used to request the page. /Default.aspx: the name of the requested page. If this is not the name of one of your pages, someone may be probing your website for injection attacks. For example, a request whose path ends in /winnt/system32/cmd.exe/c+dir after a series of ../ sequences (in the source it appears as "/msadc /.. wax .. wax .. wax ../winnt/system32/cmd.exe/c + dir") shows an attacker trying to reach your system directory.

- 80: the server port (the dash before it is the empty query string).

- 218.17.90.60: the IP address of the client (the dash before it is the empty user name). If a large number of connections come from the same IP address, at one time or spread over time, pay attention to it.

Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322): the client's browser and operating system version.

200: the request succeeded. 304 is a redirection-class response. 404 means the page was not found (a client error). If the server is working normally but a large number of 404 errors appear, someone may again be probing your website for injection attacks.

2. Search IIS logs. Once you understand the IIS log format, you can trace the attacker's activity. However, checking every record by hand is nearly impossible, so use the findstr command that Windows provides. The following uses the string cmd in the January 1 log as an example. Suppose the IIS log path is D:\w3c. Enter findstr "cmd" D:\w3c\ex050101.log and press Enter. If many matches come from the same IP address, pay attention to it! The following are sensitive strings I have collected; they are for reference only, and you can define your own based on your system and web pages. It is more convenient to run them from a batch file. cmd, ', \, .., ;, and, webconfig, global
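As an added example that is not part of the original article, the following Python script automates steps 1 and 2 above: it parses the W3C extended format (reading the column names from the #Fields header instead of assuming positions), URL-decodes each request, searches it for the sensitive strings listed in step 2, and tallies requests and 404 responses per client IP, which are the two volume signals the article says to watch. The sample log lines are constructed, and the regular-expression list is an assumption derived from the article's string list; tune it to your own site.

```python
"""Scan an IIS W3C extended log for injection/traversal probes and 404 bursts
(added example, not from the article)."""
import re
from collections import Counter
from urllib.parse import unquote

# Regex forms of the article's sensitive strings ("cmd", "'", "\", "..", ";",
# "and", "webconfig", "global"); matched case-insensitively in the decoded
# URI stem and query. This list is an assumption: tune it to your site.
SENSITIVE_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in [r"cmd", r"'", r"\\", r"\.\.", r";", r"\band\b", r"web\.?config", r"global"]
]

# Constructed sample log in the default W3C layout shown in the article.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2005-01-03 16:44:57
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2005-01-03 16:44:57 218.17.90.60 GET /Default.aspx - 80 - 218.17.90.60 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2) 200 0 0
2005-01-03 16:45:01 218.17.90.60 GET /msadc/../../winnt/system32/cmd.exe /c+dir 80 - 203.0.113.5 Mozilla/4.0 404 0 2
2005-01-03 16:45:02 218.17.90.60 GET /news.aspx id=1'+and+1=1 80 - 203.0.113.5 Mozilla/4.0 500 0 0
2005-01-03 16:45:03 218.17.90.60 GET /web.config - 80 - 203.0.113.5 Mozilla/4.0 404 0 2
2005-01-03 16:45:04 218.17.90.60 GET /about.aspx - 80 - 198.51.100.9 Mozilla/4.0 200 0 0
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()          # IIS encodes spaces inside a field as '+'
        if len(values) != len(fields):
            continue                   # malformed line: skip rather than mis-align columns
        yield dict(zip(fields, values))


def flag_request(entry):
    """Return the sensitive patterns found in the decoded URI stem and query."""
    target = unquote(entry["cs-uri-stem"]) + " " + unquote(entry["cs-uri-query"])
    return [p.pattern for p in SENSITIVE_PATTERNS if p.search(target)]


def analyse(text):
    """Return (suspicious requests, requests per client IP, 404s per client IP)."""
    suspicious = []           # (client ip, uri stem, matched patterns)
    per_ip = Counter()        # total requests per client IP
    not_found = Counter()     # 404 responses per client IP
    for entry in parse_w3c(text):
        ip = entry["c-ip"]
        per_ip[ip] += 1
        if entry["sc-status"] == "404":
            not_found[ip] += 1
        hits = flag_request(entry)
        if hits:
            suspicious.append((ip, entry["cs-uri-stem"], hits))
    return suspicious, per_ip, not_found


if __name__ == "__main__":
    found, per_ip, not_found = analyse(SAMPLE_LOG)
    for ip, uri, hits in found:
        print(f"{ip} requested {uri}: matched {hits}")
    for ip, count in not_found.most_common():
        print(f"{ip}: {count} x 404 out of {per_ip[ip]} requests")
```

Decoding the URI before matching matters: a probe that is percent-encoded in the log would slip past a plain findstr for "cmd" but is caught once unquoted.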

If findstr is not intuitive or powerful enough for you, use the AutoScanIISLogFiles V1.4 tool, which scans multiple files at a time from a graphical interface: Http://www.11k.net/Software/View-Software-1585.html

If the information in the IIS logs is not enough for you, create a hidden page that every visitor is first redirected to when they reach the website, and add code to it that records the visitor's IP address, operating system, computer name and other details into a database. Then, even if an attacker uses a dynamic IP address, you can still identify him as long as he does not change his system, even after the IIS logs are deleted.

 

3. Check the Security log for signs of a successful intrusion. If you have enabled auditing of successful logon events, policy changes, account logon events and system events, any successful intrusion leaves traces in the Security log.

Recommended Practices:

1. Check the Security log at least once a day. Key event IDs to check: 529: logon failed, an attempt to log on with an unknown user name or a known user name with an incorrect password. 528: the user successfully logged on to the computer. 539: logon failed, the logon account was locked out at the time of the attempt. This event indicates a password attack that failed and caused the account to lock.

682: the user reconnected to a disconnected Terminal Server session. 683: the user disconnected from a Terminal Server session without logging off. Both can indicate a Terminal Services attack.

624: a user account was created. 625: a user account type was changed. 626: a user account was enabled. 629: a user account was disabled. 630: a user account was deleted. These five events may show an attacker disabling or deleting the account used to launch the attack in order to conceal their traces.

577: the user attempted to perform a privileged system service operation. 578: a privilege was used on an already open handle to a protected object. The privilege involved is named in the description of the 577 or 578 event. SeTcbPrivilege: indicates a user trying to raise their security level by acting as part of the operating system, for example by adding their own account to the Administrators group. SeSystemTimePrivilege: change the system time; this event can indicate that a user tried to change the system time. SeRemoteShutDownPrivilege: force a shutdown from a remote system. SeLoadDriverPrivilege: load or unload a driver. SeSecurityPrivilege: manage the audit and security log; this occurs when the event log is cleared or when privilege-use events are written to the Security log. SeShutDownPrivilege: shut down the system. SeTakeOwnershipPrivilege: take ownership of files or other objects; this event indicates that an attacker is trying to bypass the current security settings by taking ownership of an object.

517: the audit log was cleared or modified. This event can indicate that an attacker tried to cover their tracks by modifying or clearing the log. 612: the audit policy was changed. This event can indicate that an attacker tried to cover their tracks by modifying the audit policy: to hide the deletion of log entries, an attacker may first disable auditing of system events.

2. View important events through filters: in the Event Viewer window, click the View menu, click Filter, define your filter options, and click OK.

3. Back up events after viewing: in the Event Viewer window, click the Action menu, click Export List, and choose the save path and file name. If the save type is "Text (tab delimited)", the list is saved as a text file; if you choose "Text (comma delimited)", it is saved as an Excel-readable file. You can of course also choose Save Log File As. You can also use dumpel.exe from the Resource Kit tools together with a scheduled task to back up system logs regularly.

4. Clear the log entries you have already reviewed and backed up: the fewer entries remain, the easier it is to spot problems.

5. Cross-check with the System log and the Application log to detect suspicious content.

6. The EventCombMT tool. EventCombMT is a powerful multi-threaded tool that analyzes event logs on many servers at the same time, spawning a separate execution thread for each server included in the search criteria. You can use it to define a single event ID or several event IDs (separated by spaces) to search for, or a range of event IDs, for example 528> ID <540; to limit the search to a specific event log, for example only the Security log; to limit it to a specific event type, for example success audits; to limit it to a specific event source; to search for specific text in the event description; and to define an interval to scan backward from the current date and time. Note: to use this tool you must install the Windows Server 2003 Resource Kit Tools. After installation, enter EventCombMT at the command prompt. Download: http://www.microsoft.com/downloads/details.aspx?FamilyID=9d467a69-57ff-4ae7-96ee-b18c4790cffd&DisplayLang=en
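As an added example that is not part of the original article, the following Python script applies the checks from item 1 above to a comma-delimited Security log export of the kind item 3 produces: it groups failed logons (529) per account in a sliding time window to expose password-guessing bursts, and lists log-tampering events (517, 612), account lifecycle events (624 to 630), Terminal Server session events (682, 683) and privilege-use events (577, 578) that name the privileges the article singles out. The export column layout and the sample rows are constructed assumptions (a Description column is added to Event Viewer's export columns); the event meanings are the ones the article gives.

```python
"""Triage an exported Security log against the event IDs the article lists
(added example; the export layout is an assumption)."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Event IDs and meanings as listed in the article (Windows 2000/2003 numbering).
EVENT_MEANINGS = {
    528: "successful logon",
    529: "logon failed: unknown user name or bad password",
    539: "logon failed: account locked out",
    682: "Terminal Server session reconnected",
    683: "Terminal Server session disconnected without logoff",
    624: "user account created", 625: "user account type changed",
    626: "user account enabled", 629: "user account disabled", 630: "user account deleted",
    577: "privileged service called", 578: "privileged object operation",
    517: "audit log cleared", 612: "audit policy changed",
}
TAMPERING_IDS = {517, 612}
ACCOUNT_IDS = {624, 625, 626, 629, 630}
TERMINAL_IDS = {682, 683}
PRIVILEGES_OF_INTEREST = ("SeTcbPrivilege", "SeSecurityPrivilege",
                          "SeTakeOwnershipPrivilege", "SeLoadDriverPrivilege")

# Constructed sample export. Column layout is assumed: Event Viewer's
# comma-delimited "Export List" columns plus a Description column.
SAMPLE_CSV = """\
Type,Date,Time,Source,Category,Event,User,Computer,Description
Failure Audit,2005-01-13,02:10:01,Security,Logon/Logoff,529,administrator,SRV1,bad password
Failure Audit,2005-01-13,02:10:02,Security,Logon/Logoff,529,administrator,SRV1,bad password
Failure Audit,2005-01-13,02:10:03,Security,Logon/Logoff,529,administrator,SRV1,bad password
Failure Audit,2005-01-13,02:10:04,Security,Logon/Logoff,529,administrator,SRV1,bad password
Failure Audit,2005-01-13,02:10:05,Security,Logon/Logoff,529,administrator,SRV1,bad password
Failure Audit,2005-01-13,02:10:06,Security,Logon/Logoff,529,administrator,SRV1,bad password
Failure Audit,2005-01-13,02:10:07,Security,Logon/Logoff,539,administrator,SRV1,account locked out
Failure Audit,2005-01-13,09:30:00,Security,Logon/Logoff,529,jsmith,SRV1,bad password
Success Audit,2005-01-13,02:12:00,Security,Logon/Logoff,528,administrator,SRV1,logon type 10
Success Audit,2005-01-13,02:12:30,Security,Account Management,624,administrator,SRV1,new account helper$
Success Audit,2005-01-13,02:13:00,Security,Privilege Use,577,administrator,SRV1,privileges: SeTcbPrivilege
Success Audit,2005-01-13,02:14:00,Security,System Event,517,administrator,SRV1,audit log cleared
"""


def parse_export(text):
    """Return the rows as dicts with a datetime and an integer event ID."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append({
            "ts": datetime.strptime(f"{row['Date']} {row['Time']}", "%Y-%m-%d %H:%M:%S"),
            "event_id": int(row["Event"]),
            "user": row["User"],
            "description": row["Description"],
        })
    return events


def failed_logon_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Accounts with at least `threshold` 529 events inside any `window`, with the peak count."""
    stamps_by_user = defaultdict(list)
    for e in events:
        if e["event_id"] == 529:
            stamps_by_user[e["user"]].append(e["ts"])
    bursts = {}
    for user, stamps in stamps_by_user.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):          # sliding window over sorted timestamps
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts[user] = peak
    return bursts


def triage(text):
    """Apply the article's checks and return the findings grouped by category."""
    events = parse_export(text)
    return {
        "bursts": failed_logon_bursts(events),
        "tampering": [(e["event_id"], EVENT_MEANINGS[e["event_id"]])
                      for e in events if e["event_id"] in TAMPERING_IDS],
        "account_changes": [(e["event_id"], e["description"])
                            for e in events if e["event_id"] in ACCOUNT_IDS],
        "terminal_sessions": [e["event_id"] for e in events if e["event_id"] in TERMINAL_IDS],
        "privilege_use": [(e["event_id"], p) for e in events
                          if e["event_id"] in (577, 578)
                          for p in PRIVILEGES_OF_INTEREST if p in e["description"]],
    }


if __name__ == "__main__":
    for category, items in triage(SAMPLE_CSV).items():
        print(f"{category}: {items}")
```

Read the findings together rather than one at a time: a burst of 529s followed by a 528, a 624 and a 517 within minutes is the sequence the article describes, a password attack that succeeded, created an account and then cleared the log.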

 

4. Port detection of intrusion attacks

Ports are the door attackers like most, so develop the habit of checking them.

1. Run the netstat command. Run netstat -ano at the CMD prompt to list the open ports together with the PID of the program using each port; netstat -n shows the active connections. If the command shows an unknown open port, either a new service was started or a Trojan is running. Solution: open Task Manager, choose Select Columns under the View menu, tick PID, and click OK. Then use the PID of the open port to find the program file name in Task Manager and kill the process there. If Task Manager reports that the process cannot be killed, run the ntsd command in the form c:\> ntsd -c q -p PID. If the process owning the PID is not a standalone program file but svchost or lsass (many Trojans do this now), you need considerable knowledge to find it. In my experience, the following methods are used in combination.

Search for suspicious services hosted by svchost or lsass in the Services list. Enter tasklist /svc at the command prompt to see the PID and the services associated with each process. Use the process management feature of Windows Optimization Master to find suspicious .dll files loaded in svchost or lsass. Check the newest files in System32: enter dir /od in the System32 path at the command prompt. Use the HijackThis tool to find out which programs and dll files are started by the system: Http://www.cl520.net/soft/3992.htm

If you are not sure whether a suspicious dll is a virus file, search for its name on Google.
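As an added example that is not part of the original article, the following Python script automates the netstat -ano plus tasklist /svc procedure above: it joins the two outputs on the PID so every listening port is attributed to an image name and the services it hosts, reports listeners that are not in a known-good port baseline, and separately lists svchost.exe or lsass.exe instances that host no service at all, the hiding place the article warns about. The baseline ports are taken from the article's section 11 (a Windows Server 2003 host with IIS and SQL Server 2000) and should be replaced with your own; the two command outputs are constructed samples in the layout those commands print.

```python
"""Join `netstat -ano` and `tasklist /svc` output to map listening ports to
processes and services, and flag ports outside a baseline (added example)."""
import re

# Baseline of expected listening ports, taken from section 11 of the article
# (Windows Server 2003 with IIS and SQL Server 2000). Replace with your own.
BASELINE_TCP = {135, 139, 445, 1025, 1026, 80, 8759, 1433}
BASELINE_UDP = {123, 445, 500, 1027, 4500, 68, 1434}

# Constructed sample in the layout netstat -ano prints on Windows Server 2003.
NETSTAT_OUTPUT = """\

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1488
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       708
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING       1772
  TCP    0.0.0.0:6667           0.0.0.0:0              LISTENING       2044
  TCP    61.145.129.133:1035    203.0.113.7:31337      ESTABLISHED     2044
  UDP    0.0.0.0:123            *:*                                    940
  UDP    0.0.0.0:1434           *:*                                    1772
"""

# Constructed sample in the layout tasklist /svc prints.
TASKLIST_OUTPUT = """\

Image Name                     PID Services
========================= ======== ============================================
System                           4 N/A
svchost.exe                    708 RpcSs
svchost.exe                    940 W32Time, EventSystem
inetinfo.exe                  1488 IISADMIN, W3SVC
sqlservr.exe                  1772 MSSQLSERVER
svchost.exe                   2044 N/A
"""


def parse_tasklist(text):
    """Map PID -> (image name, [service names]) from tasklist /svc output."""
    procs = {}
    for line in text.splitlines():
        m = re.match(r"^(?P<image>\S+)\s+(?P<pid>\d+)\s+(?P<svcs>.*)$", line)
        if m:
            svcs = m.group("svcs").strip()
            names = [] if svcs == "N/A" else [s.strip() for s in svcs.split(",")]
            procs[int(m.group("pid"))] = (m.group("image"), names)
    return procs


def parse_netstat(text):
    """Return one dict per socket line from netstat -ano output."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        port = int(parts[1].rsplit(":", 1)[1])
        state = parts[3] if parts[0] == "TCP" else "LISTENING"   # UDP lines have no State column
        sockets.append({"proto": parts[0], "port": port, "state": state,
                        "foreign": parts[2], "pid": int(parts[-1])})
    return sockets


def unexpected_listeners(netstat_text, tasklist_text):
    """Listening sockets whose port is not in the baseline, attributed to their process."""
    procs = parse_tasklist(tasklist_text)
    findings = []
    for sock in parse_netstat(netstat_text):
        if sock["state"] != "LISTENING":
            continue
        baseline = BASELINE_TCP if sock["proto"] == "TCP" else BASELINE_UDP
        if sock["port"] in baseline:
            continue
        image, services = procs.get(sock["pid"], ("<unknown>", []))
        findings.append((sock["proto"], sock["port"], sock["pid"], image, services))
    return findings


def hollow_service_hosts(tasklist_text):
    """PIDs of svchost.exe or lsass.exe images that host no service: a sign that
    the image name is being borrowed, which the article says Trojans now do."""
    return sorted(pid for pid, (image, services) in parse_tasklist(tasklist_text).items()
                  if image.lower() in ("svchost.exe", "lsass.exe") and not services)


if __name__ == "__main__":
    for proto, port, pid, image, services in unexpected_listeners(NETSTAT_OUTPUT, TASKLIST_OUTPUT):
        print(f"{proto} {port} owned by PID {pid} ({image}, services={services})")
    print("svchost/lsass with no services:", hollow_service_hosts(TASKLIST_OUTPUT))
```

In the sample the unexpected listener and the serviceless svchost.exe are the same PID, which is the combination the article says to investigate further with tasklist, the newest files in System32 and HijackThis.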

2. ActivePorts: once installed, it shows all open and active ports in a graphical interface, associates ports with processes and program paths, and can be used to terminate an active connection.

5. If process monitoring reveals an abnormal process, kill it promptly. If it cannot be killed in Task Manager, find the suspicious service that owns it and stop that service first, or use the ntsd command at the prompt. Format: ntsd -c q -p PID

 

6. Use svcmon.exe (Service Monitoring Tool) to monitor installed services.

This tool monitors status changes of services on the local or a remote computer. When a service starts or stops, it notifies you by e-mail or through Exchange Server. To use it, install the Resource Kit. However, the tool is not present after installing the Resource Kit downloaded from the MS website (http://www.microsoft.com/downloads/details.aspx?FamilyID=9d467a69-57ff-4ae7-96ee-b18c4790cffd&DisplayLang=en); in fact many tools are missing from that Resource Kit, which may be a cut-down package. I later installed Support Tools from the 2003 CD, and it was not there either. I used the 2000 Resource Kit installation CD instead; after installation it works on 2003, but I found that the system became unstable, so it is best to find the 2003 Resource Kit installation CD. The tool consists of two components. After installing the Resource Kit, svcmon.exe is located in C:\Program Files\Resource Kit by default; copy it to %SystemRoot%\System32, then enter Smconfig at the command prompt to open the graphical Configuration Wizard. Note that the e-mail address of the user to be notified is added under Exchange Recipients; otherwise just follow the instructions. If an abnormal service is found, you can remove it with instsrv.exe from the Resource Kit. Format: instsrv servicename Remove

 

7. Check the system files under System32. Back up the System32 folder right after the system is installed and again after new software is installed, then use the COMP command regularly to compare file contents and find suspicious folders or files. The format of the COMP command at the command prompt is COMP data1 data2 /L /C, where data1 is the location and name of the first file to compare, data2 is the location and name of the second file, /L shows the differing lines, and /C ignores the case of ASCII letters when comparing. Note: the WinDiff tool from MS lets you compare two files visually.
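As an added example that is not part of the original article, the following Python script implements the backup-and-compare idea above as a hash baseline: it records size and SHA-256 for every file under a directory, saves that baseline as JSON, and later reports files that were added, removed or changed. Hashing stands in for the article's COMP command so that a whole tree, not one file pair, can be checked in one run and same-size replacements are still caught. The demo() function builds and modifies a constructed set of files in a temporary directory standing in for System32; the file names are assumptions.

```python
"""Baseline a directory tree with SHA-256 hashes and report added, removed and
changed files (added example; hashing stands in for the article's COMP command)."""
import hashlib
import json
import os
import tempfile


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file's contents, read in chunks so large binaries are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root):
    """Map each file's path relative to root to (size, sha256)."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = (os.path.getsize(full), hash_file(full))
    return baseline


def save_baseline(baseline, path):
    """Persist the baseline as JSON; keep this copy off the monitored host."""
    with open(path, "w", encoding="utf-8") as out:
        json.dump(baseline, out, indent=1)


def load_baseline(path):
    with open(path, encoding="utf-8") as src:
        return {rel: tuple(v) for rel, v in json.load(src).items()}


def compare(old, new):
    """Sorted lists of paths that were added, removed, or whose size/hash changed."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def demo():
    """Self-contained run on constructed files in a temporary directory."""
    with tempfile.TemporaryDirectory() as work:
        root = os.path.join(work, "system32")            # stand-in for %SystemRoot%\System32
        baseline_path = os.path.join(work, "baseline.json")

        def write(rel, data):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as out:
                out.write(data)

        write("a.dll", b"original a")
        write("b.exe", b"original b")
        write("drivers/c.sys", b"original c")
        save_baseline(build_baseline(root), baseline_path)   # taken right after installation

        # Later: one file replaced with same-size content, one deleted, one dropped in.
        write("b.exe", b"patched  b")
        os.remove(os.path.join(root, "a.dll"))
        write("d.dll", b"new file")
        return compare(load_baseline(baseline_path), build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

Store the saved baseline somewhere the server cannot overwrite it, and refresh it deliberately after each legitimate patch or installation; otherwise the next comparison will report the update as a change and the signal is lost in noise.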

 

8. Use drivers.exe to monitor installed drivers. Some attackers now add Trojans as drivers, and we can detect them with the Drivers tool provided by MS. On the computer where it runs, the tool lists all installed device drivers and outputs information including the driver file name, its size on disk and the date on which the driver was linked. The link date identifies newly installed drivers: if no updated driver was installed recently, a recent date may indicate that a driver has been replaced. Note: drivers.exe is not included in the Windows Server 2003 Resource Kit Tools downloaded from the MS website; I use the version from the 2000 Resource Kit.

9. Check the local users and groups. Note that if you use the net user command line to view users, you will not see hidden users (those with $ appended to the user name), so it is best to use the Local Users and Groups snap-in to view all users.

10. Check the modification dates of the web page files, especially those that connect to the database. Some attackers leave a backdoor in the page code after an intrusion, so if a date has changed, examine that file.

11. Services, processes and ports. 1. Services. The services started by default, before IIS and SQL 2000 are installed, are: Automatic Updates, COM+ Event System, Computer Browser, Cryptographic Services, DHCP Client, Distributed File System, region, Distributed Transaction Coordinator, DNS Client, Error Reporting, Event Log, Help and Support, IPSEC Services, Logical Disk Manager, Network Location Awareness, Plug and Play, Print Spooler, Remote Procedure Call, Remote Registry, Secondary Logon, Security Accounts Manager, Server, System Event Notification, Task Scheduler, TCP/IP NetBIOS Helper, Terminal Services, Windows Installer, Windows Management Instrumentation, Windows Time, Wireless Configuration and Workstation.

The following services are added after IIS is installed: AddService, COM+ System Application, HTTP SSL, IIS Admin Service, Network Connections, Protected Storage, Shell Hardware Detection and World Wide Web Publishing.

The following services are started after SQL 2000 is installed: Microsoft Search, NTLM Security Support Provider and MSSQLServer.

2. Processes. The processes started by default are: ctfmon (admin), wpabaln (admin), explorer (admin), wmiprvse, dfssvc, msdtc (network service), spoolsv, lsass, conime (admin), services, svchost (two instances as local service, one as network service), winlogon, csrss, smss, System and System Idle Process. Total: 22 processes. The marks admin, network service and local service give the account a process runs under; processes without a mark run as the System user.

After IIS is installed, the following processes are added: wpabaln (admin), inetinfo.

After SQL is installed, the following processes are added: mssearch, sqlmangr, wowexec (admin), sqlservr.

3. Open ports. The ports open by default are TCP 135, 445, 1025, 1026, 139 and UDP 445, 500, 1027, 4500, 123.

After IIS is installed, TCP ports 80 and 8759 are added. Note that port 8759 is selected automatically on first installation.

After SQL is installed, the following ports are added: TCP 1433 and UDP 68, 1434.

If the firewall is enabled, TCP ports 3001, 3002, 3003 and UDP ports 3004, 3005 are also open.
