How to check logs of compromised Systems

Source: Internet
Author: User
Tags: squid proxy

After a UNIX system has been compromised, it is very important to determine the damage done and the source address of the attacker. Although most intruders know how to use a previously compromised computer as a stepping stone to attack your server, the reconnaissance they carry out before launching the real attack (exploratory scans) often originates from their own machines. The following describes how to analyze the logs of a compromised system to determine the intruder's IP address.

1. messages

/var/adm is the UNIX log directory (/var/log on Linux). It holds quite a few log files in ASCII format. Let us focus first on the messages file, which is usually the file intruders are most interested in, since it records information at the system level, from boot-time copyright and hardware messages to authentication events. The following is a failed login record:

Apr 29 19:06:47 www login[28845]: failed login 1 FROM xxx.xxx, User not known to the underlying authentication module

And this is a record of a successful login (a session being opened):

Apr 29 22:05:45 game PAM_pwdb[29509]: (login) session opened for user ncx by (uid=0)

The first step should be to run kill -HUP `cat /var/run/syslogd.pid` so that syslogd reopens its log files. Of course, the intruder may already have done this.

2. wtmp, utmp logs, FTP Log

Files named wtmp and utmp can be found in the /var/adm, /var/log or /etc directories; they record when and from where users logged on to the host remotely. Among hacker tools, zap2 (the compiled binary is usually called z2 or wipe) is the oldest and most popular program for "erasing" a user's login records from these two files. However, out of laziness or because of a slow network connection, many intruders never upload or compile it. The administrator can then use the lastlog command to obtain the source address of the intruder's last connection (which may, of course, be one of their stepping stones). The FTP log is usually /var/log/xferlog; it records in detail the time, source and file name of every file uploaded over FTP. This log is too obvious, however, so more capable intruders rarely use FTP to transfer files; they generally use rcp instead.
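
As an added example (not part of the original article), here is a Python parser for Linux glibc-format wtmp records that lists logins and flags the all-zero records a wtmp "wiper" such as zap2 leaves behind; the record layout is assumed to be glibc's 384-byte struct utmp and the sample records are constructed inline.

```python
import struct

# Assumed layout: glibc struct utmp on Linux, 384 bytes per record.
# Older SysV utmp formats differ; adjust UTMP_FMT for them.
UTMP_FMT = "<hxxi32s4s32s256shhi2i4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
EMPTY, USER_PROCESS, DEAD_PROCESS = 0, 7, 8


def cstr(b):
    """Decode a NUL-padded fixed-width field."""
    return b.split(b"\0", 1)[0].decode("latin-1")


def parse_wtmp(data):
    """Yield one dict per complete record; a trailing partial record is ignored."""
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        yield {"type": f[0], "pid": f[1], "line": cstr(f[2]),
               "user": cstr(f[4]), "host": cstr(f[5]), "time": f[9]}


def audit_wtmp(data):
    """Return (logins, wiped): logins as (user, host, epoch) tuples and the
    indexes of EMPTY records. wtmp is append-only, so a zeroed record in the
    middle of the file means someone erased a login entry."""
    logins, wiped = [], []
    for i, r in enumerate(parse_wtmp(data)):
        if r["type"] == EMPTY:
            wiped.append(i)
        elif r["type"] == USER_PROCESS:
            logins.append((r["user"], r["host"], r["time"]))
    return logins, wiped


def make_record(rtype, pid, line, user, host, ts):
    """Pack one record; used here only to build the constructed sample data."""
    return struct.pack(UTMP_FMT, rtype, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, ts, 0, 0, 0, 0, 0)


# Constructed sample wtmp: an admin login, one wiped slot, the intruder's login
# from a TEST-NET placeholder address, and the matching logout record.
SAMPLE_WTMP = b"".join([
    make_record(USER_PROCESS, 101, "pts/0", "admin", "10.0.0.5", 956800000),
    bytes(UTMP_SIZE),  # what a wiper leaves behind
    make_record(USER_PROCESS, 103, "pts/1", "ncx", "203.0.113.7", 956810000),
    make_record(DEAD_PROCESS, 103, "pts/1", "", "", 956813600),
])
```

Run audit_wtmp() over the bytes of a real /var/log/wtmp to get the same two lists for a live system.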

3. sh_history

After obtaining root privileges, intruders may create their own accounts. A more advanced technique is to set a password on a rarely used system account such as uucp or lp. After the intrusion, even if the intruder has deleted .sh_history, run kill -HUP `cat /var/run/inetd.pid` to write the bash command history still held in memory back to disk, then execute find / -name .sh_history -print and carefully check every suspicious shell command in each file found. Such files may be located in /usr/spool/lp (the lp home directory), /usr/lib/uucp/ and other directories. A .sh_history file may also contain commands such as ftp xxx.xxx.xxx.xxx or rcp nobody@xxx.xxx.xxx.xxx:/tmp/backdoor, which reveal the intruder's IP address or domain name.

4. HTTP server logs

This is the most effective way to determine the attacker's real source address. Take the most popular web server, Apache, as an example. In the logs/ directory under the server root you will find the access.log file, which records every visitor's IP address, access time and requested content. After a compromise you should be able to find records similar to the following in this file:

xxx.xxx.xxx.xxx [28/Apr/2000:00:29:05 -0800] "GET /cgi-bin/rguest.exe" 404 -
xxx.xxx.xxx.xxx [28/Apr/2000:00:28:57 -0800] "GET /msads/Samples/SELECTOR/showcode.asp" 404 -

This shows that the intruder at IP address xxx.xxx.xxx.xxx tried to access the /msads/Samples/SELECTOR/showcode.asp file at 00:28 on April 28, 2000, the trace typically left by a web CGI scanner. Intruders running web scanners usually do so from the machine closest to themselves, so combining the attack time with the IP address tells us a great deal about them.
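
As an added example (not from the original article), the following Python code parses Apache common-log-format lines and reports source addresses whose 404 responses cluster in time, the typical footprint of a CGI scanner; the log lines are constructed and the IP addresses are TEST-NET placeholders.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache Common Log Format: host ident authuser [date] "request" status bytes
CLF_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<req>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)$')


def parse_clf(line):
    """Return a dict for one CLF line, or None if the line does not match."""
    m = CLF_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z")
    parts = m.group("req").split()  # "GET /path" or "GET /path HTTP/1.0"
    return {"host": m.group("host"), "time": ts,
            "path": parts[1] if len(parts) > 1 else "",
            "status": int(m.group("status"))}


def find_scanners(lines, min_misses=3, window_s=60):
    """Return {host: sorted 404 paths} for every host that produced at least
    min_misses 404 responses inside some window_s-second window. Ordinary
    users mistype a URL now and then; scanners probe many within seconds."""
    misses = defaultdict(list)
    for line in lines:
        r = parse_clf(line)
        if r and r["status"] == 404:
            misses[r["host"]].append(r)
    scanners = {}
    for host, recs in misses.items():
        recs.sort(key=lambda r: r["time"])
        for i in range(len(recs) - min_misses + 1):
            span = recs[i + min_misses - 1]["time"] - recs[i]["time"]
            if span.total_seconds() <= window_s:
                scanners[host] = sorted({r["path"] for r in recs})
                break
    return scanners


# Constructed sample access.log (TEST-NET addresses stand in for real ones).
SAMPLE_LOG = """\
203.0.113.7 - - [28/Apr/2000:00:28:57 -0800] "GET /msads/Samples/SELECTOR/showcode.asp" 404 -
203.0.113.7 - - [28/Apr/2000:00:29:05 -0800] "GET /cgi-bin/rguest.exe" 404 -
203.0.113.7 - - [28/Apr/2000:00:29:11 -0800] "GET /cgi-bin/phf HTTP/1.0" 404 -
198.51.100.2 - - [28/Apr/2000:00:30:00 -0800] "GET /index.html HTTP/1.0" 200 1024
198.51.100.2 - - [28/Apr/2000:03:10:00 -0800] "GET /missing.html HTTP/1.0" 404 -
""".splitlines()
```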

5. Core dump

A secure and stable daemon does not dump core during normal operation. When an intruder attacks a service through a remote vulnerability, the service is often in the middle of handling the attacker's connection (for example in a getpeername() socket call), so the intruder's IP address is held in process memory and ends up in the core file as well.
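
As an added example (not part of the original text), this Python routine carves candidate struct sockaddr_in values, the structure that getpeername() fills in, out of a raw core file; the byte layout assumes little-endian x86 Linux, and the sample "core" is a constructed byte string.

```python
import socket
import struct

AF_INET = 2
SOCKADDR_IN_LEN = 16  # sa_family(2) + sin_port(2) + sin_addr(4) + sin_zero(8)


def carve_sockaddr_in(blob, align=4):
    """Return (ip, port, offset) for each plausible sockaddr_in in blob.

    Assumed layout (little-endian x86 Linux): sa_family is a native-endian
    u16, sin_port is network byte order, sin_addr is 4 raw bytes and sin_zero
    is 8 zero bytes. Requiring sin_zero to be zero and skipping 0.0.0.0 and
    255.255.255.255 removes most false positives from random memory."""
    found = []
    for off in range(0, len(blob) - SOCKADDR_IN_LEN + 1, align):
        family = struct.unpack_from("<H", blob, off)[0]
        if family != AF_INET:
            continue
        port = struct.unpack_from(">H", blob, off + 2)[0]
        raw_ip = blob[off + 4:off + 8]
        if port == 0 or blob[off + 8:off + 16] != bytes(8):
            continue
        if raw_ip in (bytes(4), b"\xff\xff\xff\xff"):
            continue
        found.append((socket.inet_ntoa(raw_ip), port, off))
    return found


def pack_sockaddr_in(ip, port):
    """Build a sockaddr_in as the kernel lays it out (for the sample data)."""
    return (struct.pack("<H", AF_INET) + struct.pack(">H", port)
            + socket.inet_aton(ip) + bytes(8))


# Constructed "core": a zero-filled stack region, the peer address the crashed
# daemon was handling (TEST-NET placeholder), a decoy whose sin_zero is not
# zero, and some string data.
SAMPLE_CORE = (bytes(20)
               + pack_sockaddr_in("203.0.113.7", 1234)
               + b"\x02\x00\x04\xd2\xc0\x00\x02\x01\xde\xad\xbe\xef" + bytes(4)
               + b"/bin/sh\0")
```

On a real core file, read it in binary mode and pass the bytes to carve_sockaddr_in(); each hit's offset can then be inspected with a debugger to see which socket it belonged to.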

6. Proxy server logs

In large and medium-sized enterprise networks the proxy server is often the interface through which internal and external information is exchanged, and it faithfully records every user's accesses.

That of course includes the intruder's accesses. Take the most common proxy, squid, as an example: its (usually huge) log file access.log is generally found under /usr/local/squid/logs. Log analysis scripts for squid are available at http://www.squid-cache.org/Doc/Users-Guide/added/st.html. By analyzing the accesses to sensitive files recorded in access.log, you can find out who accessed content that should have remained confidential.
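
As an added example (not the article's own script nor squid's), this Python snippet parses squid's native access.log format and reports which client successfully fetched which confidential URL; the log lines and the "sensitive" path patterns are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# squid native log format:
# time.ms elapsed client result/status bytes method URL rfc931 peer/host type
SQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+(?P<result>\S+)/"
    r"(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+"
    r"(?P<user>\S+)\s+(?P<peer>\S+)\s+(?P<type>\S+)$")


def parse_squid(line):
    """Return a dict for one native-format line, or None if it does not match."""
    m = SQUID_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])
    # squid logs UNIX time with millisecond resolution; render it in UTC.
    d["when"] = datetime.fromtimestamp(int(float(d["ts"])), tz=timezone.utc)
    return d


def who_touched(lines, sensitive_patterns):
    """Map each client that successfully (2xx) fetched a URL matching one of
    sensitive_patterns to a sorted list of (time, url). Denied requests
    (403) are skipped here but are themselves worth a second look."""
    pats = [re.compile(p) for p in sensitive_patterns]
    seen = {}
    for line in lines:
        r = parse_squid(line)
        if r is None or not 200 <= r["status"] < 300:
            continue
        if any(p.search(r["url"]) for p in pats):
            stamp = r["when"].strftime("%Y-%m-%d %H:%M:%S")
            seen.setdefault(r["client"], []).append((stamp, r["url"]))
    return {c: sorted(v) for c, v in seen.items()}


# Constructed access.log lines (RFC 1918 clients, example.com hosts).
SAMPLE_ACCESS_LOG = """\
956800000.123    210 10.0.0.5 TCP_MISS/200 48211 GET http://intranet.example.com/finance/payroll.xls - DIRECT/10.0.0.9 application/vnd.ms-excel
956800012.456     12 10.0.0.5 TCP_HIT/200 2210 GET http://www.example.com/index.html - NONE/- text/html
956800100.001    150 10.0.0.77 TCP_MISS/403 310 GET http://intranet.example.com/finance/payroll.xls - DIRECT/10.0.0.9 text/html
956800200.777    180 10.0.0.77 TCP_MISS/200 9000 GET http://intranet.example.com/hr/salaries.doc - DIRECT/10.0.0.9 application/msword
""".splitlines()
```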

7. Router logs

By default, a router does not log any scans or logins, so intruders often use it as a stepping stone for their attacks. If your enterprise network is divided into a demilitarized zone (DMZ) and internal segments, enabling router logging will help track intruders later. More importantly for administrators, such logging can tell whether the attacker is an insider or an outsider. Of course, you need an additional server to hold the router log file.

Note!

It is unlikely that an intruder gets through an entire attack without ever establishing a TCP connection with the target machine; for many subjective and objective reasons, it is quite difficult to carry out an attack without leaving any logs at all.

If we spend enough time and effort, we can extract information about the intruder from the large volume of logs. In terms of intruder behaviour, the more privileges they have obtained on the target machine, the more they tend to use conservative methods to connect to it. Carefully analyzing the early logs, especially those that contain scans, therefore gives us a real advantage.

Log auditing is only a passive defence applied after an intrusion. Actively keeping up with security knowledge and upgrading or patching the system in time is the most effective way to prevent intrusions.
