After a *nix system has been compromised, it is important both to assess the damage and to determine the source address of the intruder's attack. Most intruders know to attack your servers through machines they have already captured, using them as springboards, but the information gathering (exploratory scans) they do before launching the real attack is often started from their own workstations. This article describes how to analyze the logs of a compromised system to determine the intruder's IP.
1. messages
/var/adm is the log directory on UNIX (/var/log on Linux). Quite a few logs are kept there as plain ASCII text; of course, let us focus first on the messages file, which is the one intruders care about most, since it records information at the system level. Much of what is logged here is useless for our purpose.
For example:
APR 21:49:30 Unix:copyright (c) 1983-1997, Sun Microsystems, Inc.
APR 21:49:30 unix:mem = 262144K (0x10000000)
These record copyright or hardware information, whereas:
APR 19:06:47 www login[28845]: FAILED login 1 from xxx.xxx.xxx.xxx,
User not known to the underlying authentication module
is a login-failure record, and:
APR 22:05:45 Game pam_pwdb[29509]: (login) session opened to user Ncx by (uid=0)
records a login session being opened. So the first step should be kill -HUP `cat /var/run/syslogd.pid` (of course, it is possible that the intruder has already done that for us ;-) so that we get no useful information at all).
At this URL you can find a large number of log auditing and analysis tools and scripts:
Http://www.securityfocus.com/tem ... platform=&path=[%20auditing%20][%2-0log%20analysis%20]
2. wtmp, utmp and FTP logs
In the /var/adm, /var/log or /etc directory you can find files named wtmp and utmp, which record when and from where users have telneted into the host. The oldest and most popular tool among hackers for this, zap2 (the compiled binary is usually called z2, or wipe), is used to erase a user's login information from these two files. But because of laziness or a bad network connection (an echo of more than 3 seconds is maddening, and I often see echo times ten times that), many intruders never upload or compile it. What the administrator needs to do is use the lastlog command to get the source address of the intruder's last connection (which, of course, could itself be a springboard).

The FTP log is generally /var/log/xferlog, a text file that records in detail the time, source, filename and so on of every file uploaded via FTP. However, because this log is too obvious, a slightly more sophisticated intruder will rarely use FTP to transfer files; rcp is more common. Of course, you can still run

# cat /var/log/xferlog | grep -v 202.106.147.

to see which addresses appear that should not.
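As an added example (not part of the original article), the following Python script applies the two checks described above to constructed sample records: it counts the "FAILED login ... from" entries in messages per source host, and it filters xferlog records the way the article's grep -v 202.106.147. does, but on the remote-host field alone, so a trusted prefix appearing inside a filename cannot hide a record. The sample lines, the 192.0.2.7 address and the function names are constructed; the field layout assumed for xferlog is the wu-ftpd one.

```python
import re
from collections import Counter

# Constructed sample records in the shape the article shows (not from a real host).
# 192.0.2.7 is a documentation address; 202.106.147. is the article's own "known good" prefix.
SAMPLE_MESSAGES = """\
Apr  5 19:06:47 www login[28845]: FAILED login 1 from 192.0.2.7, User not known to the underlying authentication module
Apr  5 19:06:59 www login[28845]: FAILED login 2 from 192.0.2.7, Authentication failure
Apr  5 19:07:10 www login[28851]: FAILED login 1 from 202.106.147.9, Authentication failure
Apr  5 21:49:30 www unix: copyright (c) 1983-1997, Sun Microsystems, Inc.
Apr  5 22:05:45 game pam_pwdb[29509]: (login) session opened for user ncx by (uid=0)
"""
SAMPLE_XFERLOG = """\
Wed Apr  5 19:12:01 2000 3 192.0.2.7 41200 /tmp/z2.tar.gz b _ i r ncx ftp 0 * c
Wed Apr  5 20:01:44 2000 1 202.106.147.9 2048 /home/ncx/notes.txt a _ o r ncx ftp 0 * c
"""

# "... login[pid]: FAILED login N from <host>, <reason>" as written by login(1)
FAILED_RE = re.compile(r"login\[\d+\]: FAILED login \d+ from (\S+?),", re.IGNORECASE)

def failed_logins(messages, trusted_prefixes=()):
    """Count FAILED login records per source host, skipping trusted prefixes."""
    counts = Counter()
    for line in messages.splitlines():
        m = FAILED_RE.search(line)
        if m and not m.group(1).startswith(tuple(trusted_prefixes)):
            counts[m.group(1)] += 1
    return counts

def xferlog_entries(xferlog, trusted_prefixes=()):
    """Return (host, direction, filename) for wu-ftpd xferlog records whose
    remote host lies outside the trusted prefixes (the grep -v done per field)."""
    entries = []
    for line in xferlog.splitlines():
        f = line.split()
        if len(f) < 18:            # truncated or foreign line, not an xferlog record
            continue
        host, filename, direction = f[6], f[8], f[11]   # fixed xferlog field positions
        if not host.startswith(tuple(trusted_prefixes)):
            entries.append((host, "upload" if direction == "i" else "download", filename))
    return entries

def suspect_hosts(messages, xferlog, trusted_prefixes=()):
    """Hosts seen in either log that are not covered by a trusted prefix."""
    hosts = set(failed_logins(messages, trusted_prefixes))
    hosts.update(h for h, _, _ in xferlog_entries(xferlog, trusted_prefixes))
    return sorted(hosts)
```

Feed it the real files with open("/var/adm/messages").read() and open("/var/log/xferlog").read(), and pass your own address prefixes as trusted_prefixes.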