When a server is attacked, the log files are the easiest thing to overlook, yet they hold the traces of the attacker's activity. Here I introduce the most important log files of the two most common web servers and analyze what records an attacker leaves behind in them after the server is attacked.
Currently, Apache and Microsoft Internet Information Server (IIS) are the most common web servers. Both come in plain and SSL-enabled versions, so attackers can target encrypted as well as unencrypted servers.
The default location of the IIS log is the directory c:\winnt\system32\logfiles\w3svc1. The file is named after the day's date, for example yymmdd.log, and the system starts a new log file every day. The default format is the W3C Extended Log File Format, which many tools can read and analyze. By default the log records the time, the client IP address, the method (GET, POST, etc.), the URI stem (the requested resource), and the HTTP status (a numeric status code). Most of these fields are self-explanatory, but the HTTP status needs interpreting. In general, a code between 200 and 299 indicates success; the common 200 code means the client's request was satisfied. 300 to 399 means the client must take further action to complete the request. 400 to 499 indicates a problem on the client side and 500 to 599 a problem on the server side. The most common status code is 404, which means the resource requested by the client does not exist on the server; 403 means access to the requested resource was denied.
The default location of the Apache log files is /usr/local/apache/logs. The most valuable log file is access_log, but ssl_request_log and ssl_engine_log can also provide useful information. Each access_log entry has seven fields: the client IP address, the client identity field (identd, usually just a dash), the user name, the date, the request (the method such as GET or POST, the requested resource, and then the protocol version), the HTTP status, and the number of bytes transferred.
I simulate attacks using methods and tools similar to those hackers use. (Note: do not try the methods described in this article; please consciously abide by the network rules!)
Analysis Process
The version of a web server is very important information, so attackers generally begin by asking the web server to return it. Sending the string "HEAD / HTTP/1.0" to the server's open communication port with the common netcat utility (/~ Weld/netcat/) or the OpenSSL binary (related URL: http://www.openssl.org/) is enough. Note:
C:\> nc -n 10.0.2.55 80
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Server: Microsoft-IIS/4.0
Date: Sun, 08 Mar 2001 14:31:00 GMT
Content-Type: text/html
Set-Cookie: ASPSESSIONIDGQQQQQPA=ihojarjdecollgibnkmceeed; path=/
Cache-control: private
This request produces the following entries in the IIS and Apache log files:
IIS: 15:08:44 11.1.2.80 HEAD /Default.asp 200
Linux: 11.1.2.80 - - [08/Mar/2001:15:56:39 -0700] "HEAD / HTTP/1.0" 200 0
Although such a request is legitimate and looks routine, it is often the prelude to an attack. Neither access_log nor the IIS log indicates whether the request went to an SSL server or to a plain web server. Apache's ssl_request_log and ssl_engine_log (under the /usr/local/apache/logs directory), however, do record whether there was a connection to the SSL server. See the following ssl_request_log entry:
[07/Mar/2001:15:32:52 -0700] 11.1.1.50 SSLv3 EDH-RSA-DES-CBC3-SHA "HEAD / HTTP/1.0" 0
The third and fourth fields show the protocol version and cipher the client used. The following ssl_request_log entries record requests issued by the OpenSSL, Internet Explorer, and Netscape client programs.
[07/Mar/2001:15:48:26 -0700] 11.1.1.50 SSLv3 EDH-RSA-DES-CBC3-SHA "GET / HTTP/1.0" 2692
[07/Mar/2001:15:52:51 -0700] 10.0.2.55 TLSv1 RC4-MD5 "GET / HTTP/1.1" 2692
[07/Mar/2001:15:54:46 -0700] 11.1.1.50 SSLv3 EXP-RC4-MD5 "GET / HTTP/1.0" 2692
[07/Mar/2001:15:55:34 -0700] 11.1.2.80 SSLv3 RC4-MD5 "GET / HTTP/1.0" 2692
In addition, attackers usually copy a website (so-called mirroring) to gather the information needed to launch an attack. Comments in a page's source code often contain useful information such as directories, file names, and passwords. Common mirroring tools are Teleport Pro for Windows systems (URL: http://www.tenmax.com/teleport/pro/home.htm) and wget for Unix systems (URL: http://www.gnu.org/manual/wget). Here I analyze the log contents after wget and Teleport Pro have been run against the web server. Both tools quickly walk the entire site and request every public page. Mirroring is very easy to recognize once you look at the log file. The following are IIS log entries:
16:28:52 11.1.2.80 GET /Default.asp 200
16:28:52 11.1.2.80 GET /robots.txt 404
16:28:52 11.1.2.80 GET /header_protecting_your_privacy.gif 200
16:28:52 11.1.2.80 GET /header_fec_reqs.gif 200
16:28:55 11.1.2.80 GET /photo_contribs_sidebar.jpg 200
16:28:55 11.1.2.80 GET /g2klogo_white_bgd.gif 200
16:28:55 11.1.2.80 GET /header_contribute_on_line.gif 200
Note: The host 11.1.2.80 is a Unix client sending requests with wget.
16:49:01 11.1.1.50 GET /Default.asp 200
16:49:01 11.1.1.50 GET /robots.txt 404
16:49:01 11.1.1.50 GET /header_contribute_on_line.gif 200
16:49:01 11.1.1.50 GET /g2klogo_white_bgd.gif 200
16:49:01 11.1.1.50 GET /photo_contribs_sidebar.jpg 200
16:49:01 11.1.1.50 GET /header_fec_reqs.gif 200
16:49:01 11.1.1.50 GET /header_protecting_your_privacy.gif 200
Note: The host 11.1.1.50 is a Windows client sending requests with Teleport Pro.
Note: Both clients above requested the robots.txt file. This file is a webmaster's tool for keeping automatic fetching software such as wget and Teleport Pro from crawling or indexing certain pages. A request for robots.txt therefore usually means that the whole site is about to be mirrored. However, Teleport Pro and wget can be told to ignore robots.txt. Another way to detect mirroring is to look for a large number of resource requests coming from the same client IP address.
Attackers can also use web vulnerability scanning software such as Whisker (website: http://www.wiretrip.net/) to probe a web server for security weaknesses (mainly checking whether cgi-bin programs exist, since such programs can introduce security vulnerabilities). The following are some of the log entries produced by the IIS and Apache web servers after Whisker has been run.
IIS:
13:17:56 11.1.1.50 GET /SiteServer/Publishing/viewcode.asp 404
13:17:56 11.1.1.50 GET /msadc/samples/adctest.asp 200
13:17:56 11.1.1.50 GET /advworks/equipment/catalog_type.asp 404
13:17:56 11.1.1.50 GET /iisadmpwd/aexp4b.htr 200
13:17:56 11.1.1.50 HEAD /scripts/samples/details.idc 200
13:17:56 11.1.1.50 GET /scripts/samples/details.idc 200
13:17:56 11.1.1.50 HEAD /scripts/samples/ctguestb.idc 200
13:17:56 11.1.1.50 GET /scripts/samples/ctguestb.idc 200
13:17:56 11.1.1.50 HEAD /scripts/tools/newdsn.exe 404
13:17:56 11.1.1.50 HEAD /msadc/msadcs.dll 200
13:17:56 11.1.1.50 GET /scripts/iisadmin/bdir.htr 200
13:17:56 11.1.1.50 HEAD /carbo.dll 404
13:17:56 11.1.1.50 HEAD /scripts/proxy/ 403
13:17:56 11.1.1.50 HEAD /scripts/proxy/w3proxy.dll 500
13:17:56 11.1.1.50 GET /scripts/proxy/w3proxy.dll 500
Apache:
11.1.1.50 - - [08/Mar/2001:12:57:28 -0700] "GET /cfcache.map HTTP/1.0" 404 266
11.1.1.50 - - [08/Mar/2001:12:57:28 -0700] "GET /cfide/Administrator/startstop.html HTTP/1.0" 404 289
11.1.1.50 - - [08/Mar/2001:12:57:28 -0700] "GET /cfappman/index.cfm HTTP/1.0" 404 273
11.1.1.50 - - [08/Mar/2001:12:57:28 -0700] "GET /cgi-bin/ HTTP/1.0" 403 267
11.1.1.50 - - [08/Mar/2001:12:57:29 -0700] "GET /cgi-bin/dbmlparser.exe HTTP/1.0" 404 277
11.1.1.50 - - [08/Mar/2001:12:57:29 -0700] "HEAD /_vti_inf.html HTTP/1.0" 404 0
11.1.1.50 - - [08/Mar/2001:12:57:29 -0700] "HEAD /_vti_pvt/ HTTP/1.0" 404 0
11.1.1.50 - - [08/Mar/2001:12:57:29 -0700] "HEAD /cgi-bin/webdist.cgi HTTP/1.0" 404 0
11.1.1.50 - - [08/Mar/2001:12:57:29 -0700] "HEAD /cgi-bin/handler HTTP/1.0" 404 0
11.1.1.50 - - [08/Mar/2001:12:57:29 -0700] "HEAD /cgi-bin/wrap HTTP/1.0" 404 0
11.1.1.50 - - [08/Mar/2001:12:57:29 -0700] "HEAD /cgi-bin/pfdisplay.cgi HTTP/1.0" 404 0
The key to detecting such scans is the large number of 404 HTTP status codes coming from a single IP address. Once you notice this pattern, you can analyze which resources the other side requested; here the scanner is clearly hunting for cgi-bin scripts (the cgi-bin directory on an Apache server, the scripts directory on an IIS server).
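As an added example (not code from the original article), the following Python script parses lines in the two layouts shown above, the IIS default layout and the Apache access_log common log format, and flags the three patterns the article describes: a HEAD request for the root document (version probe), a request for robots.txt (mirroring), and a burst of 404s from one IP together with the cgi-bin/scripts paths it asked for (vulnerability scan). The sample lines, the ROOT_DOCS list and the threshold of three 404s are constructed for this demonstration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the two layouts shown on this page (not real traffic).
IIS_LOG = """13:17:56 11.1.1.50 GET /msadc/samples/adctest.asp 200
13:17:56 11.1.1.50 HEAD /carbo.dll 404
13:17:56 11.1.1.50 GET /scripts/tools/newdsn.exe 404
13:17:56 11.1.1.50 HEAD /scripts/proxy/ 403
16:28:52 11.1.2.80 GET /robots.txt 404
15:08:44 10.0.2.55 HEAD /Default.asp 200"""
APACHE_LOG = """11.1.1.50 - - [08/Mar/2001:12:57:28 -0700] "GET /cfcache.map HTTP/1.0" 404 266
11.1.1.50 - - [08/Mar/2001:12:57:29 -0700] "HEAD /cgi-bin/handler HTTP/1.0" 404 0
11.1.1.50 - - [08/Mar/2001:12:57:29 -0700] "HEAD /cgi-bin/wrap HTTP/1.0" 404 0
11.1.2.80 - - [08/Mar/2001:15:56:39 -0700] "HEAD / HTTP/1.0" 200 0"""

# IIS default layout: time ip method uri status; Apache access_log: common log format.
IIS_RE = re.compile(r"^\S+ (?P<ip>\S+) (?P<method>\S+) (?P<uri>\S+) (?P<status>\d{3})$")
APACHE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3}) \S+$')
ROOT_DOCS = ("/", "/default.asp")  # IIS logs "HEAD /" as the default document (assumed list)

def parse(text, fmt):
    """Return (ip, method, uri, status) tuples for either log layout ("iis" or "apache")."""
    rows = []
    for line in text.splitlines():
        m = (IIS_RE if fmt == "iis" else APACHE_RE).match(line)
        if not m:
            continue  # skip lines that do not fit the expected layout
        d = m.groupdict()
        rows.append((d["ip"], d["method"], d["uri"], int(d["status"])))
    return rows

def analyze(rows, max_404=3):
    """Flag the three patterns discussed above, keyed by client IP."""
    probes, mirrors = set(), set()
    not_found, cgi_targets = Counter(), defaultdict(list)
    for ip, method, uri, status in rows:
        if method == "HEAD" and uri.lower() in ROOT_DOCS:
            probes.add(ip)  # banner grab: HEAD / to read the Server: header
        if uri.lower() == "/robots.txt":
            mirrors.add(ip)  # mirroring tools usually fetch robots.txt first
        if status == 404:
            not_found[ip] += 1
        if uri.startswith(("/cgi-bin/", "/scripts/")):
            cgi_targets[ip].append(uri)  # the directories a scanner hunts in
    scans = {ip for ip, n in not_found.items() if n >= max_404}  # many 404s from one host
    return {"version_probe": probes, "mirroring": mirrors, "scanner": scans,
            "cgi_targets": dict(cgi_targets)}
```

Running analyze(parse(IIS_LOG, "iis") + parse(APACHE_LOG, "apache")) attributes the version probe to 10.0.2.55 and 11.1.2.80, the mirroring to 11.1.2.80, and the scan to 11.1.1.50.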
Summary
Every visit to a page leaves clues in the log file. An alert website administrator should treat log analysis as following those traces. If the inspection reveals that the site has a vulnerability, the administrator can expect it to be attacked.
Next, I will demonstrate two common web server attack methods to help you analyze whether the server is under attack.