Search for hacker traces in Web server records

Source: Internet
Author: User
Tags: apache, log, microsoft, iis

Abstract: This article describes how to analyze Web server logs, find clues about hacker attacks among a large number of records, and gives specific examples for the two most popular Web servers.

Today, networks and their security receive more and more attention. When building a secure network environment we have gradually strengthened technical measures and management systems, set up firewalls, and installed intrusion detection systems. However, network security is an all-around problem: neglecting any one part produces a weakest-link effect that renders the entire security system hollow. This article analyzes Web server logs to identify vulnerabilities and prevent attacks, and so enhance Web server security.

Web services are the most numerous and most varied services provided on the Internet, so the various Web servers are naturally the most attacked. We have adopted many measures to prevent attacks and intrusions, but examining Web server logs is the most direct, common, and effective method. However, logs are very large and reviewing them is tedious; if you cannot grasp the key points, attack clues are easily overlooked. Below we conduct an attack experiment against Apache and IIS, the two most popular Web servers, and then locate the clues of the attack in a large number of log records, so that appropriate measures can be taken to strengthen prevention.

1. Default web records

For IIS, the default log is stored in C:\WINNT\system32\LogFiles\W3SVC1, and the file name is the date of the day. The record format is the standard W3C extended log format and can be parsed by various log analysis tools; by default the fields are time, visitor IP address, access method (GET, POST ...), requested resource, HTTP status (expressed as a number), and so on. For the HTTP status, 200-299 indicates that the access succeeded; 300-399 indicates that further client action is required to satisfy the request; 400-499 indicates a client error and 500-599 a server error. For example, 404 indicates that the resource was not found, and 403 indicates that access is forbidden.

By default, Apache logs are stored in /usr/local/apache/logs. The most useful log file is access_log. Its format includes the client IP address, an identity field (generally empty), the user name (if authentication is required), the timestamp, the access method (GET, POST ...) and requested resource, the HTTP status, the number of bytes transmitted, and so on.

2. Collect information

We simulate the common pattern in which hackers attack servers: first collect information, then carry out the intrusion step by step through remote commands. The tool we use is netcat 1.1 for Windows; the Web server IP address is 10.22.1.100 and the client IP address is 10.22.1.80.

C:\> nc -n 10.22.1.100 80
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Server: Microsoft-IIS/4.0
Date: Sun, 08 Oct 2002 14:31:00 GMT
Content-Type: text/html
Set-Cookie: ASPSESSIONIDGQQQQQPA=ihojarjdecollgibnkmceeed; path=/
Cache-control: private

The IIS and Apache logs are shown as follows:

IIS: 15:08:44 10.22.1.80 HEAD /Default.asp 200
Apache (Linux): 10.22.1.80 - - [08/Oct/2002:15:56:39 -0700] "HEAD / HTTP/1.0" 200 0

The above activity looks normal and has no effect on the server by itself, but it is the typical prelude to an attack.

3. Web site mirroring

Hackers often mirror a site before attacking the server. Commonly used mirroring tools are Teleport Pro on Windows and Wget on Unix.

Next we look at what the server log records after each of these two tools has been used:

16:28:52 10.22.1.80 GET /Default.asp 200
16:28:52 10.22.1.80 GET /robots.txt 404
16:28:52 10.22.1.80 GET /header_protecting_your_privacy.gif 200
16:28:52 10.22.1.80 GET /header_fec_reqs.gif 200
16:28:55 10.22.1.80 GET /photo_contribs_sidebar.jpg 200
16:28:55 10.22.1.80 GET /g2klogo_white_bgd.gif 200
16:28:55 10.22.1.80 GET /header_contribute_on_line.gif 200
16:49:01 10.22.1.81 GET /Default.asp 200
16:49:01 10.22.1.81 GET /robots.txt 404
16:49:01 10.22.1.81 GET /header_contribute_on_line.gif 200
16:49:01 10.22.1.81 GET /g2klogo_white_bgd.gif 200
16:49:01 10.22.1.81 GET /photo_contribs_sidebar.jpg 200
16:49:01 10.22.1.81 GET /header_fec_reqs.gif 200
16:49:01 10.22.1.81 GET /header_protecting_your_privacy.gif 200

10.22.1.80 is a Unix client running Wget, and 10.22.1.81 is a Windows client running Teleport Pro. Both request the robots.txt file, which a site uses to declare which files should not be mirrored; a request for robots.txt therefore indicates a mirroring attempt. Of course, the fetching of robots.txt can be disabled manually in both Wget and Teleport Pro. In that case, look instead for the same IP address requesting the site's resources again and again in a short time.

4. Vulnerability Scanning

As the attack progresses, the attacker can use Web vulnerability scanning software such as Whisker to check for known vulnerabilities, for example security holes in CGI programs. The following are the IIS and Apache log records produced by running Whisker 1.4:

IIS
12:07:56 10.22.1.81 GET /SiteServer/Publishing/viewcode.asp 404
12:07:56 10.22.1.81 GET /msadc/samples/adctest.asp 200
12:07:56 10.22.1.81 GET /advworks/equipment/catalog_type.asp 404
12:07:56 10.22.1.81 GET /iisadmpwd/aexp4b.htr 200
12:07:56 10.22.1.81 HEAD /scripts/samples/details.idc 200
12:07:56 10.22.1.81 GET /scripts/samples/details.idc 200
12:07:56 10.22.1.81 HEAD /scripts/samples/ctguestb.idc 200
12:07:56 10.22.1.81 GET /scripts/samples/ctguestb.idc 200
12:07:56 10.22.1.81 HEAD /scripts/tools/newdsn.exe 404
12:07:56 10.22.1.81 HEAD /msadc/msadcs.dll 200
12:07:56 10.22.1.81 GET /scripts/iisadmin/bdir.htr 200
12:07:56 10.22.1.81 HEAD /carbo.dll 404
12:07:56 10.22.1.81 HEAD /scripts/proxy/ 403
12:07:56 10.22.1.81 HEAD /scripts/proxy/w3proxy.dll 500
12:07:56 10.22.1.81 GET /scripts/proxy/w3proxy.dll 500

Apache
10.22.1.80 - - [08/Oct/2002:12:57:28 -0700] "GET /cfcache.map HTTP/1.0" 404 266
10.22.1.80 - - [08/Oct/2002:12:57:28 -0700] "GET /cfide/Administrator/startstop.html HTTP/1.0" 404 289
10.22.1.80 - - [08/Oct/2002:12:57:28 -0700] "GET /cfappman/index.cfm HTTP/1.0" 404 273
10.22.1.80 - - [08/Oct/2002:12:57:28 -0700] "GET /cgi-bin/ HTTP/1.0" 403 267
10.22.1.80 - - [08/Oct/2002:12:57:29 -0700] "GET /cgi-bin/dbmlparser.exe HTTP/1.0" 404 277
10.22.1.80 - - [08/Oct/2002:12:57:29 -0700] "HEAD /_vti_inf.html HTTP/1.0" 404 0
10.22.1.80 - - [08/Oct/2002:12:57:29 -0700] "HEAD /_vti_pvt/ HTTP/1.0" 404 0
10.22.1.80 - - [08/Oct/2002:12:57:29 -0700] "HEAD /cgi-bin/webdist.cgi HTTP/1.0" 404 0
10.22.1.80 - - [08/Oct/2002:12:57:29 -0700] "HEAD /cgi-bin/handler HTTP/1.0" 404 0
10.22.1.80 - - [08/Oct/2002:12:57:29 -0700] "HEAD /cgi-bin/wrap HTTP/1.0" 404 0
10.22.1.80 - - [08/Oct/2002:12:57:29 -0700] "HEAD /cgi-bin/pfdisplay.cgi HTTP/1.0" 404
The key to spotting this kind of attack is that the same IP address generates many requests with 404 status against the CGI directory (scripts for IIS, cgi-bin for Apache). When you see this, check the security of the programs in the corresponding CGI directory.

5. Remote attacks

Next we take the MDAC attack against IIS as an example to see how a remote attack appears in the log. The MDAC vulnerability allows an attacker to execute arbitrary commands on the Web server.

17:48:49 10.22.1.80 GET /msadc/msadcs.dll 200
17:48:51 10.22.1.80 POST /msadc/msadcs.dll 200

When this attack occurs, requests for msadcs.dll (including a POST) are recorded in the log.

Another well-known attack exploits the ASP source code disclosure vulnerability. When such an attack occurs, the log file contains a record like the following:

17:50:13 10.22.1.81 GET /default.asp+.htr 200

For an unauthorized access attempt against a protected directory, the Apache log shows:

[08/Oct/2002:18:58:29 -0700] "GET /private/ HTTP/1.0" 401 462
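As an added illustration that is not part of the original article, the following Python script applies the heuristics from sections 3, 4 and 5 to log lines in the two formats shown above: it parses both the abbreviated IIS format and the Apache access_log format, flags robots.txt fetches (mirroring), counts 404s under /scripts/ or /cgi-bin/ per IP address (scanning), and matches the msadcs.dll POST and +.htr signatures. The sample lines, the threshold of three 404s, and the function names are constructed assumptions for this example.

```python
import re
from collections import Counter

# Apache common-log line: 10.22.1.80 - - [08/Oct/2002:12:57:28 -0700] "GET /x HTTP/1.0" 404 266
APACHE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')
# Abbreviated IIS line in the form the article prints: time ip method path status
IIS_RE = re.compile(r'^\d\d:\d\d:\d\d (\S+) (\S+) (\S+) (\d{3})$')

def parse_line(line):
    """Return (ip, method, path, status) for either log style, or None."""
    m = APACHE_RE.match(line) or IIS_RE.match(line)
    if not m:
        return None
    ip, method, path, status = m.groups()
    return ip, method, path, int(status)

def analyze(lines, scan_threshold=3):
    """Flag mirroring, CGI-directory scanning and the two IIS attack signatures."""
    mirror_ips, cgi_404s, signatures = set(), Counter(), []
    for rec in filter(None, map(parse_line, lines)):   # skip unparseable lines
        ip, method, path, status = rec
        low = path.lower()
        if low == "/robots.txt":          # section 3: mirroring tools fetch it first
            mirror_ips.add(ip)
        if status == 404 and low.startswith(("/scripts/", "/cgi-bin/")):
            cgi_404s[ip] += 1             # section 4: probing for known CGI programs
        if method == "POST" and low.endswith("/msadc/msadcs.dll"):
            signatures.append((ip, "MDAC RDS request to msadcs.dll"))
        if low.endswith("+.htr"):
            signatures.append((ip, "ASP source disclosure via +.htr"))
    scanners = {ip for ip, n in cgi_404s.items() if n >= scan_threshold}
    return {"mirror": mirror_ips, "scan": scanners, "signature": signatures}

# Constructed sample lines (IIS style first, Apache style after); not a real capture.
SAMPLE_LOG = """\
16:28:52 10.22.1.80 GET /robots.txt 404
12:07:56 10.22.1.81 GET /scripts/samples/details.idc 404
12:07:56 10.22.1.81 HEAD /scripts/tools/newdsn.exe 404
12:07:56 10.22.1.81 HEAD /scripts/proxy/w3proxy.dll 404
17:48:51 10.22.1.80 POST /msadc/msadcs.dll 200
17:50:13 10.22.1.81 GET /default.asp+.htr 200
10.22.1.82 - - [08/Oct/2002:12:57:28 -0700] "GET /cgi-bin/dbmlparser.exe HTTP/1.0" 404 277
10.22.1.82 - - [08/Oct/2002:12:57:29 -0700] "HEAD /cgi-bin/handler HTTP/1.0" 404 0
10.22.1.82 - - [08/Oct/2002:12:57:29 -0700] "HEAD /cgi-bin/wrap HTTP/1.0" 404 0
"""

def run_sample():
    return analyze(SAMPLE_LOG.splitlines())
```

On the sample, run_sample() reports 10.22.1.80 as a mirroring client, 10.22.1.81 and 10.22.1.82 as scanners, and one signature hit each for the MDAC and +.htr requests.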

6. Summary

Managing a secure website requires system administrators to have security knowledge and vigilance. Acquiring security knowledge from different sources not only helps deal with existing attacks, it also helps prevent future ones. Understanding and preventing attacks through the log files is very important but often overlooked.

An IDS (Intrusion Detection System) can help a great deal, but it cannot completely replace security management. Check the logs carefully: what the IDS misses may be found there.
