Web logs are an important basis for judging server security: they show whether a server has been intruded and allow the attacker to be traced back. For exactly that reason, attackers tend to clear the logs as quickly as possible.
I. Common tactics attackers use to clear logs
1. Web logs on the server
Take a Web server running Windows Server 2003 as an example. Its logs include the Security, System and Application logs, the WWW log and the FTP log. The first three are viewed by entering eventvwr.msc in "Start > Run" to open the Event Viewer; the WWW and FTP logs are stored on disk as log files.
(1) Security log file: C:\WINDOWS\system32\config\SecEvent.Evt
(2) System log file: C:\WINDOWS\system32\config\SysEvent.Evt
(3) Application log file: C:\WINDOWS\system32\config\AppEvent.Evt
(4) Default FTP log location: C:\WINDOWS\system32\Logfiles\MSFTPSVC1
(5) Default WWW log location: C:\WINDOWS\system32\Logfiles\W3SVC1
2. Illegal log clearing
While the server is running normally, these logs cannot simply be deleted. To delete the FTP and WWW logs, the two services would have to be stopped before the files are removed, which attackers generally do not do. The Security, System and Application logs are held open by the Event Log service, which cannot be stopped, so those files cannot be deleted directly. After taking down a Web server, attackers therefore usually clear the logs with tools, mainly CL and CleanIISLog.
(1) Using CL to clear logs thoroughly
This tool can completely clear the IIS log, FTP log, scheduled task log, system log and security log, and it is easy to use.
Entering "cl -logfiles 127.0.0.1" at the command line clears the Web server's Web, FTP and scheduled task logs. The principle is to stop the FTP, WWW and Task Scheduler services, delete the logs, and then start the three services again.
The tool can also clear the corresponding logs selectively. For example, entering "cl -eventlog All" clears the system-related event logs on the Web server. In addition, the tool supports remote cleanup, which attackers often use: they first run "net use \\ip\ipc$ password /user:username" to establish an IPC$ administrative connection to the server as the administrator, and then run "cl -logfile ip" to clear the service logs remotely.
(2) Using CleanIISLog to clear IIS logs selectively
For example, if an attacker takes down the server through Web injection, all traces of the intrusion (the IP addresses) remain in the IIS log. The attacker then uses this tool to clear only the records of their own IP address from the IIS log, so that the administrator does not notice anything unusual.
Running "CleanIISLog . IP" at the command line clears the connection records of that IP address from the IIS log while keeping the records of all other IP addresses. If the administrator has taken precautions such as changing the IIS log path, the attacker can still use this tool by giving the path: running "CleanIISLog <IIS log path> <IP address>" at the command line clears the records of that IP from the logs in the specified path.
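Both techniques above leave a detectable trace as soon as a copy of the log exists somewhere the attacker cannot reach, which is the argument for the log server described in the next section. The following Python script is an added example, not part of the original article and unrelated to the CL or CleanIISLog tools: it fingerprints a constructed IIS 6.0 W3C log the way a log server could when a file is backed up, and later checks the live file against that fingerprint. A genuine IIS log only ever grows, so a live file that is smaller than the backup, or whose already-backed-up region hashes differently, has been tampered with; the per-IP comparison against the backed-up copy shows exactly whose records vanished, which is what selective cleaning produces. The sample log lines, IP addresses and file name are constructed.

```python
import hashlib
from typing import Dict

# Constructed sample of an IIS 6.0 W3C extended log such as
# C:\WINDOWS\system32\Logfiles\W3SVC1\ex090301.log (sample data, not from the article).
ORIGINAL_LOG = (
    "#Software: Microsoft Internet Information Services 6.0\n"
    "#Version: 1.0\n"
    "#Date: 2009-03-01 00:00:01\n"
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status\n"
    "2009-03-01 00:00:01 192.168.1.5 GET /index.asp - 80 - 10.0.0.7 200\n"
    "2009-03-01 00:00:09 192.168.1.5 GET /news.asp id=1 80 - 10.0.0.7 200\n"
    "2009-03-01 00:00:11 192.168.1.5 GET /news.asp id=1%27 80 - 10.0.0.9 500\n"
    "2009-03-01 00:00:12 192.168.1.5 GET /admin/login.asp - 80 - 10.0.0.9 200\n"
    "2009-03-01 00:00:20 192.168.1.5 GET /index.asp - 80 - 10.0.0.7 200\n"
)

# The same file after every record of client 10.0.0.9 was removed (constructed tampered copy).
TAMPERED_LOG = (
    "#Software: Microsoft Internet Information Services 6.0\n"
    "#Version: 1.0\n"
    "#Date: 2009-03-01 00:00:01\n"
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status\n"
    "2009-03-01 00:00:01 192.168.1.5 GET /index.asp - 80 - 10.0.0.7 200\n"
    "2009-03-01 00:00:09 192.168.1.5 GET /news.asp id=1 80 - 10.0.0.7 200\n"
    "2009-03-01 00:00:20 192.168.1.5 GET /index.asp - 80 - 10.0.0.7 200\n"
)

# The same file after one more legitimate request was appended (constructed).
APPENDED_LOG = ORIGINAL_LOG + "2009-03-01 00:01:02 192.168.1.5 GET /index.asp - 80 - 10.0.0.7 200\n"


def fingerprint(log_text: str) -> dict:
    """What the log server keeps for each backed-up file: its size, content hash and record count."""
    data = log_text.encode("utf-8")
    records = [line for line in log_text.splitlines() if line and not line.startswith("#")]
    return {"bytes": len(data), "sha256": hashlib.sha256(data).hexdigest(), "records": len(records)}


def check_integrity(baseline: dict, current_text: str) -> str:
    """Compare the live file with the fingerprint of its backed-up copy.

    A genuine log only ever grows, so the first baseline['bytes'] bytes of the live
    file must still hash to the stored digest; anything else means tampering."""
    data = current_text.encode("utf-8")
    if len(data) < baseline["bytes"]:
        return "SHRUNK: live file is smaller than the backed-up copy (records deleted or file truncated)"
    if hashlib.sha256(data[: baseline["bytes"]]).hexdigest() != baseline["sha256"]:
        return "HISTORY_MODIFIED: the region that was already backed up no longer matches the stored hash"
    appended = fingerprint(current_text)["records"] - baseline["records"]
    return f"OK: {appended} records appended since the last backup"


def removed_records(backup_text: str, current_text: str) -> Dict[str, int]:
    """Records present in the log-server copy but missing from the live file, counted per client IP.

    The c-ip column is located from the #Fields header, so the configured field order does not matter."""
    fields_line = next(line for line in backup_text.splitlines() if line.startswith("#Fields:"))
    ip_col = fields_line.split()[1:].index("c-ip")
    live = set(current_text.splitlines())
    missing: Dict[str, int] = {}
    for line in backup_text.splitlines():
        if line.startswith("#") or line in live:
            continue
        ip = line.split()[ip_col]
        missing[ip] = missing.get(ip, 0) + 1
    return missing


if __name__ == "__main__":
    baseline = fingerprint(ORIGINAL_LOG)  # taken when the file was last uploaded to the log server
    print(check_integrity(baseline, APPENDED_LOG))
    print(check_integrity(baseline, TAMPERED_LOG))
    print(removed_records(ORIGINAL_LOG, TAMPERED_LOG))
```

The fingerprint is deliberately small (size, hash, record count) so that it can be stored on the log server next to the uploaded copy and re-checked each time the live file is uploaded again; the full backed-up text is only needed for the per-IP comparison once tampering has been flagged.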
II. Set up a log server to protect logs
The demonstration above shows that keeping server logs only on the server itself is very insecure. It is also very troublesome to review logs when an enterprise has many servers. For both reasons, a dedicated log server is set up, which makes backing up the server logs easy and allows them to be managed centrally.
The author's practice is to set up an FTP server that collects and backs up the logs. Dedicated tools or scheduled tasks on each server can upload and back up the logs automatically; this part is fairly simple and is not demonstrated here. In fact, not only server logs but also the logs of network devices can be backed up to the dedicated log server.
Take a router as an example. First, configure the router to specify the server that records its logs, so that the log data is transmitted to the FTP server through the FTP protocol. The FTP server can be set up with the FTP service of IIS or with Serv-U, but in my view IIS FTP is not convenient for permission assignment and Serv-U has had many vulnerabilities, so TYPSoft FTP is recommended.
1. Set up the log server
TYPSoft FTP is green (portable) software. After downloading it, double-click ftpserv.exe to start the TYPSoft FTP main program. Then click "Settings > User" in the menu of the main window and create a new account named log. In the user dialog, set the password for the log account and the directory in which the logs are stored, then click "Save" to apply the settings. The log server is now ready.
2. Specify the log server
Once the log server is set up, you only need to specify its address with the SYSLOG or LOG command in the network device's corresponding settings and add the configured account name and password to complete the transmission configuration. The following shows how to configure and specify the log server on a Cisco device.
Log in to the device normally and enter logging 192.168.1.10 in global configuration mode; this specifies 192.168.1.10 as the log server address on the router. Then enter logging trap, which tells the router what to send to the log server and starts logging. logging trap can be followed by a level from 0 to 7; the levels correspond to different situations and can be chosen according to the actual need. Using logging trap on its own records all logs. Once the configuration is complete, the routing or switching device sends its log information so that problems can be detected and resolved promptly. The log server does not have to be on the same network segment: as long as the routing or switching device can ping the log server's IP address it works, because FTP runs over TCP/IP and can cross network segments.
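The logging commands above make the Cisco device send syslog datagrams (UDP port 514 by default on Cisco IOS) to the host named in logging, and the number after logging trap is the syslog severity: 0 (emergencies) through 7 (debugging), where a lower number means a more urgent message. The following Python collector is an added example, not the author's TYPSoft FTP setup: it parses Cisco-style syslog datagrams, recovers facility and severity from the PRI value at the start of each message, applies the same threshold logic as logging trap <level>, and can listen on UDP/514 to write what it accepts to a file. The sample datagrams, sequence numbers, addresses and the router.log file name are constructed.

```python
import re
import socket
from typing import Dict, List, Optional

# Syslog severity names for levels 0-7, the same scale used by "logging trap <level>".
SEVERITY = ["emergencies", "alerts", "critical", "errors",
            "warnings", "notifications", "informational", "debugging"]

# Constructed Cisco IOS syslog datagrams as they would arrive on UDP/514 (sample data, not from the article).
# PRI = facility * 8 + severity; IOS uses facility local7 (23) by default, so 184 + severity.
SAMPLE_DATAGRAMS = [
    "<189>45: *Mar  1 00:12:03.115: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.1.20)",
    "<190>46: *Mar  1 00:12:40.001: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.0.0.9(4433) -> 192.168.1.5(80), 1 packet",
    "<187>47: *Mar  1 00:13:02.557: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down",
    "<191>48: *Mar  1 00:13:05.010: %SYS-7-USERLOG_DEBUG: Message from tty0(user: admin): test",
]

PRI_RE = re.compile(r"^<(\d{1,3})>(?:(\d+): )?(.*)$")          # <PRI>seq: rest
MSG_RE = re.compile(r"%([A-Z0-9_]+)-(\d)-([A-Z0-9_]+): ?(.*)$")  # %FACILITY-SEVERITY-MNEMONIC: text


def parse_syslog(datagram: str) -> Optional[Dict[str, object]]:
    """Split a datagram into facility, severity, sequence number and the IOS message parts."""
    m = PRI_RE.match(datagram)
    if not m:
        return None
    facility, severity = divmod(int(m.group(1)), 8)
    rec: Dict[str, object] = {
        "facility": facility,
        "severity": severity,
        "seq": int(m.group(2)) if m.group(2) else None,
        "raw": m.group(3),
    }
    mm = MSG_RE.search(m.group(3))
    if mm:
        rec["ios_facility"] = mm.group(1)
        rec["mnemonic"] = mm.group(3)
        rec["text"] = mm.group(4)
        # IOS also encodes the severity inside the message; a mismatch with PRI is worth flagging.
        rec["consistent"] = int(mm.group(2)) == severity
    return rec


def accepted(rec: Dict[str, object], trap_level: int) -> bool:
    """Mirror 'logging trap <level>': keep messages at that severity or more urgent (numerically lower)."""
    return int(rec["severity"]) <= trap_level


def collect(datagrams: List[str], trap_level: int = 7) -> List[str]:
    """Parse and filter a batch of datagrams, returning one formatted line per accepted message."""
    out = []
    for d in datagrams:
        rec = parse_syslog(d)
        if rec is None or not accepted(rec, trap_level):
            continue
        name = SEVERITY[int(rec["severity"])]
        out.append(f"{name:<13} {rec.get('mnemonic', '?')}: {rec.get('text', rec['raw'])}")
    return out


def serve(bind_addr: str = "0.0.0.0", port: int = 514, trap_level: int = 6, logfile: str = "router.log") -> None:
    """Minimal UDP receiver that appends accepted messages to logfile (binding port 514 needs privileges)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    with open(logfile, "a", encoding="utf-8") as fh:
        while True:
            data, (src, _) = sock.recvfrom(4096)
            for line in collect([data.decode("utf-8", "replace")], trap_level):
                fh.write(f"{src} {line}\n")
                fh.flush()


if __name__ == "__main__":
    for line in collect(SAMPLE_DATAGRAMS, trap_level=6):
        print(line)
```

Run the script directly to see the sample messages filtered at the informational level; call serve() as a privileged user to receive real messages. Note that when logging trap is entered without a level, Cisco IOS uses the informational level (6), so debugging (7) messages such as the last sample only reach the collector if logging trap debugging is configured explicitly.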