By default a web site serves on port 80, and security issues affecting it are released constantly. Some of these vulnerabilities even allow attackers to gain system administrator privileges on the host. What follows is a study of Zenomorph's fingerprinting of port 80 attack methods, and it shows how to identify problems from log records. The following sections describe in detail some examples of common attacks against web servers and their applications, and the traces these attacks leave in the logs. The examples represent only the main attack methods; not every form of attack is listed. Each section explains what the attack does and how it uses the vulnerability.

(1) ".", ".." and "..." requests

These attack traces are extremely common in web applications and web servers. They are used to let an attacker or a worm change directories within the web server and reach areas that are not meant to be public. Most CGI program vulnerabilities contain some form of ".." request.

Example:

http://host/cgi-bin/lame.cgi?file=../../../../etc/motd

This example shows an attacker requesting the web server's motd (message of the day) file. If an attacker can break out of the web server's root directory, they can gather more information about the system and work toward further privileges.

(2) "%20" requests

%20 is the hexadecimal value of a space. On its own this does not mean you are being attacked, but it is something to look for when you browse the logs, because some applications running on the web server legitimately contain this character in valid requests; check the logs carefully. On the other hand, this character can sometimes help execute commands.

Example:

http://host/cgi-bin/lame.cgi?page=ls%20-al|

This example shows an attacker executing the unix ls command to list all the files in the requested directory. From there an attacker can look for important files on your system and prepare the ground for obtaining further privileges.
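As an added example that is not part of the original article, the following Python resolver shows the server-side checks that the "..", "%20" and null-byte traces above are trying to get past: it URL-decodes a CGI-style file parameter, rejects embedded null bytes and ".." segments, and confines the resolved path to the document root. The document root /var/www/html, the function names and the allowed suffixes are assumptions.

```python
# Added example, not from the original article: a defensive resolver for a
# CGI-style "file=" / "page=" parameter like the lame.cgi one above. The
# document root is an assumed value; the checks are the ones the traces in
# the text show being bypassed.
import os
from typing import Optional
from urllib.parse import unquote

DOCROOT = "/var/www/html"  # assumed document root


def resolve_page(param: str, docroot: str = DOCROOT) -> Optional[str]:
    """Return the absolute path to serve, or None if the request is unsafe."""
    decoded = unquote(param)          # %2e%2e -> .., %00 -> NUL, %20 -> space
    # A NUL byte lets a C/Perl open() see a shorter name than the one that
    # passed the suffix check (the %00 trick), so refuse it outright.
    if "\x00" in decoded:
        return None
    # Refuse any ".." path segment instead of trying to count them.
    if ".." in decoded.split("/"):
        return None
    root = os.path.realpath(docroot)
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    # Confinement check: the resolved path must still be under the docroot.
    if candidate != root and not candidate.startswith(root + os.sep):
        return None
    return candidate


def is_allowed_type(path: str, suffixes=(".html", ".shtml")) -> bool:
    """Suffix check done on the resolved path, after NUL bytes are rejected."""
    return path.endswith(suffixes)
```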
(3) "%00" requests

%00 is the hexadecimal value of a null byte. It can be used to fool a web application into serving a different type of file than the one it is supposed to allow.

Examples:

http://host/cgi-bin/lame.cgi?page=index.html

This may be a valid request on this host. If an attacker notices that it succeeds, he will probe the cgi program further:

http://host/cgi-bin/lame.cgi?page=../../../../etc/motd

The cgi program may not accept this request, because it checks the suffix of the requested file, such as html, shtml or another type. Most programs then report that the requested file type is invalid. In this case the error tells the attacker that the requested file must have a certain suffix. Such messages also leak system paths and file names, which leads to more sensitive information about your system.

http://host/cgi-bin/lame.cgi?page=../../../../etc/motd%00html

Pay attention to this request. It tricks the cgi program into thinking the file is an acceptable file type. Some applications are careless in checking which requested files are valid, and this is a common method for attackers.

(4) "|" requests

This is the pipe character, which is used on unix to help execute multiple system commands at once in a single request.

Example:

# cat access_log | grep -i ".."

(This command displays the ".." requests that are so often used by attackers and worms.)

You will often see that many web applications use this character legitimately, which leads to false alarms in IDS logs. It pays to check your programs carefully, which can reduce the false alarms from the intrusion detection system. Here are some examples:

http://host/cgi-bin/lame.cgi?page=../../../../bin/ls|

This request asks for the ls command to be executed. Below are some variations.
http://host/cgi-bin/lame.cgi?page=../../../../bin/ls%20-al%20/etc|

This request lists all the files in the /etc directory on a unix system.

http://host/cgi-bin/lame.cgi?page=cat%20access_log|grep%20-i%20"lame"

This requests that the cat command be executed, and the grep command will be executed as well, searching for "lame".

(5) ";" requests

On a unix system this character allows multiple commands to be executed on one line.

Example:

# id; uname -a

(After the id command is executed, the uname command follows.) Some web programs use this character, which may cause false alarms in your IDS log. You should check your web application carefully to reduce the rate of false IDS alarms.

(6) "<" and ">" requests

These two characters should be checked for in your log records for many reasons. The first is that they are used to write data into files.

Example 1:

# echo "your hax0red h0 h0" > /etc/motd

(This request writes information into the motd file.) An attacker can just as easily tamper with your web page with a request like the one above. For example, the famous RDS exploit is often used by attackers to change the web home page.

Example 2:

http://www.bkjia.com/Something.php=Hi%20mom%20Im%20Bold!

You will notice the HTML markup in this request, which uses the characters "<" and ">". An attack like this does not give the attacker access to the system; it misleads people into thinking the content is legitimate information on the web site (so that they are sent to an address chosen by the attacker when they follow the link). Requests like this may be converted into hexadecimal-encoded characters, making the attack trace less obvious.

(7) "!" requests

This is the fingerprint of Server Side Include (SSI) attacks, which are commonly used in requests. If an attacker tricks users into clicking links they have set up, the attack is the same as the one above.
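As an added example that is not part of the original article, the following Python script does what the "cat access_log | grep" command above does, but for all seven fingerprints at once over constructed sample lines in Apache common log format. It URL-decodes each request first, so hex-obfuscated variants such as %2e%2e or %3C are caught as the text warns, and it reports which fingerprints matched so that the legitimate uses of "|" and ";" mentioned above can be reviewed instead of alarmed on blindly. The sample log lines, fingerprint names and function name are assumptions.

```python
import re
from urllib.parse import unquote

# Fingerprint name -> pattern applied to the URL-decoded request target.
FINGERPRINTS = {
    "traversal (..)": re.compile(r"\.\."),
    "null byte (%00)": re.compile("\x00"),
    "pipe (|)": re.compile(r"\|"),
    "separator (;)": re.compile(r";"),
    "html tags (< >)": re.compile(r"[<>]"),
    "ssi directive (<!--)": re.compile(r"<!--"),
    "space (%20)": re.compile(r" "),
}

# Common Log Format: the request is the quoted "METHOD target HTTP/x.y" field.
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2000:13:55:36 -0700] "GET /index.html HTTP/1.0" 200 2326
10.0.0.9 - - [10/Oct/2000:13:55:40 -0700] "GET /cgi-bin/lame.cgi?file=../../../../etc/motd HTTP/1.0" 200 512
10.0.0.9 - - [10/Oct/2000:13:55:44 -0700] "GET /cgi-bin/lame.cgi?page=../../../../etc/motd%00html HTTP/1.0" 200 512
10.0.0.9 - - [10/Oct/2000:13:55:50 -0700] "GET /cgi-bin/lame.cgi?page=%2e%2e/%2e%2e/bin/ls%20-al%20/etc| HTTP/1.0" 200 4096
10.0.0.7 - - [10/Oct/2000:13:56:02 -0700] "GET /search.php?q=%3Cb%3EHi%20mom%3C/b%3E HTTP/1.0" 200 1200
"""


def scan_log(text):
    """Return (line_no, decoded_request, [matched fingerprint names]) per hit."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        # Decode %XX first so %2e%2e, %7C and %3C are seen as .., | and <.
        decoded = unquote(m.group(1))
        matched = [n for n, pat in FINGERPRINTS.items() if pat.search(decoded)]
        if matched:
            hits.append((no, decoded, matched))
    return hits


if __name__ == "__main__":
    for no, req, names in scan_log(SAMPLE_LOG):
        print(f"line {no}: {req!r} -> {', '.join(names)}")
```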