Windows Server System log analysis and security

Source: Internet
Author: User

I. Using the Windows built-in firewall log to detect intrusions

The following is one firewall log record:

2005-01-13 00:35:04 open TCP 61.145.129.133 64.233.189.104 4959 80

2005-01-13 00:35:04: the date and time of the record.

open: the connection was opened; if this is close, the connection was closed.

TCP: the protocol used is TCP.

61.145.129.133: the local IP.

64.233.189.104: the remote IP.

4959: the local port.

80: the remote port. Note: if the port here is not 80, 21 or another common port, you should pay attention.

Each open record has a corresponding close record; comparing the two records gives the duration of the connection.

Note: to use this, you need to enable the "Log successful connections" option in the security logging settings of the Windows built-in firewall.
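The pairing described above, as an added example that is not part of the original article: it parses records in the layout just described (date, time, open/close, protocol, local IP, remote IP, local port, remote port), matches each open with its close to get the connection duration, and flags connections to remote ports outside an expected set. The log lines and the set of "common" ports are constructed for the example; the set should be tuned per server.

```python
# Added example, not part of the original article: pair open/close records
# from a Windows Firewall log and flag connections to unexpected remote ports.
from datetime import datetime

# Constructed sample log; the addresses and ports are illustrative only.
SAMPLE_FIREWALL_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port
2005-01-13 00:35:04 OPEN TCP 61.145.129.133 64.233.189.104 4959 80
2005-01-13 00:35:06 OPEN TCP 61.145.129.133 198.51.100.7 4960 6667
2005-01-13 00:35:09 CLOSE TCP 61.145.129.133 64.233.189.104 4959 80
2005-01-13 00:40:00 CLOSE TCP 61.145.129.133 198.51.100.7 4960 6667
2005-01-13 00:41:00 OPEN TCP 61.145.129.133 198.51.100.7 4961 443
"""

# Remote ports the article calls "common"; an assumption to tune per server.
EXPECTED_REMOTE_PORTS = {21, 25, 53, 80, 443}


def parse_firewall_log(text):
    """Return one dict per data line; header lines starting with '#' are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 8:
            continue  # truncated line: ignore rather than crash
        date, time, action, proto, src, dst, sport, dport = fields[:8]
        records.append({
            "ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
            "action": action.upper(),
            "proto": proto.upper(),
            "local_ip": src,
            "remote_ip": dst,
            "local_port": int(sport),
            "remote_port": int(dport),
        })
    return records


def pair_connections(records):
    """Match each OPEN with the next CLOSE of the same 5-tuple.

    Returns (sessions, still_open): sessions carry 'duration_s'; still_open
    lists OPEN records that never closed within the log.
    """
    pending = {}
    sessions = []
    for r in records:
        key = (r["proto"], r["local_ip"], r["remote_ip"], r["local_port"], r["remote_port"])
        if r["action"] == "OPEN":
            pending[key] = r
        elif r["action"] == "CLOSE" and key in pending:
            opened = pending.pop(key)
            sessions.append({**opened, "closed_at": r["ts"],
                             "duration_s": (r["ts"] - opened["ts"]).total_seconds()})
    return sessions, list(pending.values())


def unusual_remote_ports(sessions, expected=EXPECTED_REMOTE_PORTS):
    """Sessions whose remote port is not one the server is expected to talk to."""
    return [s for s in sessions if s["remote_port"] not in expected]


if __name__ == "__main__":
    sessions, still_open = pair_connections(parse_firewall_log(SAMPLE_FIREWALL_LOG))
    for s in unusual_remote_ports(sessions):
        print(f"{s['ts']} {s['proto']} {s['local_ip']}:{s['local_port']} -> "
              f"{s['remote_ip']}:{s['remote_port']} lasted {s['duration_s']:.0f}s")
    print(f"{len(still_open)} connection(s) still open at end of log")
```

On a real server, read the firewall log file instead of the embedded string; an OPEN with no matching CLOSE at the end of the log is reported separately because a long-lived outbound connection to an odd port is exactly what the text says deserves attention.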

II. Detecting intrusion attacks through IIS logs

1. Understanding IIS logs. IIS logs are stored by default in the System32\LogFiles directory, in W3C extended format. Below we learn the format from one log record:

2005-01-03 16:44:57 218.17.90.60 GET /default.aspx - 80 - 218.17.90.60 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322) 200 0 0

2005-01-03 16:44:57: the time of the record;

218.17.90.60: the IP address of the host;

GET: the method used to fetch the web page. /default.aspx: the name of the web page being browsed. If this is not the name of one of your own pages, someone may be probing your site with an injection attack. For example, text in the form "/msadc/..\..\..\/winnt/system32/cmd.exe /c+dir" appearing after the page you browsed indicates that an attacker tried to access your system directory.

- 80: the port of the server.

- 218.17.90.60: the IP address of the client. If one IP makes a large number of connections to the site at a particular time, or keeps returning at different times, you should pay attention.

Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322): version information for the user's browser and operating system.

200: a successful request; 304 indicates redirection. If this is 404, it is a client error: the web page was not found. If the server has no problem but there are still a large number of 404 errors, this also indicates that someone may be probing your site with an injection attack.

2. Method of checking IIS logs. Knowing the format of the IIS log, you can go looking for traces of attackers. But it is almost impossible to check every record by hand, so we can use the findstr command that Windows itself provides. The following example, which searches the log of January 1, 2005 for the string "cmd", illustrates its use. With the IIS log path set to d:\w3c, enter at the command prompt:

findstr "cmd" d:\w3c\ex050101.log

and press Enter. If the same IP appears many times in the results, you should pay attention! Below are some sensitive strings I wrote down, for reference only; you can customize your own sensitive strings according to your own system and web pages, and of course it is more convenient to build a batch file around them: cmd, ', \, .., ;, and, web.config, global.
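The findstr check above, automated as an added example that is not part of the original article: the script parses an IIS W3C extended log using its #Fields header, applies the sensitive strings listed above (as regular expressions, after URL-decoding the path and query), and runs the two frequency checks the text describes, requests per client IP and 404s per client IP. The log lines, the IIS 6 default field order and the client addresses are constructed for the example.

```python
# Added example, not part of the original article: sensitive-string and
# frequency checks over an IIS W3C extended log.
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample log (assumed IIS 6 default field order; client addresses
# are documentation ranges).  The traversal request mirrors the text's example.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2005-01-03 16:44:57 218.17.90.60 GET /default.aspx - 80 - 203.0.113.5 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2) 200 0 0
2005-01-03 16:45:01 218.17.90.60 GET /msadc/..%5c..%5c..%5c/winnt/system32/cmd.exe /c+dir 80 - 203.0.113.9 Mozilla/4.0 404 0 2
2005-01-03 16:45:02 218.17.90.60 GET /web.config - 80 - 203.0.113.9 Mozilla/4.0 404 0 2
2005-01-03 16:45:03 218.17.90.60 GET /admin/ - 80 - 203.0.113.9 Mozilla/4.0 404 0 2
2005-01-03 16:45:04 218.17.90.60 GET /login.aspx id=1' 80 - 203.0.113.9 Mozilla/4.0 500 0 0
2005-01-03 16:46:10 218.17.90.60 GET /about.aspx - 80 - 203.0.113.5 Mozilla/4.0 200 0 0
"""

# The article's sensitive strings as regular expressions, applied to the
# URL-decoded stem+query.  Tune them for your own site.
SENSITIVE_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"cmd", r"'", r"\\", r"\.\.", r";", r"\band\b", r"web\.config", r"global\.asa",
)]


def parse_iis_log(text):
    """Return a list of dicts keyed by the names in the #Fields header."""
    fields, entries = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if not line.strip() or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        entries.append(dict(zip(fields, values)))
    return entries


def sensitive_requests(entries):
    """Entries whose requested path or query matches a sensitive pattern."""
    hits = []
    for e in entries:
        query = "" if e.get("cs-uri-query", "-") == "-" else e["cs-uri-query"]
        target = unquote(e["cs-uri-stem"] + "?" + query)
        if any(p.search(target) for p in SENSITIVE_PATTERNS):
            hits.append(e)
    return hits


def requests_by_client(entries):
    """How often each client IP appears; a single IP dominating is worth a look."""
    return Counter(e["c-ip"] for e in entries)


def not_found_by_client(entries):
    """404 count per client IP: many 404s from one source suggests probing."""
    return Counter(e["c-ip"] for e in entries if e["sc-status"] == "404")


if __name__ == "__main__":
    entries = parse_iis_log(SAMPLE_IIS_LOG)
    for e in sensitive_requests(entries):
        print("suspicious:", e["c-ip"], e["cs-uri-stem"], e["cs-uri-query"], e["sc-status"])
    print("404s per client:", not_found_by_client(entries).most_common(3))
    print("requests per client:", requests_by_client(entries).most_common(3))
```

Decoding the URL once before matching catches the "%5c" form of a backslash that a plain findstr on the raw line would miss; matching on the decoded text is also why the patterns are kept simple.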

If you find findstr not intuitive or powerful enough, you can use the AutoScanIISLogFiles V1.4 tool. It has a graphical interface and can check multiple files at once: http://www.11k.net/Software/View-Software-1585.html

If the information in the IIS logs is not enough for you, you can make a hidden web page to which every visitor landing on the site is redirected, and add code to that page that collects the user's IP, operating system, computer name and other information and writes it into a database. Then, even if an attacker uses a dynamic IP, as long as he does not change his system you can still find him, even after the IIS logs have been deleted.

III. Checking the security log for successful intrusions

If you enable auditing of logon events, policy changes, account logon events and system events, for both success and failure, any successful intrusion will leave traces in the security log.

Recommended Practice:

1. It is recommended to check the security log at least once a day. Recommended key event IDs to check:

529: Logon failure: an attempt to log on with an unknown user name, or with a known user name and an incorrect password.

528: The user successfully logged on to the computer.

539: Logon failure: the account was locked out at the time of the logon attempt. This event indicates that a password attack was launched and failed, causing the account to be locked out.

682: The user reconnected to a disconnected Terminal Server session. (Terminal Services attack)

683: The user disconnected from a Terminal Server session without logging off. (Terminal Services attack)

624: A user account was created. 625: User account type changed. 626: User account enabled. 629: User account disabled. 630: User account deleted. The five events above may be an attacker trying to conceal his traces by disabling or deleting the account used to launch the attack.

577: The user attempted to perform a privileged system service operation.

578: Privileges were used on an already open handle to a protected object.

In the details of events 577 and 578, the privilege description may be one of the following:

SeTcbPrivilege: act as part of the operating system. This event can indicate that a user tried to elevate security permissions by acting as part of the operating system, for example when a user tries to add his or her own account to the Administrators group.

SeSystemtimePrivilege: change the system time. This event can indicate that a user attempted to change the system time.

SeRemoteShutdownPrivilege: force shutdown from a remote system.

SeLoadDriverPrivilege: load or unload a driver.

SeSecurityPrivilege: manage auditing and the security log. This event occurs when the event log is cleared or when privilege use is written to the security log.

SeShutdownPrivilege: shut down the system.

SeTakeOwnershipPrivilege: take ownership of a file or other object. This event can indicate that an attacker is attempting to bypass the current security settings by taking ownership of an object.

517: The audit log was cleared or modified. This event can indicate an attacker trying to cover his tracks by modifying or deleting log files.

612: The audit policy was changed. This event can indicate an attacker trying to cover his tracks by modifying the audit policy, for example to conceal the traces of deleted log files; he may first turn off auditing of system events.
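The daily check above, as an added example that is not part of the original article: a few triage rules over the event IDs just listed, run on a constructed tab-delimited export of the security log. The column layout (Type, Date, Time, Event, Account) and every account name and timestamp are assumptions made for this example; map your own export's columns accordingly.

```python
# Added example, not part of the original article: triage rules over the
# security event IDs discussed in the text, applied to a tab-delimited export.
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed export; columns are an assumption for this example.
SAMPLE_EXPORT = "\n".join([
    "Type\tDate\tTime\tEvent\tAccount",
    "Failure Audit\t2005-01-13\t02:10:01\t529\tsvc_backup",
    "Failure Audit\t2005-01-13\t02:10:20\t529\tsvc_backup",
    "Failure Audit\t2005-01-13\t02:10:45\t529\tsvc_backup",
    "Failure Audit\t2005-01-13\t02:11:10\t529\tsvc_backup",
    "Failure Audit\t2005-01-13\t02:12:30\t529\tsvc_backup",
    "Success Audit\t2005-01-13\t02:13:00\t528\tsvc_backup",
    "Failure Audit\t2005-01-13\t03:00:00\t539\tjsmith",
    "Success Audit\t2005-01-13\t03:30:00\t517\tadministrator",
    "Success Audit\t2005-01-13\t03:31:00\t624\thelpdesk2",
    "Success Audit\t2005-01-13\t03:32:00\t612\tadministrator",
    "Success Audit\t2005-01-13\t09:00:00\t528\tjsmith",
]) + "\n"

LIFECYCLE = {624: "account created", 625: "account type changed",
             626: "account enabled", 629: "account disabled", 630: "account deleted"}
TAMPERING = {517: "audit log cleared", 612: "audit policy changed"}


def parse_export(text):
    """Parse the tab-delimited export into dicts sorted by timestamp."""
    rows = []
    for row in csv.DictReader(io.StringIO(text), delimiter="\t"):
        rows.append({
            "ts": datetime.strptime(f"{row['Date']} {row['Time']}", "%Y-%m-%d %H:%M:%S"),
            "event": int(row["Event"]),
            "account": row["Account"],
        })
    rows.sort(key=lambda r: r["ts"])
    return rows


def triage(rows, fail_threshold=5, window=timedelta(minutes=10)):
    """Return findings grouped by rule name."""
    findings = defaultdict(list)
    failures = defaultdict(list)      # account -> timestamps of recent 529 events
    burst_seen = set()                # accounts already reported for guessing
    for r in rows:
        ev, acct, ts = r["event"], r["account"], r["ts"]
        if ev == 529:
            # keep only failures inside the sliding window, then add this one
            recent = [t for t in failures[acct] if ts - t <= window] + [ts]
            failures[acct] = recent
            if len(recent) >= fail_threshold and acct not in burst_seen:
                burst_seen.add(acct)
                findings["password_guessing"].append((acct, ts))
        elif ev == 528 and acct in burst_seen:
            # a success shortly after a burst of failures deserves immediate attention
            if failures[acct] and ts - failures[acct][-1] <= window:
                findings["guessing_then_success"].append((acct, ts))
        elif ev == 539:
            findings["lockout"].append((acct, ts))
        elif ev in TAMPERING:
            findings["log_tampering"].append((TAMPERING[ev], acct, ts))
        elif ev in LIFECYCLE:
            findings["account_lifecycle"].append((LIFECYCLE[ev], acct, ts))
    return dict(findings)


if __name__ == "__main__":
    for rule, items in triage(parse_export(SAMPLE_EXPORT)).items():
        print(rule)
        for item in items:
            print("   ", *item)
```

The threshold and window are the knobs: five failures in ten minutes is a starting point, and a 528 for the same account right after such a burst is the case the text's 529/528 pairing is meant to catch.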

2. Using a filter to view the important events: click the View menu in the Event Viewer window, click Filter, define your own filter options, and click OK.

3. Backing up the log after viewing it: click the Action menu in the Event Viewer window, click Export List, and choose the save path and file name. If the save type "Text File (Tab delimited)" is chosen, it is saved as a text file; if "Text File (Comma delimited)" is chosen, it is saved as an Excel file. Alternatively, you can choose to save the log file itself. If this is a hassle, you can also use Dumpel.exe from Microsoft's Resource Kit in a scheduled task to back up the system logs regularly.

4. Delete log files that have already been checked; the fewer log files there are, the easier it is to spot problems.

5. Use the System log and the Application log to look for suspicious content.

6. Using the EventCombMT tool. EventCombMT is a powerful multithreaded tool that can analyze the event logs of many servers at the same time, creating a separate thread of execution for each server included in the search criteria. With it you can:

define a single event ID or multiple event IDs to search for, or a range of event IDs, such as 528>id<540;

limit the search to a specific event log, for example only the security log;

limit the search to specific event types, for example success audits;

limit the search to a specific event source;

search for specific text within the event description;

define a time interval to scan backwards from the current date and time.

Note: to use this tool you need to install the Windows Server 2003 Resource Kit Tools. When the installation is complete, enter EventCombMT at the command prompt. Download: http://www.microsoft.com/downloads/details.aspx?FamilyID=9d467a69-57ff-4ae7-96ee-b18c4790cffd&displaylang=en

IV. Detecting intrusion attacks via ports

Ports are the attacker's favorite entry point, so we must get into the habit of checking them.

1. Using the netstat command. At the command prompt, netstat -ano shows the currently open ports and the PID of the program using each port; netstat -n shows the currently active connections. If these commands reveal an unknown open port, it is either a Trojan or a newly opened service. Handling method: open Task Manager, select Columns under the View menu, check PID, and click OK. Then, from the PID using the open port, find the program file name that uses the port in Task Manager and kill the process there. If Task Manager says the process cannot be killed, you can use the ntsd command in the following format: C:\>ntsd -c q -p PID. If the process using the PID is not a separate program file but svchost or lsass (many Trojans can now do this), you need a good deal of knowledge to find it out. From my experience there are several ways to deal with this:

Look for suspicious services hosted in svchost or lsass among the services: enter tasklist /svc at the command prompt to view the PIDs and the services associated with each process.

Use the process management function of Windows Optimization Master to find suspicious DLLs loaded in svchost or lsass.

Check for the newest files under System32: enter dir /od in the System32 path at the command prompt.

Use the HijackThis tool to isolate the names of programs started by the system and their DLL files: http://www.cl520.net/soft/3992.htm

If, once you have found a suspect DLL, you are not sure whether it is a virus file, search for it on Google.

2. Using the ActivePorts software. ActivePorts installs with a graphical interface; it displays all open ports and the currently active ports, associates each port with its process and program path, and lets you interrupt an active connection.

V. Monitoring suspicious programs via processes. If you find an abnormal process, kill it in time. If it cannot be killed in Task Manager, find the suspicious service, stop the service and then kill the process; of course, you can also use the ntsd command at the prompt. The format is: ntsd -c q -p PID

VI. Using Svcmon.exe (Service Monitoring Tool) to monitor installed services

This tool monitors state changes of services on a local or remote computer; when it finds a service starting or stopping, it notifies you by e-mail or through Exchange Server. To use this tool you need to install the Resource Kit. But after installing the Resource Kit downloaded from Microsoft's website, http://www.microsoft.com/downloads/details.aspx?FamilyID=9d467a69-57ff-4ae7-96ee-b18c4790cffd&displaylang=en, I did not find this tool; in fact there are many tools this Resource Kit does not include. Maybe this is a trimmed-down Resource Kit package. I later installed the Support Tools from the 2003 CD-ROM and did not find it there either. I used the 2000 Resource Kit installation CD, which works on 2003 after installation, but I found that the system became unstable, so it is best to find the 2003 Resource Kit installation CD. This tool consists of two parts. After you install the Resource Kit, Svcmon.exe is by default located in the C:\Program Files\Resource Kit folder; copy it to %SystemRoot%\System32, then enter smconfig at the command prompt to open the configuration wizard. It is a graphical interface; note that under Exchange recipients you enter the e-mail address of the user you want to alert. Follow the instructions for the rest. If you find an unhealthy service, you can remove it with Instsrv.exe from the Resource Kit, in the format: instsrv servicename remove

VII. Checking System32 system files. After installing the system, and again after installing new software, back up the System32 folder, then use the comp command periodically to compare the folder contents and find suspicious folders or files. The comp command is used in the following format at the command prompt: comp data1 data2 /L /C. data1 specifies the location and name of the first file to compare; data2 specifies the location and name of the second file to compare. /L displays line numbers for the differences. /C ignores the case of ASCII letters when comparing. Note: Microsoft's WinDiff tool can compare two files graphically.
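The backup-and-compare routine above, as an added example that is not part of the original article: instead of comparing two files with comp, it records a SHA-256 manifest of a whole folder (System32 after installation, say) and later reports which files were added, removed or changed. The demo() function builds a throwaway folder with constructed file names so the example runs anywhere; on a real server you would call build_manifest on the System32 path and keep the saved manifest somewhere the server cannot overwrite it.

```python
# Added example, not part of the original article: hash manifest of a folder
# tree, saved after installation and compared later to find changes.
import hashlib
import json
import os
import tempfile


def file_sha256(path, chunk=1 << 20):
    """SHA-256 of a file, read in chunks so large binaries do not load whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path relative to root to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = file_sha256(full)
    return manifest


def save_manifest(manifest, path):
    with open(path, "w", encoding="utf-8") as f:
        json.dump(manifest, f, indent=1, sort_keys=True)


def load_manifest(path):
    with open(path, "r", encoding="utf-8") as f:
        return json.load(f)


def compare_manifests(baseline, current):
    """Return which files appeared, disappeared or changed since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in set(baseline) & set(current)
                          if baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: snapshot, then simulate a dropped DLL, an edited file and a deletion."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)

        # constructed "installed" state; names are placeholders, not real binaries
        write("kernel32.dll", b"original kernel32")
        write("drivers/etc/hosts", b"127.0.0.1 localhost")
        write("notepad.exe", b"original notepad")
        baseline_path = os.path.join(root, "..", "baseline.json")
        save_manifest(build_manifest(root), baseline_path)

        # later: hosts edited, an unknown DLL dropped, a file removed
        write("drivers/etc/hosts", b"127.0.0.1 localhost\n198.51.100.7 update.example")
        write("msvcrt2.dll", b"unknown binary")
        os.remove(os.path.join(root, "notepad.exe"))

        result = compare_manifests(load_manifest(baseline_path), build_manifest(root))
        os.remove(baseline_path)
        return result


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Keeping the saved manifest off the server matters: the same attacker who drops a file into System32 could edit a baseline stored next to it.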

VIII. Using Drivers.exe to monitor installed drivers. Some attackers now add Trojans to drivers, and we can detect them with the drivers tool provided by Microsoft. On the computer where it is run, this tool displays all installed device drivers. Its output includes the driver's file name, the size of the driver on disk and the date the driver was linked. The link date identifies newly installed drivers; if no updated driver was recently installed, it may indicate that a driver has been replaced. Note: Drivers.exe is not included in the Windows Server 2003 Resource Kit Tools downloaded from Microsoft's website; I am using the one from 2000.

IX. Checking local users and groups. Not much needs to be said here, as we all know it. It is important to note that if you use the command line net user to view users, you will not see hidden users (user names ending in $), so it is best to use the snap-in to view all users.

X. Checking web page files, especially the dates of files that have a database attached. Some attackers now leave a back door in the web page code, so if a file's date changes, pay attention.

XI. Services, processes, ports

1. Services started by default after installing Windows Server 2003 Enterprise Edition, before IIS and SQL 2000 are installed: Automatic Updates, COM+ Event System, Computer Browser, Cryptographic Services, DHCP Client, Distributed File System, Distributed Link Tracking, Distributed Transaction Coordinator, DNS Client, Error Reporting, Event Log, Help and Support, IPSEC Services, Logical Disk Manager, Network Location Awareness, Plug and Play, Print Spooler, Remote Procedure Call, Remote Registry, Secondary Logon, Security Accounts Manager, Server, System Event Notification, Task Scheduler, TCP/IP NetBIOS Helper, Terminal Services, Windows Installer, Windows Management Instrumentation, Windows Time, Wireless Configuration, Workstation.

Services newly started after installing IIS: AddService, COM+ System Application, HTTP SSL, IIS Admin Service, Network Connections, Protected Storage, Shell Hardware Detection, World Wide Web Publishing Service.

Services newly added after installing SQL 2000: Microsoft Search, NT LM Security Support Provider, MSSQLServer.

2. Running processes: ctfmon (admin), wpabaln (admin), explorer (admin), wmiprvse, dfssvc, msdtc (NetworkService), spoolsv, lsass, conime (admin), services, svchost (7 instances, of which 2 run as LocalService and 1 as NetworkService), winlogon, csrss, smss, System, System Idle Process. Total: 22 processes. Where admin, NetworkService or LocalService is given, that is the user the process runs as; processes with no user name given run as the system user.

Processes newly added after installing IIS: wpabaln (admin), inetinfo.

Processes newly added after installing SQL: mssearch, sqlmangr, wowexec (admin), sqlservr.

3. Open ports: TCP 135, 445, 1025, 1026, 139; UDP 445, 500, 1027, 4500, 123.

Ports newly added after installing IIS: TCP 80, 8759. Note: 8759 is a port chosen automatically after the first installation, so it is different on every machine.

Ports newly added after installing SQL: TCP 1433; UDP 68, 1434.

If the firewall is enabled, the following ports are also opened: TCP 3001, 3002, 3003; UDP 3004, 3005.
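The port check of section IV (netstat -ano joined to tasklist /svc) against the baseline of this section, as an added example that is not part of the original article. The command output embedded below is constructed for the example; on a live server, feed the real output of the two commands to the same functions. The baseline set is taken from the port lists above, with the randomly chosen post-install port left out because it differs per machine.

```python
# Added example, not part of the original article: join netstat -ano with
# tasklist /svc on PID and report listening ports outside the section XI baseline.
import re

# Constructed netstat -ano output (documentation-range addresses).
NETSTAT_OUTPUT = """\

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1528
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       860
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING       1700
  TCP    0.0.0.0:6666           0.0.0.0:0              LISTENING       2212
  TCP    192.0.2.10:3389        198.51.100.7:50212     ESTABLISHED     1020
  UDP    0.0.0.0:445            *:*                                    4
  UDP    0.0.0.0:1434           *:*                                    1700
"""

# Constructed tasklist /svc output.
TASKLIST_OUTPUT = """\

Image Name                     PID Services
========================= ======== ============================================
System                           4 N/A
svchost.exe                    860 RpcSs
svchost.exe                   1020 TermService
inetinfo.exe                  1528 IISADMIN, W3SVC
sqlservr.exe                  1700 MSSQLSERVER
svchost.exe                   2212 N/A
"""

# Baseline from section XI: default ports plus those added by IIS and SQL.
BASELINE = {
    "TCP": {135, 445, 1025, 1026, 139, 80, 1433},
    "UDP": {445, 500, 1027, 4500, 123, 68, 1434},
}


def parse_netstat(text):
    """Return listening sockets as (proto, port, pid); TCP rows not LISTENING are skipped."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local = parts[0], parts[1]
        port = int(local.rsplit(":", 1)[1])
        pid = int(parts[-1])
        if proto == "TCP" and (len(parts) < 5 or parts[3] != "LISTENING"):
            continue  # UDP rows have no State column, so only TCP is filtered
        listeners.append((proto, port, pid))
    return listeners


def parse_tasklist(text):
    """Return {pid: (image name, [service names])} from tasklist /svc output."""
    procs = {}
    row = re.compile(r"^(\S.*?)\s+(\d+)\s+(.*)$")
    for line in text.splitlines():
        m = row.match(line.rstrip())
        if not m:
            continue  # header, separator and blank lines have no PID column
        image, pid, services = m.group(1), int(m.group(2)), m.group(3).strip()
        procs[pid] = (image, [] if services == "N/A" else [s.strip() for s in services.split(",")])
    return procs


def unexpected_listeners(listeners, procs, baseline=BASELINE):
    """Listening ports not in the baseline, each joined to its owning process."""
    out = []
    for proto, port, pid in listeners:
        if port not in baseline.get(proto, set()):
            image, services = procs.get(pid, ("<unknown>", []))
            out.append({"proto": proto, "port": port, "pid": pid,
                        "image": image, "services": services})
    return out


def serviceless_svchosts(procs):
    """svchost.exe instances hosting no service: the case the text says needs a closer look."""
    return [pid for pid, (image, services) in procs.items()
            if image.lower() == "svchost.exe" and not services]


if __name__ == "__main__":
    procs = parse_tasklist(TASKLIST_OUTPUT)
    for hit in unexpected_listeners(parse_netstat(NETSTAT_OUTPUT), procs):
        print(f"unexpected {hit['proto']} port {hit['port']} owned by PID {hit['pid']} "
              f"({hit['image']}, services: {hit['services'] or 'none'})")
    print("svchost.exe with no services:", serviceless_svchosts(procs))
```

A baseline should be captured on the server itself right after installation rather than copied from this list, since installed roles and patches change the set of listening ports.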

Original: http://os.51cto.com/art/201111/302961.htm
