Doing server intrusion detection well

Source: Internet
Author: User


I believe everyone has suffered from viruses. The following was reproduced from my self-study programming network; I read it, found it good, and am sharing it specially with fellow webmasters.

Intrusion detection is not only a very important part of day-to-day server management, but also a skill that administrators must master. Below the author walks through, together with everyone, the many kinds of attack and how to recognise an intrusion on the server.

1. View server Status

Deploy a performance monitoring tool to monitor the server in real time; this should be part of a server's standard configuration. I recommend the server monitoring tool Netfox, with which you can set up monitoring items such as "Web/ping", "Ftp/mail", "Mail detection" and "Space detection". An alert is raised when a server performance exception occurs, prompting the administrator to handle it. In addition, when the server is not local, the administrator can set up mobile phone SMS reports, so that the server's running state can be followed remotely and appropriate measures taken as soon as an exception occurs. (Figure 1)


Figure 1

If your server does not have such a tool deployed, you can also use Task Manager. Under its Performance tab you can see the server's CPU, physical memory and virtual memory usage at a glance and judge whether anything is abnormal, such as unusually high CPU or memory consumption. Under its Networking tab you can view the current utilisation of the server's NIC in real time to judge whether there is unusual traffic.

2. Check the current process

Checking the current processes is a very important step of server intrusion detection, since it lets you see whether a suspicious program is running on the server. Although Windows Server 2003 has a process viewer (Task Manager), it is limited in function and powerless against malicious code that injects itself into normal system processes or hides processes through hooks or a rootkit. The author recommends a tool such as IceSword ("ice blade"), which helps administrators find hidden processes by showing a process's threads and the modules it has loaded. (Figure 2)


Figure 2

In general, administrators can review the server's processes entirely through Task Manager; the server's currently visible processes are listed under its Processes tab. To screen out a risky process, the administrator needs to be familiar with the system's own processes and those of the applications the server runs. For a process you are unsure about, or do not know which application on the server opened it, you can search for the process name on the Internet. For example, you can consult the "Process Knowledge Base" ( ), which provides a fairly detailed list of system processes, application processes and processes that carry security risks. Of course, attackers can change the process names of viruses and Trojans, and they often play tricks with the name to that end, usually choosing a name resembling a system process. The usual trick is to swap the letter O for the digit 0 or the letter l for the digit 1, as in Svch0st.exe or Exp1orer.exe, so look carefully. (Figure 3)


Figure 3

3. Check the SYSTEM account number

When an attacker breaks into a server, they often need to create a system account for later control, usually in the Administrators group. For example, entering the command "net user lw test168 /add & net localgroup administrators lw /add" (without quotes) creates an administrator user named lw with the password test168. To find such users, the administrator can either type "net user" at the command prompt (cmd.exe), or open Computer Management, expand Local Users and Groups and check whether an unknown account has been added to the Administrators group, which would indicate an intrusion.

Of course, a cunning intruder would not be that obvious; they hide their accounts in various ways. Their usual tricks come down to four kinds.

(1). Activate the server's Guest account and add it to the Administrators group. For this, the administrator must check whether the Guest user is in the Administrators group. If it is, the server has almost certainly been compromised.

(2). Create a hidden account. The intruder appends "$" to the account name, for example changing the command above to "net user lw$ test168 /add & net localgroup administrators lw$ /add", which creates a user lw$ that does not appear in the output of "net user" at the command prompt (cmd.exe) but can still be seen in Local Users and Groups.

(3). Clone an account. This should be the method intruders use most often: they clone an administrator account with very high concealment, so that it is invisible at the command prompt, in Local Users and Groups, and even under the "SAM" key in the registry. The administrator therefore needs a tool to check whether the system has a cloned account. I recommend MT.EXE. MT is classified as a Trojan by much anti-virus software and is the attackers' preferred tool for account cloning, but it can equally be used to check the system's current accounts for clones.

At the command prompt, change to the MT directory and enter the command "mt -chkuser". After the command runs, the results are printed on screen; the main values to look at are ExpectedSID and CheckedSID, and if the two differ for an account, that account has been cloned. In this example you can see that the CheckedSID of the account simeon$ is the same as the CheckedSID of Administrator, indicating that simeon$ is a clone of the Administrator account. (Figure 4)


Figure 4

(4). Rootkit account. An account created through a rootkit has all the hidden features of a cloned account and is extremely well concealed. To purge such a dangerous account, first remove the rootkit program from the system; only once it is removed will all hidden accounts become visible. I recommend the tool Rootkit Hook Analyzer, which can detect and analyse rootkit programs on the system and display them in red, after which the administrator can terminate them. (Figure 5)


Figure 5

4. View current Port Opening

Nowadays enterprise servers are generally dedicated: Web, FTP and SQL servers are separate machines. A single-purpose server like that should only open the port of its own application, so any strange connection or listening port should raise vigilance. A multi-purpose server has more open ports because of the services it hosts. To view the currently open ports the author recommends a specialised tool such as Activeport.

After running Activeport, the server's current port connections are shown at a glance. As administrator, pay special attention to the server's connections with the outside and check whether any unauthorised port is communicating with external hosts. If so, close the port immediately, note the program corresponding to the port, and move the program to another directory for later analysis. At this point you can use "ice blade" (IceSword) or another process management tool to inspect and end the process behind the suspicious connection, then go to the program's directory and remove it. (Figure 6)


Figure 6

Of course, Windows Server 2003 also has commands for viewing connections and ports. Enter "netstat -ano" at the command prompt to view the server's current network connections. If the server has many connections, you can filter for those in progress with the command "netstat -ano | find "ESTABLISHED"". In Figure 7 you can see a connection on port 3389; here you can enter the command "query user" at the command prompt to see who is connected to the server, and then kick the intruder off with the command "logoff 1" (1 being the remote user's session ID). Of course, you can also view this under the Users tab of Task Manager. (Figure 7)


Figure 7

In addition, the administrator can probe the server's port status and its security vulnerabilities, so as to at least defend against malicious users who rely solely on tools to attack. The author recommends the tool Xscan_gui, which is what attackers use to scan a server before attacking it. The administrator can use it to run a security check of the server: just enter the server's IP before scanning and tick the corresponding detection modules.
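As an added example (not from the original article), the following Python script applies the rule of this section to the text output of "netstat -ano": a dedicated server should listen only on its own application ports, and every established connection should be accounted for. The allowed port set, the trusted administrator subnet and the netstat sample are assumptions constructed for the example.

```python
"""Flag unexpected listeners and connections in 'netstat -ano' output."""
import re

# Ports this dedicated server is expected to serve (assumption: a web server
# that the administrator also reaches over Remote Desktop on 3389).
ALLOWED_LISTEN_PORTS = {80, 443, 3389}
# Peers in this range are the administrator's own workstations (assumption).
TRUSTED_PREFIXES = ("10.0.0.",)

# Constructed sample of 'netstat -ano' output, not captured from a real host.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1204
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       1204
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       952
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       1876
  TCP    192.168.1.10:80        203.0.113.5:51022      ESTABLISHED     1204
  TCP    192.168.1.10:3389      10.0.0.7:49712         ESTABLISHED     952
  TCP    192.168.1.10:1042      198.51.100.20:6667     ESTABLISHED     1876
  UDP    0.0.0.0:161            *:*                                    1100
"""

# proto, local addr, local port, foreign addr, foreign port, optional state, pid
LINE_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)\s+(?:(\w+)\s+)?(\d+)\s*$"
)

def parse_netstat(text):
    """Return one dict per connection line; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, laddr, lport, faddr, fport, state, pid = m.groups()
        rows.append({"proto": proto, "laddr": laddr, "lport": int(lport),
                     "faddr": faddr, "fport": fport,
                     "state": state or "", "pid": int(pid)})
    return rows

def suspicious_connections(rows):
    """Listeners outside the allow-list, and established connections that are
    neither inbound to an allowed port nor to a trusted peer (i.e. outbound
    to an unknown host, the pattern of a Trojan phoning home)."""
    findings = []
    for r in rows:
        if r["state"] == "LISTENING" and r["lport"] not in ALLOWED_LISTEN_PORTS:
            findings.append(("unexpected-listener", r["lport"], r["pid"]))
        elif r["state"] == "ESTABLISHED":
            inbound = r["lport"] in ALLOWED_LISTEN_PORTS
            trusted = r["faddr"].startswith(TRUSTED_PREFIXES)
            if not inbound and not trusted:
                findings.append(("unexpected-outbound", r["lport"], r["pid"]))
    return findings

if __name__ == "__main__":
    for finding in suspicious_connections(parse_netstat(SAMPLE_NETSTAT)):
        print(finding)   # the PID column is what you then look up in Task Manager
```

Both findings in the sample point at the same PID, which is the value to take to Task Manager or IceSword to locate the program, as the section describes.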

5. Check System Services

After attacking a server, the attacker will often upload the server side of a Trojan to gain remote control of the machine. The server side of such Trojans often runs as a service that starts with the system. Detecting it can be done with the system's "Services" tool.

Run services.msc, examine the services in the Started state, see whether a new unknown service has appeared and determine its purpose. For a service you are unclear about, open its properties and see which executable file it corresponds to; if you are sure the file is a normal system file, you can leave it be. Also check whether other legitimately running services depend on it; if so, it can roughly be spared. If you cannot determine whether the executable is a normal system file and no other legitimate running service depends on it, you can temporarily stop the service and test whether the various applications still work normally. Some backdoors use API hooking, so the service entries they add are not visible in the Services manager; for these you need to open the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services and judge from each service's name and the executable it points to whether it is a backdoor or Trojan program.

It should be noted that the server side of these Trojans can be configured before it is built, such as the process name it runs under, the directory it is released to and the description of the service, so the administrator must examine them carefully. (Figure 8)


Figure 8


6. View related log

A server has many kinds of logs; for intrusion detection the author considers the "Security" log, which records the details of each user's (local or remote) use of the system, to be the first to look at. In addition, logs such as those of DNS and IIS, which relate to the services running on the server, also deserve particular attention in intrusion detection.

Run eventvwr.msc and click "Security" to see the security-related log on the right. For example, the first entry shows that the user LW logged on to the system remotely at 2008-6-21 12:46:23 (Figure 9); if the administrator did not log on himself, or the system has no such user, you can conclude that the server was compromised. (Figure 9)


Figure 9

The log information on a server is usually very large, and analysing all of it is obviously impossible, so you can right-click the log, choose Properties and set a log filter under Filter according to your needs to screen out useless information. If you want to analyse whether the Web site has been compromised, open IIS Manager and navigate to its log file to view it. Web logs, however, are so voluminous that they need a specialised tool to analyse, such as "Web Log Explorer", which is a good tool for viewing visitors' IP addresses, what each IP accessed, which files were downloaded or modified, and so on. (Figure 10)


Figure 10

Because the log records the intruder's trail, cunning intruders tend to tamper with the logs after the intrusion to erase its traces. Common means are:

(1). Delete the log. This is the lowest-level approach: although the log is gone, the deletion itself exposes the intruder. If this happens, the administrator can conclude immediately, from the fact that the log was deleted, that the server was compromised.

(2). Partial deletion. More sophisticated intruders delete only their own portion of the log after the intrusion. For this, the administrator can implement log protection and monitoring; once traces of deletion are found in the log, the intrusion can be detected.

(3). Partial modification. This is the method used by some clever intruders, who modify their own entries in the log after the intrusion to deceive the administrator or shift the blame onto someone else. For this the administrator can adopt the same method as above, and must also do some analysis of the log.

Finally, from a security enthusiast's point of view, the author recommends that administrators must back up the server logs.
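Added example, not part of the original article: a Python script that scans a constructed CSV export of the Security log for remote logons by unknown accounts (the case shown in Figure 9) and for the traces of tampering described in (1) and (2) above, namely a cleared log and gaps in the record numbers. The known-account set and the export layout are assumptions made for the example.

```python
"""Analyse an exported Security log for unknown remote logons and tampering."""
import csv
import io

# Accounts that are allowed to log on to this server (assumption; compared
# case-insensitively, as Windows account names are).
KNOWN_ACCOUNTS = {"administrator", "backupop"}
# Windows Server 2003 Security-log event ids.
EVENT_LOGON_OK = 528        # successful logon
EVENT_LOG_CLEARED = 517     # the audit log was cleared
LOGON_TYPE_REMOTE_INTERACTIVE = 10   # Terminal Services / Remote Desktop

# Constructed export, not a real log: record number, date, time, event id,
# user, logon type and source address. Record 1003 is the LW logon of Figure 9;
# records 1004-1006 are missing; record 1008 is a log-cleared event.
SAMPLE_EXPORT = """\
record,date,time,event_id,user,logon_type,source
1001,2008-06-21,09:12:03,528,Administrator,2,-
1002,2008-06-21,09:40:17,528,backupop,10,10.0.0.7
1003,2008-06-21,12:46:23,528,lw,10,203.0.113.5
1007,2008-06-21,13:02:11,528,Administrator,10,10.0.0.7
1008,2008-06-21,13:05:45,517,Administrator,-,-
"""

def parse_export(text):
    """Turn the CSV export into a list of dicts in file order."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        lt = row["logon_type"]
        records.append({
            "record": int(row["record"]),
            "when": row["date"] + " " + row["time"],
            "event_id": int(row["event_id"]),
            "user": row["user"],
            "logon_type": int(lt) if lt.isdigit() else None,
            "source": row["source"],
        })
    return records

def unknown_remote_logons(records):
    """Successful remote logons by accounts the administrator does not know."""
    return [(r["when"], r["user"], r["source"]) for r in records
            if r["event_id"] == EVENT_LOGON_OK
            and r["logon_type"] == LOGON_TYPE_REMOTE_INTERACTIVE
            and r["user"].lower() not in KNOWN_ACCOUNTS]

def tampering_indicators(records):
    """Record numbers are assigned sequentially, so a jump between consecutive
    records suggests partial deletion; event 517 means the whole log was cleared."""
    findings = []
    for prev, cur in zip(records, records[1:]):
        if cur["record"] != prev["record"] + 1:
            findings.append(("gap", prev["record"], cur["record"]))
    findings += [("cleared", r["record"], r["when"]) for r in records
                 if r["event_id"] == EVENT_LOG_CLEARED]
    return findings

if __name__ == "__main__":
    recs = parse_export(SAMPLE_EXPORT)
    print(unknown_remote_logons(recs))
    print(tampering_indicators(recs))
```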

7. Check System files

After a successful intrusion, the attacker tampers with system files to hide and protect the intrusion tool (usually a Trojan client). The main means are replacing system files (EXE and DLL files) with files of the same name, or bundling the Trojan with system files.

For checking system files during server intrusion detection, the author recommends running "dir *.exe /s > 1.txt" right after the system is installed to save a list of all EXE files on the system disk. The same command can later generate a list of the system disk's current files, and the two files can then be compared with the FC command to detect suspicious files; the same method applies to DLL files. Note that the original list must be regenerated whenever a patch is applied or software is installed. Check whether the relevant system files have been replaced or whether a Trojan, backdoor or other malicious program has been installed on the system. (Figure 11)


Figure 11

For security checking of bundled system files, the author suggests that clean system files can be restored with the SFC command. If necessary, run an anti-virus program to scan the system disk once.
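Added example, not from the article: a Python version of the baseline-and-compare method above that goes one step further than "dir *.exe /s" and FC by recording a SHA-256 hash of every EXE and DLL, so a same-name replacement is detected even when the file list itself is unchanged. The directory layout and file names used to exercise it are constructed.

```python
"""Hash-based baseline of executables, with a compare step for later checks."""
import hashlib
import os

EXTENSIONS = (".exe", ".dll")

def build_baseline(root):
    """Map each EXE/DLL path (relative to root) to its SHA-256 digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(EXTENSIONS):
                continue
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            baseline[os.path.relpath(full, root)] = h.hexdigest()
    return baseline

def compare_baselines(old, new):
    """Return (added, removed, changed) relative paths. 'changed' lists files
    whose name survived but whose content did not: the same-name replacement
    the section warns about, which a plain directory listing would miss."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return added, removed, changed

def save_baseline(baseline, path):
    """Write 'digest  relative\\path' lines; regenerate after patching, as the
    section notes, or every patched file will show up as changed."""
    with open(path, "w") as fh:
        for rel in sorted(baseline):
            fh.write(baseline[rel] + "  " + rel + "\n")

def load_baseline(path):
    baseline = {}
    with open(path) as fh:
        for line in fh:
            digest, rel = line.rstrip("\n").split("  ", 1)
            baseline[rel] = digest
    return baseline

if __name__ == "__main__":
    import sys
    # usage: script.py <root> <baseline-file>; first run writes the baseline
    root, store = sys.argv[1], sys.argv[2]
    current = build_baseline(root)
    if os.path.exists(store):
        print(compare_baselines(load_baseline(store), current))
    save_baseline(current, store)
```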

8. Check to see if security policy changes

A server's security level is high, and its default security policy restricts many of the attacker's actions, so attackers often adjust the server's security policy during or after the intrusion to facilitate long-term control. Therefore security policy checking is also an important aspect of server intrusion detection.

Security policy checking mainly covers the following aspects:

(1). Protocol related: Open the properties of the Local Area Connection and check whether only the TCP/IP protocol is ticked, as is normal. A secure server does not need the other options, and they may be just what attackers need.

(2). TCP/IP filtering: Open the TCP/IP protocol settings, click Advanced → Options, check whether an IP policy is set under IP Security, and check whether the ports allowed by TCP/IP filtering have been changed.

(3). IP security policy: Open Administrative Tools → Local Security Policy and check whether the IP security policy currently in use has changed.

(4). Local policy: Under Local Security Policy, view Local Policies and check whether the policies under User Rights Assignment and Security Options have changed. For example, the policy "Local accounts with blank passwords may only log on at the console" is "Enabled" by default, and an attacker who needs remote logon may change it to "Disabled". (Figure 12)


Figure 12

9. Check directory Permissions

On servers, especially Web and FTP servers, administrators usually set disk and directory permissions strictly. These settings strengthen the server's security and limit what an attacker can do. Therefore, during or after an attack, attackers often adjust directory permissions to facilitate later use. For example, when an attacker obtains a Webshell on a Web site and needs to carry out further penetration and privilege escalation, gaining directory permissions is one of the means. So checking disk and directory permissions is an important aspect of server intrusion detection. (Figure 13)


Figure 13

(1). Disks and directories whose permissions need checking are: the system disk and other partitions, %windir%, %windir%\system32, %windir%\system32\inetsrv, %windir%\system32\inetsrvdata and "Documents and Settings"; on a virtual host, also the directory of each Web site.

(2). For FTP servers deployed with Serv, check whether the permissions of the Serv installation directory have changed.

(3). Check the permissions of some important system commands under System32, namely cmd, net, ftp, tftp, cacls, etc.

10. Check Startup Items

After taking control of the server, the attacker will often upload the server side of a Trojan; besides registering itself as a system service, this program may be added to the system's startup items so that it starts with the system. Therefore checking the startup items is also a key part of server intrusion detection.

There are three main methods for checking startup items:

(1). Msconfig tool. Run the tool, and under the Startup tab you can see the programs that start with the system; simply untick a suspicious program to stop it starting.

(2). Regedit (registry) tool. Run the tool and navigate to the following registry keys to check:




The above keys appear in the Startup entries of Msconfig.




The above keys are more covert:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

"Shell"="Explorer.exe,*.exe"

Here *.exe stands for the virus or Trojan executable. This method is very covert and is used by many current viruses.

(3). Special tools. There are many such tools; RegRunFirst, for example, is good. After running it, click a registry startup key in the list on the left to see the startup programs under that key.

In addition, "C:\Documents and Settings\Administrator\Start Menu\Programs\Startup" is also a rather dangerous place. For example, an attacker who obtains a Webshell on a Web server and has no permission to execute commands but has write permission to this directory can upload a Trojan program there, and after the server restarts the Trojan runs as well. (Figure 14)


Figure 14

Summary: Above we have covered server intrusion detection from 10 aspects. In practice there is no need to go through every one of them; I have simply tried to include all aspects of server intrusion detection. Without exception, server security follows the cask (bucket) principle: its security often depends on its weakest point, so those points should become the focus of intrusion detection.
