Original download address: http://www.cnbct.org/iislog.doc
I have defaced plenty of sites, but I never thought about being traced, and never thought about cleaning up after myself. What I didn't expect was that my own BBS would get defaced after I had stopped hacking. My first judgment: the BBS runs LVBBS, written by a member of our BCT team, and it has no upload vulnerability and no SQL injection. Even if you got some permissions out of it, you couldn't turn that into a WebShell. If it isn't a flaw in the program, it has to be a security problem with the server. I used to deface sites all day for fun, and now somebody had done it to me. So I had to find the admin, but how could I bring up my own problem to the admin? I would have to find the cause myself.
So I had to play network admin. If you were the admin, how would you find the source of the problem? For a program problem you go to the Event Viewer; if it is an IIS problem, of course, the IIS log! The LogFiles folder under SYSTEM32 holds all the IIS logs, which record every access to the server. Because I am a virtual-host user, each user has its own separate IIS log directory. From those log files you can find the intruder who broke into the BBS.
So I downloaded all the logs for the relevant period and analyzed them, and found a lot I had no idea about! Hahaha, so this is how the intruders got into my BBS.
(Intrusion log 1)
From the first day's log you can see that intruders had been eyeing my BBS for a while, and not just one of them but quite a few. The first day's IIS log is full of junk left behind by tools scanning for the admin backend.
Looking at the log, intruder 61.145.***.*** used a tool to keep scanning for backend pages, apparently trying to get into the BBS admin area through a backend login vulnerability. Fortunately this intruder seemed to have no idea what they were doing, just blindly using a tool to look for the backend, and the intrusion had no effect.
(Intrusion log 2)
Looking at the next day's log, there were still some unusual user access records, and in the middle section I found IIS records of a tool looking for specific files.
From these records, intruder 61.141.***.*** also used a tool to scan for a specific upload page to determine whether the target existed, in order to then exploit an upload vulnerability. There was also scanning for the default database path and for some commonly used Trojan file names; it seems this intruder thought my BBS was a stable full of Trojans, though finding one by scanning for so many Trojan files would take a miracle. Reading on, I finally found it: intruder 61.141.***.*** first created a myth.txt file in the FORUM directory, and then, in the same directory, a Trojan named Akk.asp appeared.
Further down the log I could see every operation the intruder performed through the Akk.asp Trojan.
The detailed intrusion analysis is as follows:
GET /forum/akk.asp - 200
Generated the akk.asp back door using a WebShell on a neighbouring site on the same server
GET /forum/akk.asp d=ls.asp 200
Intruder logs into the back door
GET /forum/akk.asp d=ls.asp&path=/test&lypath=&attrib= 200
Enters the test folder
GET /forum/akk.asp d=E.ASP&path=/test/1.asp&atttrib= 200
Uses the back door to modify the 1.asp file in the test folder
GET /forum/akk.asp d=ls.asp 200
GET /forum/akk.asp d=ls.asp&path=/lan&oldpath=&attrib= 200
Enters the lan folder
GET /forum/akk.asp d=E.ASP&path=/lan/index.html&attrib= 200
Uses the edit command to modify the home page file in the lan folder
GET /forum/akk.asp d=ls.asp 200
GET /forum/akk.asp d=ls.asp&path=/forum&lypath=&attrib= 200
Enters the BBS folder (now actually inside the BBS directory)
POST /forum/akk.asp d=UP.ASP 200
GET /forum/akk.asp d=ls.asp&path=/forum&lypath=&attrib= 200
GET /forum/myth.txt - 200
Uploads the myth.txt file into the FORUM folder
GET /forum/akk.asp d=ls.asp&path=/forum&lypath=&attrib= 200
GET /forum/akk.asp d=e.asp&pat=/forum/myth.txt&op=DEL&Attrib= 200
POST /forum/akk.asp d=UP.ASP 200
GET /forum/myth.txt - 200
Uses the back door to modify the myth.txt file in the FORUM directory. After that the intruder goes back to the neighbouring site's WebShell, Ubb.asp, then uses the Akk.asp back door to modify the home page and back it up. Dizzying; I can't follow what the intruder was up to, switching from one WebShell to another. I really can't make sense of it.
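As an added example (not from the original article), the script below parses IIS W3C log lines and pulls out back-door activity of the kind listed above, keyed on the d= module parameter (ls.asp, E.ASP, UP.ASP) that the Akk.asp Trojan uses; the sample log lines, dates and IP addresses are constructed placeholders, and the parameter names mirror the log excerpt.

```python
from collections import defaultdict

# Constructed sample in IIS W3C extended format. The requests mirror the
# Akk.asp back-door activity described in the article; dates and IPs are
# placeholders (192.0.2.10 plays the intruder, 198.51.100.7 a normal user).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2005-01-01 10:01:02 198.51.100.7 GET /forum/index.asp - 200
2005-01-01 10:02:10 192.0.2.10 GET /forum/akk.asp - 200
2005-01-01 10:02:15 192.0.2.10 GET /forum/akk.asp d=ls.asp 200
2005-01-01 10:02:40 192.0.2.10 GET /forum/akk.asp d=ls.asp&path=/test&oldpath=&attrib= 200
2005-01-01 10:03:05 192.0.2.10 GET /forum/akk.asp d=E.ASP&path=/lan/index.html&attrib= 200
2005-01-01 10:04:00 192.0.2.10 POST /forum/akk.asp d=UP.ASP 200
2005-01-01 10:04:30 192.0.2.10 GET /forum/myth.txt - 200
2005-01-01 10:05:00 198.51.100.7 GET /forum/list.asp boardid=3 200
"""

# Module names the back door selects with its d= parameter, as seen in the log.
SHELL_MODULES = {"ls.asp": "list", "e.asp": "edit", "up.asp": "upload"}


def parse_w3c(text):
    """Yield one dict per request line, taking column names from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):
                yield dict(zip(fields, parts))


def find_webshell_activity(text):
    """Group back-door requests by client IP as (action, script, target path, status)."""
    hits = defaultdict(list)
    for rec in parse_w3c(text):
        query = rec.get("cs-uri-query", "-")
        if query == "-":
            continue
        params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
        action = SHELL_MODULES.get(params.get("d", "").lower())
        if action:
            hits[rec["c-ip"]].append((action, rec["cs-uri-stem"], params.get("path", ""), rec["sc-status"]))
    return dict(hits)


if __name__ == "__main__":
    for ip, events in find_webshell_activity(SAMPLE_LOG).items():
        print(f"{ip}: {len(events)} back-door requests")
        for action, script, path, status in events:
            print(f"  {action:<7} via {script} target={path or '-'} status={status}")
```

Because the parser reads the #Fields header, the same function works on a real log whose field list differs from the sample, as long as c-ip, cs-uri-stem, cs-uri-query and sc-status are logged.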
Log analysis summary:
The intruders first used tools to reconnoitre, identifying pages on the BBS that might be vulnerable. When testing showed the BBS itself could not be broken into, they turned to the server, using a dedicated tool or a targeted attack on a neighbouring website to obtain a first WebShell; once they had access to my folder, they broke into my BBS and modified the home page. Since all I have is the IIS log for my own space, I don't know which site was compromised through which page. Still, the picture is complete: the IP address of the intruder who broke into the BBS and the Trojan used (written by xiaolu) have been identified, and a large number of intrusion records were left behind. That completes the log-tracing process. From it we can see that if you don't pay attention to the records an intrusion leaves, your techniques and process are easy to discover, which adds one more danger for you. For everyone who doesn't want a visit from the police: remember to clean up your intrusion traces. This article is nothing advanced; it just wants both beginners and admins to know that intrusions and the way they were carried out can be found in the logs.