[Intrusion Detection] Tracking hackers through web server logs

xiaoxiao2021-03-06  48

(http://www.cnhacker.cn/asp/list.asp?id=1417)

Abstract: This article explains how to analyze web server logs to find the traces left by an attacker, with concrete examples for the two most popular web servers today.

Keywords: web server, IIS, Apache, logging

Network security receives more and more attention today. When building a secure network environment, organizations progressively strengthen technology and management systems, deploy firewalls, install intrusion detection systems, and so on. But security is a whole-system problem: overlook one point and you get the "wooden barrel" effect, where the shortest stave decides how much the barrel holds, so the entire security system is only as strong as its weakest link. This article shows how to find vulnerabilities and detect attacks from the web server's logs, in order to strengthen the security of the web server.

Web service is the most common and the richest service on the Internet, and web servers are naturally the most attacked. Many measures are used to defend against attack and intrusion; among them, reviewing the web server's logs is the most direct, the most common and a very effective method. But logs are very large and reading them is tedious; if you cannot focus on the right points, the traces of an attack are easily overlooked. Below we run attack experiments against the two most popular web servers, Apache and IIS, and then look for the attacker's "spider silk and horse tracks" (the small clues) in the many records, so that appropriate defensive measures can be taken.

1. Default web server logs

For IIS, the default log is stored under C:\Winnt\System32\LogFiles\W3SVC1, the file name is derived from the day's date, and the record format is the standard W3C extended log format, which can be parsed by various log analysis tools. The default fields include the time, the visitor's IP address, the access method (GET, POST, ...), the requested resource, the HTTP status (a number), and so on.

For the HTTP status we know that 200-299 means the request succeeded; 300-399 is a redirection, meaning the client must take further action (normally follow the new location) to complete the request; 400-499 indicates a client error and 500-599 a server error. Among these, 404 means the resource was not found and 403 means access to the resource is forbidden.

Apache's default log is stored under /usr/local/apache/logs, where the most useful file is access_log. Each entry includes the client IP, the remote identity (identd name, generally empty and shown as "-"), the username (if the request was authenticated), the date and time, the access method (GET, POST, ...), the HTTP status, the number of bytes transferred, and so on.

2. Collecting information

We simulate the usual pattern of an attack on a server: first collect information, then carry out the intrusion step by step, for example by executing commands remotely. The tool we use is Netcat 1.1 for Windows; the web server's IP is 10.22.1.100 and the client's IP is 10.22.1.80.

    C:\> nc -n 10.22.1.100 80
    HEAD / HTTP/1.0

    HTTP/1.1 200 OK
    Server: Microsoft-IIS/4.0
    Date: Sun, 08 Oct 2002 14:31:00 GMT
    Content-Type: text/html
    Set-Cookie: ASPSESSIONIDGQQQQQQPA=HOJAGJDECOLLGIBNKMCEEED; path=/
    Cache-control: private

This HEAD request is shown in the IIS and Apache logs as follows:

    IIS:    15:08:44 10.22.1.80 HEAD /Default.asp 200
    Apache: 10.22.1.80 - - [08/Oct/2002:15:56:39 -0700] "HEAD / HTTP/1.0" 200 0

The activity above looks normal and has no effect on the server, but it is the prelude to an attack: the Server header alone tells the attacker the exact server software and version, and a HEAD request for / is the cheapest way to obtain it. Note that the IIS entry records the default document (/Default.asp) that actually served the request for /, while Apache records the request line as it was sent.

3. Web site mirroring

Attackers often mirror a site to help them study and attack the server. Commonly used mirroring tools are wget on Unix and Teleport Pro on Windows. Below are the IIS log entries after using these two tools:

    16:28:52 10.22.1.80 GET /Default.asp 200
    16:28:52 10.22.1.80 GET /robots.txt 404
    16:28:52 10.22.1.80 GET /header_protecting_your_privacy.gif 200
    16:28:52 10.22.1.80 GET /header_fec_reqs.gif 200
    16:28:55 10.22.1.80 GET /photo_contribs_sidebar.jpg 200
    16:28:55 10.22.1.80 GET /g2klogo_white_bgd.gif 200
    16:28:55 10.22.1.80 GET /header_contribute_on_line.gif 200
    16:49:01 10.22.1.81 GET /Default.asp 200
    16:49:01 10.22.1.81 GET /robots.txt 404
    16:49:01 10.22.1.81 GET /header_contribute_on_line.gif 200
    16:49:01 10.22.1.81 GET /g2klogo_white_bgd.gif 200
    16:49:01 10.22.1.81 GET /photo_contribs_sidebar.jpg 200
    16:49:01 10.22.1.81 GET /header_fec_reqs.gif 200
    16:49:01 10.22.1.81 GET /header_protecting_your_privacy.gif 200

10.22.1.80 is a Unix client running wget and 10.22.1.81 is a Windows client running Teleport Pro. Both begin by requesting the robots.txt file: robots.txt lists the parts of the site that are not to be retrieved by mirroring tools and crawlers, and well-behaved tools fetch it before downloading anything else. So a request for robots.txt indicates a mirroring attempt. Of course, both wget and Teleport Pro can be configured to skip robots.txt; in that case the distinguishing feature is repeated requests for one resource after another from the same IP address within a few seconds.
4. Vulnerability scanning

As the attack progresses, the attacker can use web vulnerability scanning software such as whisker, which checks for a wide variety of known vulnerabilities, such as the security hazards caused by CGI programs.

Below are the IIS and Apache records of a whisker 1.4 run:

IIS:

    12:07:56 10.22.1.81 GET /siteserver/publishing/viewcode.asp 404
    12:07:56 10.22.1.81 GET /msadc/samples/adctest.asp 200
    12:07:56 10.22.1.81 GET /advworks/equipment/catalog_type.asp 404
    12:07:56 10.22.1.81 GET /iisadmpwd/aexp4b.htr 200
    12:07:56 10.22.1.81 HEAD /scripts/samples/details
    12:07:56 10.22.1.81 GET /scripts/samples/ctb.idc 200
    12:07:56 10.22.1.81 GET /scripts/samples/ctguestb.idc 200
    12:07:56 10.22.1.81 HEAD /scripts/tools/newdsn.exe 404
    12:07:56 10.22.1.81 HEAD /msadc/msadcs.dll 200
    12:07:56 10.22.1.81 GET /scripts/iisadmin/bdir.htr 200
    12:07:56 10.22.1.81 HEAD /carbo.dll 404
    12:07:56 10.22.1.81 HEAD /scripts/proxy/ 403
    12:07:56 10.22.1.81 HEAD /scripts/proxy/w3proxy.dll 500
    12:07:56 10.22.1.81 GET /scripts/proxy/w3proxy.dll 500

Apache:

    10.22.1.80 - - [08/Oct/2002:12:57:28 -0700] "GET /cfcache.map HTTP/1.0" 404 266
    10.22.1.80 - - [08/Oct/2002:12:57:28 -0700] "GET /cfide/administrator/startstop.html HTTP/1.0" 404 289
    10.22.1.80 - - [08/Oct/2002:12:57:28 -0700] "GET /cfappman/index.cfm HTTP/1.0" 404 273
    10.22.1.80 - - [08/Oct/2002:12:57:28 -0700] "GET /cgi-bin/ HTTP/1.0" 403 267
    10.22.1.80 - - [08/Oct/2002:12:57:29 -0700] "GET /cgi-bin/dbmlparser.exe HTTP/1.0" 404 277
    10.22.1.80 - - [08/Oct/2002:12:57:29 -0700] "HEAD /_vti_inf.html HTTP/1.0" 404 0
    10.22.1.80 - - [08/Oct/2002:12:57:29 -0700] "HEAD /_vti_pvt/ HTTP/1.0" 404 0
    10.22.1.80 - - [08/Oct/2002:12:57:29 -0700] "HEAD /cgi-bin/webdist.cgi HTTP/1.0" 404 0
    10.22.1.80 - - [08/Oct/2002:12:57:29 -0700] "HEAD /cgi-bin/handler HTTP/1.0" 404 0
    10.22.1.80 - - [08/Oct/2002:12:57:29 -0700] "

The signature of a scanner is plain in both logs: a dozen or more requests from one IP address within the same second or two, for sample scripts, administrative tools and vendor-specific paths that a normal visitor never asks for, most of them answered with 404, 403 or 500. The entries that were answered 200 (for example /msadc/msadcs.dll and /iisadmpwd/aexp4b.htr on the IIS host) deserve the most attention, because they tell the attacker which components are present.
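The log-reading heuristics from sections 3 and 4 (a request for robots.txt or a burst of resource fetches from one address; many requests from one address mostly answered 4xx/5xx) can be turned into a small script that works on both log formats described in section 1. The following is an added example and not code from the original article: it assumes the IIS log uses the default field order the article describes (time, client IP, method, URI, status), and the sample log lines are constructed, modelled on the entries shown above. The list of known probe paths is taken from the article's whisker output.

```python
"""Flag mirroring and scanning activity in IIS (W3C extended, default fields)
and Apache (common log format) access logs.

Added example, not the article's code. Assumes the IIS record order
time/client-IP/method/URI/status; the sample logs below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# IIS default record: time, client IP, method, URI, status.
IIS_RE = re.compile(r"^(\d\d:\d\d:\d\d) (\S+) ([A-Z]+) (\S+) (\d{3})$")
# Apache common log format: host ident authuser [date] "METHOD path proto" status bytes
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+)[^"]*" (\d{3}) \S+$')

# Paths seen in the article's whisker output; worth reporting even when answered 200.
KNOWN_PROBES = ("/msadc/", "/iisadmpwd/", "/scripts/proxy/", "/carbo.dll",
                "/_vti_", "/cfide/", "/cfcache.map", "/cfappman/")

# Constructed IIS log: 10.22.1.80 mirrors, 10.22.1.90 is an ordinary visitor,
# 10.22.1.81 runs a scanner.
IIS_LOG = """\
16:28:52 10.22.1.80 GET /Default.asp 200
16:28:52 10.22.1.80 GET /robots.txt 404
16:28:52 10.22.1.80 GET /header_protecting_your_privacy.gif 200
16:28:52 10.22.1.80 GET /header_fec_reqs.gif 200
16:28:55 10.22.1.80 GET /photo_contribs_sidebar.jpg 200
16:28:55 10.22.1.80 GET /g2klogo_white_bgd.gif 200
16:28:55 10.22.1.80 GET /header_contribute_on_line.gif 200
16:30:01 10.22.1.90 GET /Default.asp 200
16:31:10 10.22.1.90 GET /header_fec_reqs.gif 200
12:07:56 10.22.1.81 GET /siteserver/publishing/viewcode.asp 404
12:07:56 10.22.1.81 GET /msadc/samples/adctest.asp 200
12:07:56 10.22.1.81 GET /iisadmpwd/aexp4b.htr 200
12:07:56 10.22.1.81 HEAD /scripts/tools/newdsn.exe 404
12:07:56 10.22.1.81 HEAD /msadc/msadcs.dll 200
12:07:56 10.22.1.81 HEAD /carbo.dll 404
12:07:56 10.22.1.81 HEAD /scripts/proxy/ 403
12:07:56 10.22.1.81 HEAD /scripts/proxy/w3proxy.dll 500
"""

# Constructed Apache log: 10.22.1.80 runs a scanner.
APACHE_LOG = """\
10.22.1.80 - - [08/Oct/2002:12:57:28 -0700] "GET /cfcache.map HTTP/1.0" 404 266
10.22.1.80 - - [08/Oct/2002:12:57:28 -0700] "GET /cfide/administrator/startstop.html HTTP/1.0" 404 289
10.22.1.80 - - [08/Oct/2002:12:57:28 -0700] "GET /cfappman/index.cfm HTTP/1.0" 404 273
10.22.1.80 - - [08/Oct/2002:12:57:28 -0700] "GET /cgi-bin/ HTTP/1.0" 403 267
10.22.1.80 - - [08/Oct/2002:12:57:29 -0700] "HEAD /_vti_inf.html HTTP/1.0" 404 0
10.22.1.80 - - [08/Oct/2002:12:57:29 -0700] "HEAD /_vti_pvt/ HTTP/1.0" 404 0
"""


def parse_line(line):
    """Parse one IIS or Apache line into (seconds_of_day, ip, method, path, status)."""
    m = IIS_RE.match(line)
    if m:
        stamp, ip, method, path, status = m.groups()
        h, mi, s = (int(x) for x in stamp.split(":"))
        return (h * 3600 + mi * 60 + s, ip, method, path, int(status))
    m = CLF_RE.match(line)
    if m:
        ip, stamp, method, path, status = m.groups()
        t = datetime.strptime(stamp.split(" ")[0], "%d/%b/%Y:%H:%M:%S")
        return (t.hour * 3600 + t.minute * 60 + t.second, ip, method, path, int(status))
    return None  # malformed or unrecognised line


def parse_log(text):
    """Parse every recognisable line of a log, skipping malformed ones."""
    return [r for r in map(parse_line, text.splitlines()) if r]


def by_ip(records):
    groups = defaultdict(list)
    for r in records:
        groups[r[1]].append(r)
    return groups


def mirroring_suspects(records, window=5, min_burst=5):
    """Section 3: a request for /robots.txt, or >= min_burst distinct resources
    fetched successfully by one IP within `window` seconds."""
    suspects = {}
    for ip, recs in by_ip(records).items():
        reasons = []
        if any(r[3].lower() == "/robots.txt" for r in recs):
            reasons.append("requested /robots.txt")
        fetched = sorted((r[0], r[3]) for r in recs if 200 <= r[4] < 300)
        for i, (start, _) in enumerate(fetched):
            paths = {p for t, p in fetched[i:] if t - start <= window}
            if len(paths) >= min_burst:
                reasons.append(f"{len(paths)} distinct resources within {window}s")
                break
        if reasons:
            suspects[ip] = reasons
    return suspects


def scanner_suspects(records, min_errors=5, min_ratio=0.5):
    """Section 4: an IP whose requests are mostly answered 4xx/5xx; the known
    probe paths it touched are listed whether or not they existed."""
    suspects = {}
    for ip, recs in by_ip(records).items():
        errors = [r for r in recs if r[4] >= 400]
        if len(errors) >= min_errors and len(errors) / len(recs) >= min_ratio:
            probes = sorted({r[3] for r in recs if r[3].lower().startswith(KNOWN_PROBES)})
            suspects[ip] = {"requests": len(recs), "errors": len(errors), "known_probes": probes}
    return suspects


if __name__ == "__main__":
    for name, log in (("IIS", IIS_LOG), ("Apache", APACHE_LOG)):
        recs = parse_log(log)
        print(name, "mirroring:", mirroring_suspects(recs))
        print(name, "scanning:", scanner_suspects(recs))
```

The two heuristics deliberately look at different things: the mirroring check counts successful fetches (a mirror downloads real pages), while the scanner check counts failures (a scanner probes paths that mostly do not exist), so a single IP is not flagged twice for the same burst. The thresholds are starting points, not constants; tune them against a day of your own normal traffic before acting on the output.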

Please credit the original address when reprinting: https://www.9cbs.com/read-51827.html
