Tracking the hacker through web server logs

Author: Unknown

Abstract: This article explains how to analyze web server log records to find clues to a hacker's attack, with specific examples for today's two most popular web servers.

Keywords: web server, IIS, Apache, log records

Today more and more attention is paid to network security. In building a secure network environment, technical measures and management systems are gradually strengthened: firewalls are set up, intrusion detection systems are installed, and so on. But network security is a whole-system problem; neglecting any single point produces a "barrel effect", where the shortest stave decides how much the whole security system holds. This article looks at finding vulnerabilities and preventing attacks through the web server's log records, in order to strengthen the security of the web server.

Web service is the most widespread and richest service on the Internet, so web servers are naturally the most attacked. We have adopted many measures to prevent attack and intrusion, among which checking the web server's records is the most direct, most common and quite effective one. But log records are very large, and reading them is tedious; if you cannot grasp the key points, the clues of an attack are easily overlooked. Below we attack the two most popular web servers, Apache and IIS, in an experiment, then look for the traces left in their records and take appropriate measures to strengthen prevention.

1. Default web logs

For IIS, the default log is stored in C:\WinNT\System32\LogFiles\W3SVC1, the file name is the date of the day, and the record format is the standard W3C extended log format, which can be parsed by various log analysis tools. The default fields include the time, the visitor's IP address, the access method (GET, POST, ...), the requested resource, the HTTP status (a number), and so on. For the HTTP status, 200-299 means the access succeeded; 300-399 means the client must take further action to complete the request (redirection); 400-499 and 500-599 indicate client and server errors respectively; of these, 404 means the resource was not found and 403 means access is forbidden.

Apache's default log is stored in /usr/local/apache/logs, where the most useful file is access_log. Each entry includes the client IP, the ident name (usually empty, shown as "-"), the username (if authentication was required), the access method (GET, POST, ...), the HTTP status, the number of bytes transferred, and so on.
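As an added example (not from the original article), the following Python parses the two default formats just described into one common record type. It assumes the IIS lines have the abbreviated five-field shape shown in this article (time, client IP, method, URI stem, status) and that Apache's access_log uses the Common Log Format; the sample lines inside it are constructed to match the excerpts in the article.

```python
"""Parse IIS (abbreviated W3C extended) and Apache (Common Log Format)
access-log lines into a common record.  Added example, not from the
original article; the IIS field order is the one the article shows."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Apache Common Log Format: host ident authuser [date] "request" status bytes
APACHE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)(?: (?P<proto>HTTP/\d\.\d))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

# IIS W3C extended format as shown in the article: time c-ip method uri status
IIS_RE = re.compile(
    r'^(?P<time>\d{2}:\d{2}:\d{2}) (?P<ip>\S+) (?P<method>[A-Za-z]+) '
    r'(?P<uri>\S+) (?P<status>\d{3})$'
)


@dataclass
class Record:
    source: str           # "iis" or "apache"
    time: str
    ip: str
    method: str           # normalised to upper case
    uri: str
    status: int
    size: Optional[int]   # bytes sent; the short IIS format does not record it


def parse_line(line: str) -> Optional[Record]:
    """Return a Record for an IIS or Apache line, or None for blank lines,
    W3C '#' directive lines and lines in neither format."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = IIS_RE.match(line)
    if m:
        return Record("iis", m["time"], m["ip"], m["method"].upper(),
                      m["uri"], int(m["status"]), None)
    m = APACHE_RE.match(line)
    if m:
        size = None if m["size"] == "-" else int(m["size"])
        return Record("apache", m["time"], m["ip"], m["method"],
                      m["uri"], int(m["status"]), size)
    return None


def status_class(status: int) -> str:
    """Map an HTTP status to the classes the article describes."""
    if 200 <= status <= 299:
        return "success"
    if 300 <= status <= 399:
        return "redirection"
    if 400 <= status <= 499:
        return "client error"
    if 500 <= status <= 599:
        return "server error"
    return "other"


def parse_log(text: str) -> List[Record]:
    """Parse every recognisable line of a log file's text."""
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r]


# Constructed sample lines in the two shapes the article shows.
SAMPLE = """\
#Fields: time c-ip cs-method cs-uri-stem sc-status
15:08:44 10.22.1.80 HEAD /Default.asp 200
16:28:52 10.22.1.80 GET /robots.txt 404
10.22.1.80 - - [08/Oct/2002:15:56:39 -0700] "HEAD / HTTP/1.0" 200 0
10.22.1.80 - - [08/Oct/2002:12:57:28 -0700] "GET /cgi-bin/ HTTP/1.0" 403 267
"""

if __name__ == "__main__":
    for rec in parse_log(SAMPLE):
        print(rec.source, rec.time, rec.ip, rec.method, rec.uri,
              rec.status, status_class(rec.status))
```

Real IIS logs carry a "#Fields:" directive naming the columns actually enabled; if the server logs more fields than the five shown here, the IIS regex should be built from that directive rather than hard-coded.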

2. Collecting information

We simulate the usual pattern of a hacker attacking a server: first collect information, then carry out the intrusion step by step with remote commands. The tool we use is Netcat 1.1 for Windows; the web server's IP is 10.22.1.100 and the client's IP is 10.22.1.80.

C:\> nc -n 10.22.1.100 80
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Server: Microsoft-IIS/4.0
Date: Sun, 08 Oct 2002 14:31:00 GMT
Content-Type: text/html
Set-Cookie: ASPSESSIONIDGQQQQQPA=HOJAGJDECOLLGIBNKMCEEED; path=/
Cache-Control: private

The corresponding entries in the IIS and Apache logs are shown below:

IIS: 15:08:44 10.22.1.80 HEAD /DEFAULT.ASP 200

Apache: 10.22.1.80 - - [08/Oct/2002:15:56:39 -0700] "HEAD / HTTP/1.0" 200 0

The above activity looks normal and has no effect on the server, but it is usually the prelude to an attack.

3. Website mirroring

Hackers often mirror a site to help them attack the server, usually with a mirroring tool: Teleport Pro under Windows or Wget under UNIX.

Let's look at what the server log records after these two tools have been used:

16:28:52 10.22.1.80 GET /Default.asp 200
16:28:52 10.22.1.80 GET /robots.txt 404
16:28:52 10.22.1.80 GET /header_protecting_your_privacy.gif 200
16:28:52 10.22.1.80 GET /header_fec_reqs.gif 200
16:28:55 10.22.1.80 GET /photo_contribs_sidebar.jpg 200
16:28:55 10.22.1.80 GET /g2klogo_white_bgd.gif 200
16:28:55 10.22.1.80 GET /header_contribute_on_line.gif 200
16:49:01 10.22.1.81 GET /Default.asp 200
16:49:01 10.22.1.81 GET /robots.txt 404
16:49:01 10.22.1.81 GET /header_contribute_on_line.gif 200
16:49:01 10.22.1.81 GET /g2klogo_white_bgd.gif 200
16:49:01 10.22.1.81 GET /photo_contribs_sidebar.jpg 200
16:49:01 10.22.1.81 GET /header_fec_reqs.gif 200
16:49:01 10.22.1.81 GET /header_protecting_your_privacy.gif 200

10.22.1.80 is a UNIX client using Wget and 10.22.1.81 is a Windows client using Teleport Pro. Both request the robots.txt file, which ordinary browsing never asks for; mirroring tools fetch it to learn which paths they are asked not to crawl. So a request for robots.txt indicates an attempt to mirror the site. Of course, both Wget and Teleport Pro can be configured to skip robots.txt; in that case the way to tell is to look for repeated resource requests from the same IP address in quick succession.

4. Vulnerability scanning

As the attack develops, the attacker may use web vulnerability checking software such as Whisker, which checks for a wide variety of vulnerabilities, for example security risks caused by CGI programs. Below are the IIS and Apache logs produced by running Whisker 1.4:

IIS:

12:07:56 10.22.1.81 GET /siteServer/publishing/viewcode.asp 404
12:07:56 10.22.1.81 GET /msadc/samples/adctest.asp 200
12:07:56 10.22.1.81 GET /advworks/equipment/catalog_type.asp 404
12:07:56 10.22.1.81 GET /iisadmpwd/aexp4b.htr 200
12:07:56 10.22.1.81 HEAD /scripts/samples/details.idc 200
12:07:56 10.22.1.81 GET /scripts/samples/details.idc 200
12:07:56 10.22.1.81 HEAD /scripts/samples/ctguestb.idc 200
12:07:56 10.22.1.81 GET /scripts/samples/ctguestb.idc 200
12:07:56 10.22.1.81 HEAD /scripts/tools/newdsn.exe 404
12:07:56 10.22.1.81 HEAD /msadc/msadcs.dll 200
12:07:56 10.22.1.81 GET /scripts/iisadmin/bdir.htr 200
12:07:56 10.22.1.81 HEAD /carbo.dll 404
12:07:56 10.22.1.81 HEAD /scripts/proxy/ 403
12:07:56 10.22.1.81 HEAD /scripts/proxy/w3proxy.dll 500
12:07:56 10.22.1.81 GET /scripts/proxy/w3proxy.dll 500

Apache:

10.22.1.80 - - [08/Oct/2002:12:57:28 -0700] "GET /cfcache.map HTTP/1.0" 404 266
10.22.1.80 - - [08/Oct/2002:12:57:28 -0700] "GET /cfide/administrator/startstop.html HTTP/1.0" 404 289
10.22.1.80 - - [08/Oct/2002:12:57:28 -0700] "GET /cfappman/index.cfm HTTP/1.0" 404 273
10.22.1.80 - - [08/Oct/2002:12:57:28 -0700] "GET /cgi-bin/ HTTP/1.0" 403 267
10.22.1.80 - - [08/Oct/2002:12:57:29 -0700] "GET /cgi-bin/dbmlparser.exe HTTP/1.0" 404 277
10.22.1.80 - - [08/Oct/2002:12:57:29 -0700] "HEAD /_vti_inf.html HTTP/1.0" 404 0
10.22.1.80 - - [08/Oct/2002:12:57:29 -0700] "HEAD /_vti_pvt/ HTTP/1.0" 404 0
10.22.1.80 - - [08/Oct/2002:12:57:29 -0700] "HEAD /cgi-bin/webdist.cgi HTTP/1.0" 404 0
10.22.1.80 - - [08/Oct/2002:12:57:29 -0700] "HEAD /cgi-bin/handler HTTP/1.0" 404 0
10.22.1.80 - - [08/Oct/2002:12:57:29 -0700] "HEAD /cgi-bin/wrap HTTP/1.0" 404 0
10.22.1.80 - - [08/Oct/2002:12:57:29 -0700] "HEAD /cgi-bin/PFDisplay.cgi HTTP/1.0" 404

The key to detecting this kind of attack is to look for the same IP address producing many 404 responses for files under the CGI directory (/scripts on IIS, /cgi-bin on Apache). When you see this, review the security of the programs in the corresponding CGI directory.

5. Remote attacks

Below we take the MDAC attack against IIS as an example to see what a remote attack leaves in the log. The MDAC vulnerability allows an attacker to execute arbitrary commands on the web server.

17:48:49 10.22.1.80 GET /msadc/msadcs.dll 200
17:48:51 10.22.1.80 POST /msadc/msadcs.dll 200

When this attack occurs, it leaves requests for msadcs.dll behind in the log.

Another well-known attack exploits the ASP source code disclosure vulnerability. When it occurs, the log file contains a record like the following:

17:50:13 10.22.1.81 GET /default.asp+.htr 200

The Apache log shows (here, an attempt to reach a protected directory that was refused with status 401):

[08/Oct/2002:18:58:29 -0700] "GET /private/ HTTP/1.0" 401 462
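Sections 3, 4 and 5 each describe one pattern to look for: robots.txt requests or a burst of requests from one IP (mirroring), many 404s under the CGI directory from one IP (vulnerability scanning), and requests for msadcs.dll or .htr (the two attacks just shown). The following Python, an added example that is not from the original article, implements those three rules over a constructed set of records shaped like the excerpts above. The thresholds (a 5-second window, 4 requests, 3 CGI misses) and the record layout are my own assumptions; tune them to the site's normal traffic.

```python
"""Detection rules for the three traces the article describes.
Added example, not from the original article.  Records are
(seconds_since_midnight, ip, method, uri, status) tuples; the sample
set is constructed to resemble the article's log excerpts."""
from collections import defaultdict

# Constructed sample records (seconds since midnight, ip, method, uri, status).
SAMPLE = [
    (59332, "10.22.1.80", "GET", "/Default.asp", 200),
    (59332, "10.22.1.80", "GET", "/robots.txt", 404),
    (59332, "10.22.1.80", "GET", "/header_fec_reqs.gif", 200),
    (59335, "10.22.1.80", "GET", "/photo_contribs_sidebar.jpg", 200),
    (59335, "10.22.1.80", "GET", "/g2klogo_white_bgd.gif", 200),
    (43676, "10.22.1.81", "GET", "/siteServer/publishing/viewcode.asp", 404),
    (43676, "10.22.1.81", "GET", "/advworks/equipment/catalog_type.asp", 404),
    (43676, "10.22.1.81", "HEAD", "/scripts/tools/newdsn.exe", 404),
    (43676, "10.22.1.81", "HEAD", "/scripts/proxy/", 403),
    (43676, "10.22.1.81", "GET", "/cgi-bin/dbmlparser.exe", 404),
    (43676, "10.22.1.81", "HEAD", "/cgi-bin/webdist.cgi", 404),
    (43676, "10.22.1.81", "HEAD", "/cgi-bin/handler", 404),
    (64129, "10.22.1.82", "GET", "/msadc/msadcs.dll", 200),
    (64131, "10.22.1.82", "POST", "/msadc/msadcs.dll", 200),
    (64213, "10.22.1.83", "GET", "/default.asp+.htr", 200),
    (50000, "10.22.1.90", "GET", "/Default.asp", 200),   # ordinary visitor
]

CGI_DIRS = ("/scripts/", "/cgi-bin/")   # IIS and Apache CGI directories
# Signatures of the two attacks the article shows; a hit is worth examining
# whatever the status code, since the MDAC requests returned 200.
SIGNATURES = ("/msadc/msadcs.dll", ".htr")


def mirroring_suspects(records, window=5, burst=4):
    """IPs that fetched robots.txt, or issued `burst` or more requests within
    `window` seconds (the fallback for tools told to skip robots.txt).
    Returns {ip: reason}."""
    by_ip = defaultdict(list)
    for t, ip, _method, uri, _status in records:
        by_ip[ip].append((t, uri))
    flagged = {}
    for ip, reqs in by_ip.items():
        if any(uri.lower() == "/robots.txt" for _, uri in reqs):
            flagged[ip] = "robots.txt requested"
            continue
        times = sorted(t for t, _ in reqs)
        # Sliding window: any `burst` consecutive requests inside `window` s.
        for i in range(len(times) - burst + 1):
            if times[i + burst - 1] - times[i] <= window:
                flagged[ip] = f"{burst}+ requests within {window}s"
                break
    return flagged


def cgi_scan_suspects(records, threshold=3):
    """IPs with `threshold` or more 404s for paths under a CGI directory.
    Returns {ip: miss_count}."""
    misses = defaultdict(int)
    for _t, ip, _method, uri, status in records:
        if status == 404 and uri.lower().startswith(CGI_DIRS):
            misses[ip] += 1
    return {ip: n for ip, n in misses.items() if n >= threshold}


def signature_hits(records):
    """(ip, method, uri) for every request matching a known attack signature."""
    return [(ip, method, uri) for _t, ip, method, uri, _status in records
            if any(sig in uri.lower() for sig in SIGNATURES)]


if __name__ == "__main__":
    print("mirroring:", mirroring_suspects(SAMPLE))
    print("cgi scan:", cgi_scan_suspects(SAMPLE))
    print("signatures:", signature_hits(SAMPLE))
```

A scanner naturally trips the burst rule as well as the CGI-404 rule, so the two findings for the same IP should be read together; the signature rule is the only one that fires on a single request, which is why the article stresses looking for those specific file names even when the status is 200.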

6. Summary

Managing a secure site requires common sense and vigilance from the system administrator, who should gather security knowledge through different channels, not only to handle attacks when they happen but also to be better prepared for the attacks that are still to come. Preventing attacks by means of log files is important, but it is often easily overlooked.

An IDS (intrusion detection system) can help you, but it cannot completely replace security management. Check the logs carefully: what the IDS has missed may be found there.

Please cite the original address when reposting: https://www.9cbs.com/read-72263.html