Network security receives a great deal of attention today. In building a secure network environment, the technical means and management systems have gradually been strengthened: firewalls are set up, intrusion detection systems are installed, and so on. Network security, however, is a comprehensive problem; neglecting any one point produces a "bucket effect" (the water level is set by the shortest stave) that turns the whole security system into a dummy. This article analyzes web server log records to identify vulnerabilities and prevent attacks, and so enhance web server security.
Web services are the largest and richest service the Internet provides, so web servers of every kind are naturally the most attacked. We use many measures to prevent attack and intrusion; among them, examining the web server logs is the most direct, the most common, and also one of the more effective approaches. But the logs are very large and reading them is tedious, and without a grip on the key points, the clues an attacker leaves are easily overlooked. Below we run attack experiments against the two most popular web servers, Apache and IIS, then look for the clues those attacks leave in the records and take appropriate measures to strengthen prevention.
1. Default web logs
For IIS, the log is stored by default in c:\winnt\system32\logfiles\w3svc1; the file name is the current date, and the record format is the standard W3C extended log format, which many log analysis tools can process. The default fields include the time, the visitor's IP address, the access method (GET, POST, ...), the requested resource, the HTTP status (a number), and so on. As for the HTTP status: 200-299 means the request succeeded; 300-399 means the client must take further action to satisfy the request; 400-499 and 500-599 indicate client errors and server errors respectively. Two common ones are 404, meaning the resource was not found, and 403, meaning access is forbidden.
Apache's logs are stored by default in /usr/local/apache/logs; the most useful file there is access_log, whose format includes the client IP, the identity field (usually empty), the username (when authentication is required), the access method (GET, POST, ...), the HTTP status, and the number of bytes transferred.
2. Information gathering
We simulate the usual way a hacker attacks a server: first gather information, then carry the intrusion forward step by step until a command can be executed remotely. The tool used is netcat 1.1 for Windows; the web server's IP is 10.22.1.100 and the client's IP is 10.22.1.80.
C:> nc -n 10.22.1.100 80
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Server: Microsoft-IIS/4.0
Date: Sun, 08 Oct 2002 14:31:00 GMT
Content-Type: text/html
Set-Cookie: ASPSESSIONIDGQQQQQPA=IHOJAGJDECOLLGIBNKMCEEED; path=/
Cache-control: private
The IIS and Apache logs record this request as follows:
IIS: 15:08:44 10.22.1.80 HEAD /Default.asp 200
Apache (Linux): 10.22.1.80 - - [08/Oct/2002:15:56:39 -0700] "HEAD / HTTP/1.0" 200 0
The activity above looks normal and has no effect on the server, but it is usually the prelude to an attack.
3. Web site mirroring
Hackers often mirror a site to help them attack the server. The tools used for mirroring are Teleport Pro on Windows and wget on Unix.
Next we run these two tools and look at what the server records:
16:28:52 10.22.1.80 GET /Default.asp 200
16:28:52 10.22.1.80 GET /robots.txt 404
16:28:52 10.22.1.80 GET /header_protecting_your_privacy.gif 200
16:28:52 10.22.1.80 GET /header_fec_reqs.gif 200
16:28:55 10.22.1.80 GET /photo_contribs_sidebar.jpg 200
16:28:55 10.22.1.80 GET /g2klogo_white_bgd.gif 200
16:28:55 10.22.1.80 GET /header_contribute_on_line.gif 200
16:49:01 10.22.1.81 GET /Default.asp 200
16:49:01 10.22.1.81 GET /robots.txt 404
16:49:01 10.22.1.81 GET /header_contribute_on_line.gif 200
16:49:01 10.22.1.81 GET /g2klogo_white_bgd.gif 200
16:49:01 10.22.1.81 GET /photo_contribs_sidebar.jpg 200
16:49:01 10.22.1.81 GET /header_fec_reqs.gif 200
16:49:01 10.22.1.81 GET /header_protecting_your_privacy.gif 200
10.22.1.80 is the Unix client running wget, and 10.22.1.81 is the Windows client running Teleport Pro. Both request the robots.txt file, which an ordinary browser does not request when it fetches a page and its images. So a request for robots.txt in the log indicates an attempt to mirror the site. Of course, both wget and Teleport Pro can be configured by hand not to fetch robots.txt; in that case the way to identify mirroring is to look for repeated resource requests coming from the same IP address.
4. Vulnerability scanning
As the attack develops, the attacker can use web vulnerability checking software such as Whisker, which checks for all kinds of known vulnerabilities, for example the security problems caused by CGI programs. Below are the records left by running Whisker 1.4 against IIS and Apache:
IIS
12:07:56 10.22.1.81 GET /SiteServer/Publishing/viewcode.asp 404
12:07:56 10.22.1.81 GET /msadc/samples/adctest.asp 200
12:07:56 10.22.1.81 GET /advworks/equipment/catalog_type.asp 404
12:07:56 10.22.1.81 GET /iisadmpwd/aexp4b.htr 200
12:07:56 10.22.1.81 HEAD /scripts/samples/details.idc 200
12:07:56 10.22.1.81 GET /scripts/samples/details.idc 200
12:07:56 10.22.1.81 HEAD /scripts/samples/ctguestb.idc 200
12:07:56 10.22.1.81 GET /scripts/samples/ctguestb.idc 200
12:07:56 10.22.1.81 HEAD /scripts/tools/newdsn.exe 404
12:07:56 10.22.1.81 HEAD /msadc/msadcs.dll 200
12:07:56 10.22.1.81 GET /scripts/iisadmin/bdir.htr 200
12:07:56 10.22.1.81 HEAD /carbo.dll 404
12:07:56 10.22.1.81 HEAD /scripts/proxy/ 403
12:07:56 10.22.1.81 HEAD /scripts/proxy/w3proxy.dll 500
12:07:56 10.22.1.81 GET /scripts/proxy/w3proxy.dll 500
Apache
10.22.1.80 - - [08/Oct/2002:12:57:28 -0700] "GET /cfcache.map HTTP/1.0" 404 266
10.22.1.80 - - [08/Oct/2002:12:57:28 -0700] "GET /cfide/Administrator/startstop.html HTTP/1.0" 404 289
10.22.1.80 - - [08/Oct/2002:12:57:28 -0700] "GET /cfappman/index.cfm HTTP/1.0" 404 273
10.22.1.80 - - [08/Oct/2002:12:57:28 -0700] "GET /cgi-bin/ HTTP/1.0" 403 267
10.22.1.80 - - [08/Oct/2002:12:57:29 -0700] "GET /cgi-bin/dbmlparser.exe HTTP/1.0" 404 277
10.22.1.80 - - [08/Oct/2002:12:57:29 -0700] "HEAD /_vti_inf.html HTTP/1.0" 404 0
10.22.1.80 - - [08/Oct/2002:12:57:29 -0700] "HEAD /_vti_pvt/ HTTP/1.0" 404 0
10.22.1.80 - - [08/Oct/2002:12:57:29 -0700] "HEAD /cgi-bin/webdist.cgi HTTP/1.0" 404 0
10.22.1.80 - - [08/Oct/2002:12:57:29 -0700] "HEAD /cgi-bin/handler HTTP/1.0" 404 0
10.22.1.80 - - [08/Oct/2002:12:57:29 -0700] "HEAD /cgi-bin/wrap HTTP/1.0" 404 0
10.22.1.80 - - [08/Oct/2002:12:57:29 -0700] "HEAD /cgi-bin/pfdisplay.cgi HTTP/1.0" 404
The key to spotting this kind of attack is to look for the same IP address requesting many files in the CGI directory (scripts on IIS, cgi-bin on Apache) and getting status 404. When that appears, we must check the security of the programs in the CGI directory.
5. Remote attack
Here we take the MDAC attack against IIS as an example to see how a remote attack is recorded in the log. The MDAC vulnerability allows an attacker to execute arbitrary commands on the web server.
17:48:49 10.22.1.80 GET /msadc/msadcs.dll 200
17:48:51 10.22.1.80 POST /msadc/msadcs.dll 200
When this attack occurs, the log retains the records of requests for msadcs.dll.
Another well-known attack is the ASP source code disclosure vulnerability; when it occurs, the log file contains a record like the following:
17:50:13 10.22.1.81 GET /default.asp+.htr 200
For unauthorized access attempts, the Apache log shows a record like:
[08/Oct/2002:18:58:29 -0700] "GET /private/ HTTP/1.0" 401 462
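The following is an added example, not code from the original article: a small Python parser for the two log formats described in section 1 (the IIS fields shown above and Apache access_log lines) that applies the clues from sections 3, 4 and 5 per client IP. The sample log lines are constructed for the example, and the threshold of three 404s under the CGI directory before reporting a scan is an assumption.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the two formats the article shows; not real logs.
IIS_LOG = """16:28:52 10.22.1.80 GET /Default.asp 200
16:28:52 10.22.1.80 GET /robots.txt 404
12:07:56 10.22.1.81 HEAD /scripts/tools/newdsn.exe 404
12:07:56 10.22.1.81 GET /scripts/samples/ctguestb.idc 404
12:07:56 10.22.1.81 HEAD /scripts/iisadmin/bdir.htr 404
12:07:56 10.22.1.81 HEAD /carbo.dll 404
17:48:51 10.22.1.80 POST /msadc/msadcs.dll 200
17:50:13 10.22.1.81 GET /default.asp+.htr 200"""
APACHE_LOG = """10.22.1.80 - - [08/Oct/2002:12:57:28 -0700] "GET /cgi-bin/ HTTP/1.0" 403 267
10.22.1.80 - - [08/Oct/2002:12:57:29 -0700] "GET /cgi-bin/dbmlparser.exe HTTP/1.0" 404 277
10.22.1.80 - - [08/Oct/2002:12:57:29 -0700] "HEAD /cgi-bin/webdist.cgi HTTP/1.0" 404 0
10.22.1.80 - - [08/Oct/2002:12:57:29 -0700] "HEAD /cgi-bin/handler HTTP/1.0" 404 0
10.22.1.80 - - [08/Oct/2002:18:58:29 -0700] "GET /private/ HTTP/1.0" 401 462"""

# IIS fields as shown in the article: time, client IP, method, resource, status.
IIS_RE = re.compile(r'^\S+ (\S+) (\S+) (\S+) (\d{3})$')
# Apache access_log: IP, identity, user, [time], "method path protocol", status, bytes.
APACHE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+$')

def parse(text, fmt):
    """Return a list of (ip, method, path, status) tuples; unparsable lines are skipped."""
    rx = IIS_RE if fmt == "iis" else APACHE_RE
    return [m.groups() for m in map(rx.match, text.splitlines()) if m]

def analyze(entries, cgi_dir, scan_threshold=3):
    """Apply the article's clues per client IP; returns {ip: [finding, ...]}."""
    findings = defaultdict(list)
    cgi_404 = Counter()
    for ip, method, path, status in entries:
        low = path.lower()
        if low == "/robots.txt":           # section 3: mirroring tools fetch robots.txt
            findings[ip].append("robots.txt requested: possible site mirroring")
        if low.startswith(cgi_dir) and status == "404":  # section 4: scanner probes
            cgi_404[ip] += 1
        if low == "/msadc/msadcs.dll":      # section 5: MDAC attack leaves msadcs.dll requests
            findings[ip].append(f"{method} /msadc/msadcs.dll: MDAC attack")
        if low.endswith("+.htr"):          # section 5: ASP source disclosure
            findings[ip].append("+.htr suffix: ASP source disclosure attempt")
        if status == "401":                # section 5: unauthorized access
            findings[ip].append(f"401 on {path}: unauthorized access attempt")
    for ip, n in cgi_404.items():          # assumed threshold: 3 or more 404s is a scan
        if n >= scan_threshold:
            findings[ip].append(f"{n} 404s under {cgi_dir}: vulnerability scan")
    return dict(findings)
```

Call analyze(parse(IIS_LOG, "iis"), "/scripts") or analyze(parse(APACHE_LOG, "apache"), "/cgi-bin") to get the findings keyed by client IP.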
6. Summary
A site's security depends on its security administrators having common sense and vigilance, and on learning from many sources not only about attacks that have already occurred but also about attacks that are yet to come, so that they can be prevented better. Understanding and preventing attacks through the log files is a very important but easily overlooked means of doing this.
An IDS (Intrusion Detection System) can help a great deal, but it cannot replace security management. Double-check the logs: what the IDS has missed, you may well find there.