How to examine your system logs after an intrusion



After an intrusion into a UNIX system, determining the damage and the source address of the attacker is very important. Most intruders know how to use compromised machines as springboards for attacking your server, but the information gathering (probe scans) they perform before launching the actual attack often starts from their own workstations. The following describes how to determine the intruder's IP address from the logs on the compromised system.

1. messages

/var/adm is the UNIX log directory (on Linux it is /var/log). It contains many ASCII log files; the one to look at first is messages, the file intruders are generally most concerned with, because it records system-level information (copyright and hardware information, for example) as well as login events. The following is a failed-login record:

Apr 29 19:06:47 www login[28845]: FAILED LOGIN 1 FROM xxx.xxx.xxx.xxx, User not known to the underlying authentication module

And this is the record of a login session being opened:

Apr 29 22:05:45 game PAM_pwdb[29509]: (login) session opened for user ncx by (uid=0)

The first step should be to run kill -HUP `cat /var/run/syslogd.pid`; of course, the intruder may already have done this.
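As an added example (not part of the original article), the shell function below summarises the FAILED LOGIN records in a messages file by source address, giving the attempt count and the first and last timestamp per address. The sample log lines are constructed for the example; in practice the file argument would be /var/adm/messages or /var/log/messages.

```shell
#!/bin/sh
# Added example: summarise failed logins in a syslog "messages" file by
# source address. The sample lines below are constructed for this example.

failed_login_sample() {
    cat <<'EOF'
Apr 29 19:06:47 www login[28845]: FAILED LOGIN 1 FROM 10.0.0.5, User not known to the underlying authentication module
Apr 29 19:06:52 www login[28845]: FAILED LOGIN 2 FROM 10.0.0.5, Authentication failure
Apr 29 19:07:10 www login[28851]: FAILED LOGIN 1 FROM 192.0.2.7, User not known to the underlying authentication module
Apr 29 22:05:45 game PAM_pwdb[29509]: (login) session opened for user ncx by (uid=0)
Apr 29 22:06:01 www login[28860]: FAILED LOGIN 1 FROM 10.0.0.5, Authentication failure
EOF
}

# failed_logins_by_source FILE
# Prints one line per source address: "<count> <address> <first time> <last time>",
# sorted by count, highest first. FILE may be "-" to read standard input.
failed_logins_by_source() {
    awk '
        /FAILED LOGIN/ {
            # Field layout: Mon Day HH:MM:SS host prog: FAILED LOGIN n FROM addr, ...
            addr = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "FROM") { addr = $(i + 1); sub(/,$/, "", addr); break }
            }
            if (addr == "") next
            count[addr]++
            if (!(addr in first)) first[addr] = $1 " " $2 " " $3
            last[addr] = $1 " " $2 " " $3
        }
        END {
            for (a in count) printf "%d %s %s %s\n", count[a], a, first[a], last[a]
        }
    ' "$1" | sort -rn
}

# Usage on a real system: failed_logins_by_source /var/log/messages
# Run against the constructed sample:
failed_login_sample | failed_logins_by_source -
```

A burst of failures from one address in a short window is the signature of a password-guessing attempt; the first timestamp per address is what you correlate with the other logs described below.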

2. wtmp, utmp and FTP logs

In the /var/adm, /var/log and /etc directories you can find files named wtmp and utmp. These files record when each user logged in and from which remote host. Among hacker tools, the oldest and most popular is zap2 (the compiled binary is usually called z2, or wipe), which is used to "wipe" a user's login records out of these two files; but because intruders are lazy or the network is too slow, many of them never upload or compile it. Administrators can use the lastlog command to obtain the source address of the intruder's most recent connection (of course, this address may be one of their springboards). The FTP log is usually /var/log/xferlog; it records in detail the time of each upload, the source, the file name and so on, but because this log is so obvious, more sophisticated intruders rarely use FTP to transfer files and generally use rcp instead.

3. .sh_history

Having obtained root privileges, an intruder can create an account of their own; the more skilled ones instead take unused system accounts such as uucp or lp and set a password on them. After the intrusion, even if the intruder has removed the .sh_history or .bash_history file, running kill -HUP `cat /var/run/inetd.conf` can cause the bash command records still held in memory to be written back to disk. Then run find / -name .sh_history -print and carefully examine every suspicious shell command log. You can look in /usr/spool/lp (lp's home directory), /usr/lib/uucp and other directories for .sh_history files; in them you may find commands such as ftp xxx.xxx.xxx.xxx or rcp nobody@xxx.xxx.xxx.xxx:/tmp/backdoor /tmp/backdoor, which reveal the intruder's IP address or domain name.
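As an added example (not from the original article), the function below pulls the remote host out of every ftp, telnet, rcp and scp command in a shell history file, handling both the plain host form and the user@host:path form mentioned above. The history lines are constructed for the example; the addresses in them are documentation ranges, not real hosts.

```shell
#!/bin/sh
# Added example: list remote hosts named in file-transfer and remote-login
# commands found in a recovered .sh_history / .bash_history file.
# The sample history below is constructed for this example.

history_sample() {
    cat <<'EOF'
cd /tmp
ftp 192.0.2.7
rcp nobody@198.51.100.20:/tmp/backdoor /tmp/backdoor
ls -la
rcp /etc/passwd nobody@198.51.100.20:/tmp/p
EOF
}

# remote_hosts_in_history FILE
# Prints the remote host of each ftp/telnet/rcp/scp command, one per line,
# in the order the commands appear. FILE may be "-" for standard input.
remote_hosts_in_history() {
    awk '
        # ftp/telnet: the host is the first argument
        $1 == "ftp" || $1 == "telnet" { if (NF >= 2) print $2; next }
        # rcp/scp: the remote operand is the one containing a colon, [user@]host:path
        $1 == "rcp" || $1 == "scp" {
            for (i = 2; i <= NF; i++) {
                if ($i ~ /:/) {
                    host = $i
                    sub(/:.*$/, "", host)   # drop the path
                    sub(/^.*@/, "", host)   # drop the user name
                    print host
                }
            }
        }
    ' "$1"
}

# Usage on a real system: remote_hosts_in_history /usr/spool/lp/.sh_history
# Run against the constructed sample (use "| sort -u" for a unique list):
history_sample | remote_hosts_in_history -
```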

4. HTTP server logs

This is the most effective way to determine the real originating address of the attack. Taking the most popular server, Apache, as an example: in $(prefix)/logs/ you can find the file access.log, which records each visitor's IP address, the access time and the content requested. After an intrusion, you should be able to find records similar to the following in this file:

xxx.xxx.xxx.xxx [28/Apr/2000:00:29:05 -0800] "GET /cgi-bin/rguest.exe" 404
xxx.xxx.xxx.xxx [28/Apr/2000:00:28:57 -0800] "GET /msads/Samples/SELECTOR/showcode.asp" 404

This shows that the intruder at IP address xxx.xxx.xxx.xxx tried to access the file /msads/Samples/SELECTOR/showcode.asp at 00:28 on April 28, 2000; these are the traces a web CGI scanner leaves in the log. Most intruders run their web scanner from the server nearest to them. Combining the time of the attack with the IP address, we can learn a great deal about the intruder.
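As an added example (not from the original article), the function below finds the scanner traces just described in an Apache access log: it groups 404 responses by client address and reports any address that produced at least a given number of them, together with how many distinct paths it probed and the first and last request times, so that time and IP can be combined as the text suggests. The log lines are constructed in Common Log Format for the example.

```shell
#!/bin/sh
# Added example: find web-scanner traces (bursts of 404s from one address)
# in an Apache access log. The sample lines below are constructed.

access_log_sample() {
    cat <<'EOF'
203.0.113.9 - - [28/Apr/2000:00:28:57 -0800] "GET /msads/Samples/SELECTOR/showcode.asp HTTP/1.0" 404 -
203.0.113.9 - - [28/Apr/2000:00:29:05 -0800] "GET /cgi-bin/rguest.exe HTTP/1.0" 404 -
203.0.113.9 - - [28/Apr/2000:00:29:12 -0800] "GET /cgi-bin/rguest.exe HTTP/1.0" 404 -
198.51.100.20 - - [28/Apr/2000:01:10:00 -0800] "GET /index.html HTTP/1.0" 200 2048
198.51.100.20 - - [28/Apr/2000:01:10:03 -0800] "GET /missing.gif HTTP/1.0" 404 -
EOF
}

# scanner_suspects FILE [MIN_404S]
# Prints, for each client address with at least MIN_404S (default 2) 404 responses:
# "<ip> <n> 404s on <paths> paths between <first> and <last>". FILE may be "-".
scanner_suspects() {
    min=${2:-2}
    awk -v min="$min" '
        {
            ip = $1
            ts = substr($4, 2)                 # 4th field is [dd/Mon/yyyy:HH:MM:SS
            n = split($0, parts, "\"")         # parts[2] = request, parts[3] = " status size"
            if (n < 3) next
            split(parts[3], rest, " ")
            if (rest[1] != "404") next
            split(parts[2], req, " ")          # req[2] = requested path
            path = req[2]
            count[ip]++
            if (!(ip in first)) first[ip] = ts
            last[ip] = ts
            if (!((ip, path) in seen)) { seen[ip, path] = 1; paths[ip]++ }
        }
        END {
            for (ip in count)
                if (count[ip] >= min)
                    printf "%s %d 404s on %d paths between %s and %s\n",
                           ip, count[ip], paths[ip], first[ip], last[ip]
        }
    ' "$1" | sort
}

# Usage on a real system: scanner_suspects /usr/local/apache/logs/access.log 5
# Run against the constructed sample:
access_log_sample | scanner_suspects - 2
```

A legitimate visitor who hits one missing image is filtered out by the threshold; an address that requests several non-existent CGI paths within seconds is the scanner pattern the text describes, and its first timestamp usually precedes the intrusion itself.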

5. Core dump

A secure, stable daemon does not dump core during normal operation. When an intruder attacks it through a remote vulnerability, however, many services have already called getpeername on the connected socket, so the intruder's IP address is also preserved in memory and ends up in the core file.

6. Proxy server log

Proxy servers are a method medium and large enterprises commonly use as an interface for exchanging information between the inside and the outside of their network, and they faithfully record every user's access content, which of course includes the intruder's accesses. Taking the most common proxy, squid, as an example, you can usually find this huge log file at /usr/local/squid/logs/access.log. Squid log analysis scripts are available at http://www.squid-cache.org/Doc/Users-Guide/added/st.html. By analysing the access log for sensitive files, you can learn who visited confidential content and when.

7. Router logs

By default, routers do not record scans or keep logs, so intruders use them as springboards for their attacks. If your enterprise network is divided into a militarised zone and a demilitarised zone, adding logging on the router will help you track the intruder later. More importantly, such a setup lets the administrator determine whether the attacker is an insider or an outsider. Of course, you will need an additional server on which to place the router.log files.

Attention!

It is very unlikely that an intruder can complete the whole attack without ever establishing a TCP connection with the target machine, and for many subjective and objective reasons it is not at all difficult for an intruder to leave traces in the logs while carrying out an attack.

If we spend enough time and effort, a great deal of information about the intruder can be recovered from the logs. As for the intruder's psychology: the greater the privileges they have obtained on the target machine, the more conservative the methods they tend to use for connecting to it. Careful analysis of the early logs, especially the part that contains the scan, therefore yields the most.

Log auditing is only a passive means of defence after an intrusion. Taking the initiative, by improving your own knowledge and upgrading or patching the system in time, is the best-prepared and most effective way to prevent intrusion.