Find clues about hackers in web servers


Servers are prime targets for malware and intruders, and a successful attack can do a great deal of damage. If you want to know whether your server has been hacked, you can look for the traces the intruder leaves behind. How do you track them? That is what this article explains.

Network security is receiving more and more attention. When a secure network environment is built, the technical measures and management systems are strengthened step by step: firewalls are set up, intrusion detection systems are installed, and so on. Network security, however, is a comprehensive problem: neglecting any one point produces a "barrel effect", where the shortest stave decides how much the barrel holds, and the whole security system becomes useless. This article analyzes the log records of a web server to identify vulnerabilities and prevent attacks, thereby strengthening the web server's security.

Web services are the most abundant and richest services on the Internet, so web servers of every kind are naturally the most attacked. Many measures have been adopted to prevent attacks and intrusions; inspecting the web server's logs is the most direct, most commonly used and most effective of them. But the logs are very large and tedious to read, and if you cannot grasp the key points, the clues an attack leaves are easily overlooked. Below we take an attack on the two most popular web servers, Apache and IIS, find the clues of the attack among the many records, and then take appropriate measures to strengthen prevention.

1. The default web log

For IIS, logs are stored by default in c:\winnt\system32\logfiles\w3svc1, one file per day named after the date, in the standard W3C extended log format, which can be parsed by many log analysis tools. The default fields include the time, the visitor's IP address, the access method (GET, POST, ...), the requested resource, the HTTP status (as a number), and so on. For the HTTP status, 200-299 means the access succeeded; 300-399 means a further client response is required to satisfy the request; 400-499 and 500-599 indicate client and server errors respectively. Common examples: 404 means the resource was not found, and 403 means access is forbidden.

Apache's logs are stored by default in /usr/local/apache/logs. The most useful file is access_log, which records the client IP, the identity (usually empty), the username (if authentication is required), the access method (GET, POST, ...), the HTTP status, the number of bytes transferred, and so on.

2. Collecting information

We simulate the usual way a server is hacked: first collect information, then carry out the intrusion step by step with remote commands. The tool used is netcat 1.1 for Windows; the web server's IP is 10.22.1.100 and the client's IP is 10.22.1.80.

    C:\>nc -n 10.22.1.100 80
    HEAD / HTTP/1.0

    HTTP/1.1 200 OK
    Server: Microsoft-IIS/4.0
    Date: Sun, 08 Oct 2002 14:31:00 GMT
    Content-Type: text/html
    Set-Cookie: ASPSESSIONIDGQQQQQPA=IHOJAGJDECOLLGIBNKMCEEED; path=/
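As an added example (not code from the original article), the following Python parses both log formats described in section 1 and summarizes, per client, the two clues the session above would leave: a HEAD request used to fingerprint the server, and a run of 4xx errors from probing for resources. The log lines are constructed to mirror the session (10.22.1.80 probing the server); the trimmed #Fields list, the regular expression and the error threshold are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of an IIS W3C extended log (field list trimmed to what the article names).
IIS_LOG = """#Fields: time c-ip cs-method cs-uri-stem sc-status
14:31:00 10.22.1.80 HEAD / 200
14:31:05 10.22.1.80 GET /scripts/ 404
14:31:06 10.22.1.80 GET /msadc/ 403
14:32:10 10.22.1.50 GET /index.htm 200
"""

# Constructed sample of Apache access_log lines (common log format).
APACHE_LOG = """10.22.1.80 - - [08/Oct/2002:14:31:00 +0000] "HEAD / HTTP/1.0" 200 0
10.22.1.80 - - [08/Oct/2002:14:31:07 +0000] "GET /cgi-bin/ HTTP/1.0" 404 210
10.22.1.50 - alice [08/Oct/2002:14:32:10 +0000] "GET /index.html HTTP/1.0" 200 1043
"""

APACHE_RE = re.compile(r'^(\S+) (\S+) (\S+) \[([^\]]+)\] "(\S+) (\S+) ([^"]*)" (\d{3}) (\S+)$')

def parse_iis(text):
    """Yield (ip, method, uri, status) from a W3C extended log, driven by its #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names declared by the server
        elif line.strip() and not line.startswith("#"):
            rec = dict(zip(fields, line.split()))
            yield rec["c-ip"], rec["cs-method"], rec["cs-uri-stem"], int(rec["sc-status"])

def parse_apache(text):
    """Yield (ip, method, uri, status) from common/combined log format lines."""
    for line in text.splitlines():
        m = APACHE_RE.match(line)
        if m:
            yield m.group(1), m.group(5), m.group(6), int(m.group(8))

def summarize(records):
    """Per client IP: request total, 4xx responses, and HEAD probes (the recon step shown above)."""
    stats = defaultdict(Counter)
    for ip, method, _uri, status in records:
        stats[ip]["total"] += 1
        stats[ip]["client_errors"] += 400 <= status < 500  # bool counts as 0/1
        stats[ip]["head_probes"] += method == "HEAD"
    return stats

def suspicious_clients(stats, min_errors=2):
    """IPs that fingerprinted the server with HEAD or piled up 4xx errors while probing for resources."""
    return sorted(ip for ip, c in stats.items()
                  if c["head_probes"] > 0 or c["client_errors"] >= min_errors)
```

Feeding both samples through `summarize` and then `suspicious_clients` flags only 10.22.1.80 (2 HEAD probes, 3 client errors across 5 requests); the real #Fields header on an IIS server lists more columns, which the parser picks up automatically.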

Copyright © Windows knowledge All Rights Reserved