IIS & Apache attack log analysis - vulnerability warning - the black bar safety net

2005-11-27T00:00:00
ID MYHACK58:6220054887
Type myhack58
Reporter Anonymous
Modified 2005-11-27T00:00:00

Description

Source: Hacker Defense

The darkest moment for any network is the helplessness that follows an attack on a server. Yet a server that has been attacked keeps a detailed record of what happened: its log files preserve the traces of the intruder's activity. This article introduces the most important log files of the two most common web servers and examines what an attacker leaves behind in them. The two servers are Apache and Microsoft Internet Information Server (IIS); both exist in a plain-HTTP form and an SSL-enabled form. The tests below send request patterns similar to those of real attacks against a test server and then analyse the resulting log entries; readers with a suitable machine can reproduce them.

IIS writes its logs by default to C:\winnt\system32\logfiles\w3svc1, one new file per day, named by date (yymmdd.log, prefixed with ex when the W3C extended format is used). The default format is the W3C Extended Log File Format, which many log-analysis tools can read. In the default configuration each entry records the time, the client IP address, the method (GET, POST, etc.), the URI stem of the requested resource and the numeric HTTP status code. Most of these fields are self-explanatory; only the HTTP status codes need a little background.

Status codes in brief: codes in the 200-299 range indicate success, and the common 200 means the request was fulfilled. 300-399 means the client must take further action (typically follow a redirect) before the request can be fulfilled. 400-499 indicates an error on the client side and 500-599 an error on the server side. The two codes you will see most often are 404, meaning the requested resource does not exist on the server, and 403, meaning the server refused to serve the requested resource.

Apache stores its log files by default in /usr/local/apache/logs. The most valuable of them is access_log, but ssl_request_log and ssl_engine_log also provide useful information. Each access_log entry has seven fields: the client IP address, an identity field (normally "-"), the authenticated user name, the date and time, the request line (the method such as GET or POST, the requested resource and the protocol version), the HTTP status code, and the number of bytes transferred.

Conventional reconnaissance. The web server's version is vital information, and an attacker usually starts by asking the server for it: sending the string "HEAD / HTTP/1.0" to the server's port with the common Netcat utility (http://www.l0pht.com/~weld/netcat/) or, for an SSL server, with the OpenSSL binary (http://www.openssl.org/) is enough to make the server report its version. Look at the following demonstration:

C:\>nc -n 10.0.2.55 80
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Server: Microsoft-IIS/4.0
Date: Sun, 08 Mar 2004 14:31:00 GMT
Content-Type: text/html
Set-Cookie: ASPSESSIONIDGQQQQQPA=IHOJAGJDECOLLGIBNKMCEEED; path=/
Cache-control: private

A request of this kind produces the following entries in the IIS and Apache log files respectively:

IIS:    15:08:44 11.1.2.80 HEAD /Default.asp 200
Apache: 11.1.2.80 - - [08/Mar/2004:15:56:39 -0700] "HEAD / HTTP/1.0" 200 0
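The banner grab above, done from a script instead of by hand: this is an added example, not code from the original article. It sends the same bare "HEAD / HTTP/1.0" request with Python's socket module, optionally wrapping the connection in TLS the way the OpenSSL client does for an SSL server, and pulls the Server header out of the reply. SAMPLE_REPLY is a constructed copy of the IIS 4.0 response shown in the demonstration, so the parsing can be exercised offline; host names, ports and the function names are the example's own.

```python
"""Banner grab with HEAD / HTTP/1.0, over plain TCP or SSL/TLS.

Added example (not the article's own code). It does with Python's socket
and ssl modules what the article does by hand with Netcat and the OpenSSL
client: send the bare request and read the Server header from the reply.
SAMPLE_REPLY is a constructed copy of the IIS 4.0 response quoted above.
"""
import socket
import ssl

REQUEST = b"HEAD / HTTP/1.0\r\n\r\n"   # the exact string the article sends

# Constructed: the reply shown in the article, as the bytes on the wire.
SAMPLE_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-IIS/4.0\r\n"
    b"Date: Sun, 08 Mar 2004 14:31:00 GMT\r\n"
    b"Content-Type: text/html\r\n"
    b"Set-Cookie: ASPSESSIONIDGQQQQQPA=IHOJAGJDECOLLGIBNKMCEEED; path=/\r\n"
    b"Cache-control: private\r\n"
    b"\r\n"
)


def parse_head_response(raw):
    """Split an HTTP response head into (status line, {header: value}).
    Header names are lower-cased; a server that terminates lines with a
    bare LF instead of CRLF is handled as well."""
    sep = b"\r\n\r\n" if b"\r\n\r\n" in raw else b"\n\n"
    head = raw.split(sep, 1)[0].decode("iso-8859-1", "replace")
    lines = head.splitlines()
    status = lines[0] if lines else ""
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if colon:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def server_banner(raw):
    """The Server header from a raw reply, or a marker if it is absent."""
    _, headers = parse_head_response(raw)
    return headers.get("server", "(no Server header)")


def grab_banner(host, port=80, use_tls=False, timeout=5.0):
    """Connect, send REQUEST and return (status line, server banner).
    With use_tls=True the TCP socket is wrapped in TLS first, which is
    what the OpenSSL client does for an SSL web server."""
    sock = socket.create_connection((host, port), timeout=timeout)
    try:
        if use_tls:
            ctx = ssl.create_default_context()
            ctx.check_hostname = False          # we want the banner,
            ctx.verify_mode = ssl.CERT_NONE     # not a trust decision
            sock = ctx.wrap_socket(sock, server_hostname=host)
        sock.sendall(REQUEST)
        raw = b""
        while b"\r\n\r\n" not in raw and b"\n\n" not in raw:
            chunk = sock.recv(4096)
            if not chunk:
                break
            raw += chunk
    finally:
        sock.close()
    status, _ = parse_head_response(raw)
    return status, server_banner(raw)


if __name__ == "__main__":
    import sys
    if len(sys.argv) < 2:
        # offline demo on the constructed reply
        print(parse_head_response(SAMPLE_REPLY)[0], server_banner(SAMPLE_REPLY))
    else:
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
        print(grab_banner(sys.argv[1], port, use_tls=(port == 443)))
```

Run without arguments it parses the constructed reply; with a host and port it performs the live grab and, like the Netcat request, shows up in the target's log as a HEAD entry. A modern ssl context will refuse the SSLv3 and export cipher suites that appear in the ssl_request_log entries later in the article, so against such an old server the TLS path fails to negotiate rather than returning a banner.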

Such requests are legitimate and look perfectly ordinary, but they are often the prelude to an attack. Neither access_log nor the IIS log shows whether the request arrived over SSL or plain HTTP, but Apache's ssl_request_log and ssl_engine_log (also in /usr/local/apache/logs) record connections to the SSL server. Here is an entry from ssl_request_log:

[07/Mar/2004:15:32:52 -0700] 11.1.1.50 SSLv3 EDH-RSA-DES-CBC3-SHA "HEAD / HTTP/1.0" 0

The third and fourth fields show the protocol version and cipher suite the client negotiated. The following ssl_request_log entries were produced by requests from clients such as the OpenSSL client, Internet Explorer and Netscape:

[07/Mar/2004:15:48:26 -0700] 11.1.1.50 SSLv3 EDH-RSA-DES-CBC3-SHA "GET / HTTP/1.0" 2692
[07/Mar/2004:15:52:51 -0700] 10.0.2.55 TLSv1 RC4-MD5 "GET / HTTP/1.1" 2692
[07/Mar/2004:15:54:46 -0700] 11.1.1.50 SSLv3 EXP-RC4-MD5 "GET / HTTP/1.0" 2692
[07/Mar/2004:15:55:34 -0700] 11.1.2.80 SSLv3 RC4-MD5 "GET / HTTP/1.0" 2692

Attackers also commonly make a copy of the target site, a so-called mirror, and use it to harvest the information they need for the attack. Comments in page source often contain useful details such as directory names, file names and even passwords. Common mirroring tools are Teleport Pro on Windows (http://www.tenmax.com/teleport/pro/home.htm) and Wget on Unix (http://www.gnu.org/manual/wget/). Below is what these two tools leave in the web server's log. Both crawl the entire site quickly, requesting every publicly reachable page, so a glance at the log is enough to recognise a mirroring run. The following is from the IIS log:

16:28:52 11.1.2.80 GET /Default.asp 200
16:28:52 11.1.2.80 GET /robots.txt 404
16:28:52 11.1.2.80 GET /header_protecting_your_privacy.gif 200
16:28:52 11.1.2.80 GET /header_fec_reqs.gif 200
16:28:55 11.1.2.80 GET /photo_contribs_sidebar.jpg 200
16:28:55 11.1.2.80 GET /g2klogo_white_bgd.gif 200
16:28:55 11.1.2.80 GET /header_contribute_on_line.gif 200

Here the host 11.1.2.80 is a Unix client issuing the requests with Wget.

16:49:01 11.1.1.50 GET /Default.asp 200
16:49:01 11.1.1.50 GET /robots.txt 404
16:49:01 11.1.1.50 GET /header_contribute_on_line.gif 200
16:49:01 11.1.1.50 GET /g2klogo_white_bgd.gif 200
16:49:01 11.1.1.50 GET /photo_contribs_sidebar.jpg 200
16:49:01 11.1.1.50 GET /header_fec_reqs.gif 200
16:49:01 11.1.1.50 GET /header_protecting_your_privacy.gif 200

Here 11.1.1.50 is a Windows client issuing the requests with Teleport Pro.

Tip: both hosts requested robots.txt. This file is a web administrator's tool whose purpose is to tell automated fetchers such as Wget and Teleport Pro which parts of the site they should not crawl or index. A request for robots.txt usually means someone is about to mirror the whole site. Note, however, that both Teleport Pro and Wget can be configured to ignore robots.txt.

Attackers can also use the web vulnerability scanner Whisker (http://www.wiretrip.net/) to probe the web server for known weaknesses. The following are portions of the IIS and Apache logs produced by running Whisker against them:

IIS:
13:17:56 11.1.1.50 GET /SiteServer/Publishing/viewcode.asp 404
13:17:56 11.1.1.50 GET /msadc/samples/adctest.asp 200
13:17:56 11.1.1.50 GET /advworks/equipment/catalog_type.asp 404
13:17:56 11.1.1.50 GET /iisadmpwd/aexp4b.htr 200
13:17:56 11.1.1.50 HEAD /scripts/samples/details.idc 200
13:17:56 11.1.1.50 GET /scripts/samples/details.idc 200
13:17:56 11.1.1.50 HEAD /scripts/samples/ctguestb.idc 200
13:17:56 11.1.1.50 GET /scripts/samples/ctguestb.idc 200
13:17:56 11.1.1.50 HEAD /scripts/tools/newdsn.exe 404
13:17:56 11.1.1.50 HEAD /msadc/msadcs.dll 200
13:17:56 11.1.1.50 GET /scripts/iisadmin/bdir.htr 200
13:17:56 11.1.1.50 HEAD /carbo.dll 404
13:17:56 11.1.1.50 HEAD /scripts/proxy/ 403
13:17:56 11.1.1.50 HEAD /scripts/proxy/w3proxy.dll 500
13:17:56 11.1.1.50 GET /scripts/proxy/w3proxy.dll 500

Apache:
11.1.1.50 - - [08/Mar/2004:12:57:28 -0700] "GET /cfcache.map HTTP/1.0" 404 266
11.1.1.50 - - [08/Mar/2004:12:57:28 -0700] "GET /cfide/Administrator/startstop.html HTTP/1.0" 404 289
11.1.1.50 - - [08/Mar/2004:12:57:28 -0700] "GET /cfappman/index.cfm HTTP/1.0" 404 273
11.1.1.50 - - [08/Mar/2004:12:57:28 -0700] "GET /cgi-bin/ HTTP/1.0" 403 267
11.1.1.50 - - [08/Mar/2004:12:57:29 -0700] "GET /cgi-bin/dbmlparser.exe HTTP/1.0" 404 277
11.1.1.50 - - [08/Mar/2004:12:57:29 -0700] "HEAD /_vti_inf.html HTTP/1.0" 404 0
11.1.1.50 - - [08/Mar/2004:12:57:29 -0700] "HEAD /_vti_pvt/ HTTP/1.0" 404 0
11.1.1.50 - - [08/Mar/2004:12:57:29 -0700] "HEAD /cgi-bin/webdist.cgi HTTP/1.0" 404 0
11.1.1.50 - - [08/Mar/2004:12:57:29 -0700] "HEAD /cgi-bin/handler HTTP/1.0" 404 0
11.1.1.50 - - [08/Mar/2004:12:57:29 -0700] "HEAD /cgi-bin/wrap HTTP/1.0" 404 0
11.1.1.50 - - [08/Mar/2004:12:57:29 -0700] "HEAD /cgi-bin/pfdisplay.cgi HTTP/1.0" 404 0

The key to detecting this kind of scan is a large number of 404 status codes returned to a single IP address within a short time. Once that pattern catches your attention, look at the other resources the same client requested: a scanner hammers at the CGI directories (cgi-bin on Apache, Scripts on IIS).

Whoever visits the site leaves clues in the log file. An alert web administrator treats log analysis as a source of leads; if following those leads shows that the site really does have a vulnerability, an attack on it can be anticipated.

Direct attacks and log analysis. Next I simulate common web server attacks and analyse the traces the attacker leaves in the log.

1. The MDAC attack

The MDAC attack lets a web client execute commands on the IIS web server. When someone launches it against an IIS server, the log records the client's calls to the msadcs.dll file, first with GET and then with POST:

17:48:49 12.1.2.8 GET /msadc/msadcs.dll 200
17:48:51 12.1.2.8 POST /msadc/msadcs.dll 200

2. Exploiting a source-code disclosure vulnerability

The second kind of attack is also very common: source-code disclosure vulnerabilities affecting ASP and Java web applications. An old one is the +.htr bug, which makes IIS return the source of an ASP page instead of executing it. An attempt to exploit it leaves this in the IIS log:

17:50:13 11.1.2.80 GET /default.asp+.htr 200

3. Permission problems. Web pages are often restricted to authorised users, so let us see what a failed login leaves in Apache's access_log:

12.1.2.8 - user [08/Mar/2004:18:58:29 -0700] "GET /private/ HTTP/1.0" 401 462

The third field holds the user name, here "user". Note also the HTTP status code 401, which means the request was not authorised.
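The checks described in this article, pulled together into one script: the two log formats introduced at the start, the per-IP 404 count that exposes a Whisker scan, the robots.txt request that precedes a mirroring run, and the msadcs.dll POST, +.htr and 401 entries from the three attack sections above. This is an added example, not code from the original article. It assumes the IIS field order the article shows (time, client IP, method, URI stem, status) and the seven-field Apache common log format; SAMPLE_LOG is constructed from the entries quoted in the article, with an IIS #Fields header added to show that such header lines are skipped.

```python
"""Triage of IIS (W3C extended) and Apache (access_log) entries for the
attack patterns walked through in this article.

Added example, not code from the original article. It assumes the IIS
field order the article shows (time, client IP, method, URI stem, status)
and the seven-field Apache common log format. SAMPLE_LOG is constructed
from the entries quoted in the article.
"""
import re
from collections import Counter

# Apache access_log: host ident user [date] "method uri proto" status bytes
APACHE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+)(?: (?P<proto>\S+))?" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)$'
)
# IIS W3C extended log with the default fields shown in the article
IIS_RE = re.compile(
    r'^(?P<time>\d\d:\d\d:\d\d) (?P<ip>\S+) (?P<method>\S+) '
    r'(?P<uri>\S+) (?P<status>\d{3})$'
)


def parse_line(line):
    """Normalise one line of either format to a dict; None for blank
    lines, IIS #Fields/#Software headers and anything unparsable."""
    line = line.strip()
    if not line or line.startswith('#'):
        return None
    m = IIS_RE.match(line) or APACHE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    rec.setdefault('user', '-')       # IIS lines here carry no user field
    return rec


# Per-request signatures for the traces the article describes.
SIGNATURES = [
    ('site mirroring (robots.txt fetched)',
     lambda r: r['uri'].lower() == '/robots.txt'),
    ('MDAC/RDS command execution (POST to msadcs.dll)',
     lambda r: r['method'] == 'POST'
     and r['uri'].lower().endswith('/msadc/msadcs.dll')),
    ('ASP source disclosure (+.htr)',
     lambda r: '+.htr' in r['uri'].lower()),
    ('failed authentication (401)',
     lambda r: r['status'] == 401),
]


def analyse(lines, not_found_threshold=5):
    """Return IPs that collected >= not_found_threshold 404s (scanner
    candidates, the Whisker pattern above) and all signature hits."""
    records = [r for r in map(parse_line, lines) if r is not None]
    not_found = Counter(r['ip'] for r in records if r['status'] == 404)
    scanners = {ip: n for ip, n in not_found.items()
                if n >= not_found_threshold}
    hits = [
        {'rule': name, 'ip': r['ip'], 'user': r['user'],
         'request': f"{r['method']} {r['uri']}", 'status': r['status']}
        for r in records
        for name, test in SIGNATURES if test(r)
    ]
    return {'scanners': scanners, 'hits': hits}


# Constructed sample: IIS lines (with a header) followed by Apache lines.
SAMPLE_LOG = """\
#Fields: time c-ip cs-method cs-uri-stem sc-status
16:28:52 11.1.2.80 GET /Default.asp 200
16:28:52 11.1.2.80 GET /robots.txt 404
13:17:56 11.1.1.50 GET /SiteServer/Publishing/viewcode.asp 404
13:17:56 11.1.1.50 GET /msadc/samples/adctest.asp 200
13:17:56 11.1.1.50 GET /advworks/equipment/catalog_type.asp 404
13:17:56 11.1.1.50 HEAD /scripts/tools/newdsn.exe 404
13:17:56 11.1.1.50 HEAD /carbo.dll 404
13:17:56 11.1.1.50 HEAD /scripts/proxy/ 403
17:48:49 12.1.2.8 GET /msadc/msadcs.dll 200
17:48:51 12.1.2.8 POST /msadc/msadcs.dll 200
17:50:13 11.1.2.80 GET /default.asp+.htr 200
11.1.1.50 - - [08/Mar/2004:12:57:28 -0700] "GET /cfcache.map HTTP/1.0" 404 266
11.1.1.50 - - [08/Mar/2004:12:57:28 -0700] "GET /cgi-bin/ HTTP/1.0" 403 267
11.1.1.50 - - [08/Mar/2004:12:57:29 -0700] "HEAD /_vti_inf.html HTTP/1.0" 404 0
12.1.2.8 - user [08/Mar/2004:18:58:29 -0700] "GET /private/ HTTP/1.0" 401 462
""".splitlines()

if __name__ == '__main__':
    result = analyse(SAMPLE_LOG)
    for ip, n in result['scanners'].items():
        print(f"scanner candidate: {ip} ({n} x 404)")
    for h in result['hits']:
        print(f"{h['rule']}: {h['ip']} {h['request']} -> {h['status']}")
```

On the constructed sample the script reports 11.1.1.50 as a scanner candidate (six 404s across both servers) and one hit for each of the four signatures; the plain GET of msadcs.dll is deliberately not flagged, since only the POST carries the RDS request. In production, feed it the real files and tune not_found_threshold to the normal 404 rate of the site, and remember that a client that ignores robots.txt, as the article notes Wget and Teleport Pro can, still shows up through the sheer number of requests.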

This concludes the comparison of Apache and IIS log analysis for these attacks. I have only covered a few common cases that show the differences and similarities between the two servers; you can test your own servers in whatever way you prefer, for instance with the currently popular SQL injection and file-upload vulnerabilities. I believe this is how real offensive and defensive confrontation is done!