Hack job: network intrusion detection initial detection method - vulnerability warning - the black bar safety net

Author: Anonymous (佚名)
Date: 2006-09-07 00:00:00
Source: www.myhack58.com (MYHACK58:62200611541)

A carefully configured Win2000 server can defend against 90% or more of intrusion and penetration attempts. However, as mentioned at the end of the previous chapter, system security is a continuous process: as new vulnerabilities appear and the server's applications change, the system's security posture is constantly changing. At the same time, since attack and defense are a contradictory unity (as virtue rises one foot, vice rises ten), intruders' techniques also keep evolving. Therefore, even a very good system administrator cannot guarantee that a server which provides services over a long period will never be compromised.

So securely configuring the server is not the end of security work, but rather the beginning of long and tedious security work. In this article we make an initial exploration of intrusion detection techniques for Win2000 Server, in the hope of helping you with the long-term security maintenance of your server.

Intrusion detection is mainly tied to the applications: for every service provided, there should be a corresponding detection and analysis system protecting it. For a typical host, the following aspects deserve the most attention:

1. Intrusion detection based on port 80

The WWW service is probably the most common service of all, and because it faces the majority of users, its traffic volume and complexity are very high, so vulnerabilities and intrusion techniques targeting it are also the most numerous. On NT, IIS has always been a headache for system administrators, but fortunately the logging function built into IIS can, to some extent, become a right-hand helper for intrusion detection. IIS log files are stored by default in the System32/LogFiles directory and are generally rolled over every 24 hours; this can be configured in IIS Manager.

Suppose we have a web server with the WWW service enabled, and that you, as its system administrator, have carefully configured IIS to use the W3C extended log format and to record at least time (time), Client IP (Client IP), method (Method), URI resource (URI Stem), URI query (URI Query) and Protocol Status (Protocol Status). Let's use the recently popular Unicode vulnerability as an example. Open an IE window and enter in the address bar:

http://127.0.0.1/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir

By default you will see a directory listing. Now let's look at what the IIS log recorded. Open Ex010318.log (Ex stands for the W3C extended format; the string of digits after it is the date the log was recorded):

07:42:58 127.0.0.1 GET /scripts/..\../winnt/system32\cmd.exe /c+dir 200

This log line shows that at 07:42:58 GMT (IIS records log times in GMT, so convert to your local time zone) someone (the intruder) at IP 127.0.0.1 used the Unicode vulnerability on your machine (%c1%1c is decoded as "\"; the exact sequence varies slightly between Windows versions) to run cmd.exe with the parameter /c dir, and the request succeeded (HTTP 200 is the success code).

In most cases the IIS log faithfully records every request it receives (there are also special attacks that IIS does not log; we will discuss those later). However, IIS logs easily run to tens of MB, and on high-traffic sites even tens of GB, so manual inspection is practically impossible; the only option is log analysis software. Writing a log analysis tool (which is really just a text filter) in any language is very simple.

Let me tell you a simple method. Suppose you want to know whether anyone has tried to get at your Global.asa file via port 80; you can use the following command:

find "Global.asa" ex010318.log /i

This command uses the find.exe tool that comes with NT, which makes it easy to find the string you want in a text file: "Global.asa" is the string to search for, ex010318.log is the text file to filter, and /i means ignore case. Since I do not intend to turn this article into a Microsoft help document, please consult the Win2000 help files for the other parameters of this command and for the usage of its enhanced version, findstr.exe.

Whether you use log analysis software or the find command, you can build a table of sensitive strings covering existing IIS vulnerabilities (such as "+.htr") as well as resources a future vulnerability might call (such as Global.asa or cmd.exe). By filtering with this continually updated string table, you can learn about an intruder's actions as early as possible.

Bear in mind that any log analysis software consumes some system resources, so a low-priority task like IIS log analysis is best run automatically at night when the server is idle; if you also write a script that mails the filtered suspicious lines to the system administrator, that is even better. At the same time, if the sensitive string table is large and the filtering rules are complex, I still suggest writing a dedicated program in C, which will be more cost-effective.
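As an added example (not code from the original article), here is a small log filter of the kind the text describes, written in Python: it parses IIS W3C extended log lines using the #Fields header, applies a sensitive-string table covering the Unicode traversal, cmd.exe, +.htr and Global.asa patterns discussed above, and tallies hits per client IP. The log lines are constructed for this example; the field names follow the layout IIS writes when the fields named in the article are enabled.

```python
"""Filter IIS W3C extended log lines against a table of sensitive strings.

Added example, not code from the original article. SAMPLE_LOG is constructed
for this demonstration; the #Fields header mirrors the layout IIS writes when
the fields named in the article (time, client IP, method, URI stem, URI query,
protocol status) are enabled.
"""
import re
from urllib.parse import unquote

# The "constantly updated string table" the article recommends. Each entry is
# (label, regex). Patterns are applied to both the raw and the URL-decoded
# request, because IIS versions differ in whether the stem is logged decoded.
SUSPICIOUS_PATTERNS = [
    ("directory traversal / Unicode decode", re.compile(r"\.\.[\\/]|%c[01]%[0-9a-f]{2}|%25", re.I)),
    ("cmd.exe invocation", re.compile(r"cmd\.exe", re.I)),
    ("+.htr source disclosure", re.compile(r"\+\.htr", re.I)),
    ("Global.asa access", re.compile(r"global\.asa", re.I)),
]

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-03-18 07:00:00
#Fields: time c-ip cs-method cs-uri-stem cs-uri-query sc-status
07:40:12 10.0.0.5 GET /default.asp - 200
07:41:03 10.0.0.5 GET /images/logo.gif - 200
07:42:58 127.0.0.1 GET /scripts/..\\../winnt/system32\\cmd.exe /c+dir 200
07:43:10 192.168.1.77 GET /scripts/..%c1%1c../winnt/system32/cmd.exe /c+dir 200
07:43:15 192.168.1.77 GET /global.asa+.htr - 404
07:44:00 10.0.0.9 GET /products.asp id=42 200
"""


def parse_w3c_log(text):
    """Yield one dict per data line, keyed by the names in the last #Fields directive."""
    fields = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            continue  # data before any #Fields header cannot be interpreted
        values = line.split()  # W3C logs encode spaces inside values as '+'
        if len(values) != len(fields):
            continue  # truncated or corrupt line
        yield dict(zip(fields, values))


def check_request(uri_stem, uri_query):
    """Return the labels of every sensitive pattern matching this request."""
    raw = uri_stem if uri_query in ("", "-") else f"{uri_stem}?{uri_query}"
    decoded = unquote(raw)  # invalid UTF-8 from %c1%1c becomes U+FFFD, never raises
    return [label for label, pattern in SUSPICIOUS_PATTERNS
            if pattern.search(raw) or pattern.search(decoded)]


def scan_log(text):
    """Return (time, client_ip, request, status, labels) for each flagged line."""
    flagged = []
    for entry in parse_w3c_log(text):
        stem = entry.get("cs-uri-stem", "-")
        query = entry.get("cs-uri-query", "-")
        labels = check_request(stem, query)
        if labels:
            request = stem if query == "-" else f"{stem}?{query}"
            flagged.append((entry.get("time"), entry.get("c-ip"), request,
                            entry.get("sc-status"), labels))
    return flagged


def hits_by_ip(flagged):
    """Count flagged requests per client IP, to rank who is probing the server."""
    counts = {}
    for _, ip, _, _, _ in flagged:
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for time, ip, request, status, labels in hits:
        print(f"{time} {ip} {status} {request}  <- {', '.join(labels)}")
    print("hits per IP:", hits_by_ip(hits))
```

Run it against a real Ex*.log by reading the file into scan_log; because the table is a plain list of (label, regex) pairs, adding the next vulnerability's signature is a one-line change, which is the point of keeping the string table separate from the filter.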

2. Detection based on the security log

Intrusion detection based on IIS logs lets us find out ahead of time about those who are stalking the server (handled badly, a stalker can turn into an intruder at any time). But the IIS log is not a panacea; in some cases it does not even record an intrusion over port 80. According to my analysis of IIS logging, IIS writes the log entry only after a request has completed; in other words, if a request is aborted, no trace of it appears in the log file (by "aborted" I do not mean a failure such as an HTTP 400 error, but a request that is never completed at the TCP layer, for example one broken off while POSTing a large amount of data). For the intruder, this makes it possible to bypass the logging system for a great deal of activity.

Moreover, on a host that does not expose port 80 alone, the intruder can also get in through other services. Establishing a complete security monitoring system is therefore very necessary.

Win2000 comes with a fairly powerful security log; from user logons to the use of privileges, it keeps very detailed records. Unfortunately, security auditing is turned off in a default installation, so that on some hosts, after a compromise, there is nothing left to track the intruder with. So the first step is to enable the necessary audits under Administrative Tools - Local Security Policy - Local Policies - Audit Policy. In general, logon events and account management are the events we care about most, and auditing both success and failure for them is very necessary; for the other categories, auditing failures is enough. This makes every step hard for the intruder, and one careless move leaves a failure in the log. Simply enabling security auditing does not solve the problem completely, however: if the size and overwrite mode of the security log are not configured properly, an experienced intruder can bury his real tracks under a flood of fake intrusion requests. Usually, setting the security log size to 50MB and allowing only entries older than 7 days to be overwritten avoids this situation. Note that with this setting, once the log is full and no entries are old enough to overwrite, Windows stops recording new events until the log is cleared or archived, so check and archive it regularly.

In addition to the security log, the system log and application log are also very good auxiliary monitoring tools. Apart from the traces an intruder leaves in the security log (if he has obtained Admin rights, he will certainly go and clear them), he also leaves telltale signs in the system and application logs. As a system administrator, adopt the attitude of letting no anomaly slip by, and the intruder will find it hard to hide his whereabouts.
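The security-log section above recommends auditing logon events and account management and warns about intruders flooding the log; as an added example (not code from the original article), the Python below scans an exported security log for two things a reviewer would look for: bursts of failed logons (Win2000 event 529) from one workstation and account, and events that always deserve attention regardless of frequency (624, user account created; 517, audit log cleared). The CSV is a constructed, simplified stand-in for an Event Viewer export; real exports carry more columns, and the workstation name "PIG" is taken from the article's own anecdote.

```python
"""Scan an exported Win2000 security log for logon-failure bursts and sensitive events.

Added example, not code from the original article. SAMPLE_EXPORT is a
constructed, simplified CSV in the spirit of Event Viewer's "Save As" export
(real exports carry more columns); the event IDs are the Win2000 ones.
"""
import csv
import io
from collections import defaultdict, deque
from datetime import datetime

FAILED_LOGON = 529        # logon failure: unknown user name or bad password
ACCOUNT_CREATED = 624     # user account created
AUDIT_LOG_CLEARED = 517   # the audit log was cleared
ALWAYS_REPORT = {ACCOUNT_CREATED: "account created", AUDIT_LOG_CLEARED: "audit log cleared"}

SAMPLE_EXPORT = """\
Date,Time,EventID,User,Workstation
2006/09/07,01:12:03,528,NT AUTHORITY\\SYSTEM,SRV1
2006/09/07,02:30:10,529,administrator,PIG
2006/09/07,02:30:11,529,administrator,PIG
2006/09/07,02:30:11,529,administrator,PIG
2006/09/07,02:30:12,529,administrator,PIG
2006/09/07,02:30:14,529,administrator,PIG
2006/09/07,02:35:40,528,administrator,PIG
2006/09/07,02:36:05,624,administrator,PIG
2006/09/07,02:37:00,517,administrator,PIG
2006/09/07,08:00:00,529,jsmith,WS22
"""


def parse_export(text):
    """Parse the CSV export into time-sorted dicts (event_id as int)."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        when = datetime.strptime(f"{row['Date']} {row['Time']}", "%Y/%m/%d %H:%M:%S")
        rows.append({"time": when, "event_id": int(row["EventID"]),
                     "user": row["User"], "workstation": row["Workstation"]})
    rows.sort(key=lambda r: r["time"])
    return rows


def find_logon_bursts(rows, threshold=5, window_seconds=60):
    """Flag (workstation, user) pairs producing >= threshold 529 events inside the window.

    A sliding deque per pair keeps only timestamps within window_seconds of the
    newest one; a burst is reported once, when the threshold is first reached.
    """
    recent = defaultdict(deque)
    reported = set()
    alerts = []
    for r in rows:
        if r["event_id"] != FAILED_LOGON:
            continue
        key = (r["workstation"], r["user"])
        window = recent[key]
        window.append(r["time"])
        while (window[-1] - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold and key not in reported:
            reported.add(key)
            alerts.append((key, window[0], window[-1], len(window)))
    return alerts


def find_sensitive_events(rows):
    """Events that always deserve a look, regardless of frequency."""
    return [(r["time"], r["event_id"], ALWAYS_REPORT[r["event_id"]], r["user"])
            for r in rows if r["event_id"] in ALWAYS_REPORT]


if __name__ == "__main__":
    events = parse_export(SAMPLE_EXPORT)
    for key, first, last, n in find_logon_bursts(events):
        print(f"{n} failed logons for {key[1]} from {key[0]} "
              f"between {first:%H:%M:%S} and {last:%H:%M:%S}")
    for when, eid, what, user in find_sensitive_events(events):
        print(f"{when:%H:%M:%S} event {eid} ({what}) by {user}")
```

The sample tells the story the article warns about: a password-guessing burst, then a successful logon, a new account, and finally a cleared audit log. Event 517 in particular should never be ignored, because clearing the log is exactly how an intruder with Admin rights removes the traces the text mentions.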

3. File access logging and key file protection

In addition to the default system security audit, for key files we also need to set up file access logging to record who accesses them.

File access auditing offers many options: read, modify, execute, create, attribute change... In general, following reads and modifications already plays a large monitoring role.

For example, if we monitor the system directory for modifications and file creation, and even monitor reads of certain important files (for example cmd.exe and net.exe in the system32 directory), it becomes hard for an intruder to place a backdoor without attracting our attention. Note that the key files and items monitored should not be too many; otherwise it not only increases the load on the system but also clutters the daily log review. Key files are not only system files; they include any file that could pose a danger to the system administrator or other users, such as the administrator's configuration and desktop files, which are likely to be used to steal administrator information and passwords.
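Windows file auditing records who touched a key file; a complementary check a practitioner often adds is a hash baseline that answers whether the file itself changed or a new file appeared in a watched directory. The Python below is an added example (not code from the original article, and a different technique from the SACL-based auditing the text describes): it hashes a list of key files, lists the directory, and diffs two snapshots. The demo runs in a throwaway temporary directory with fake cmd.exe/net.exe copies and a hypothetical dropped file nc.exe; nothing touches a real system32.

```python
"""Baseline-and-compare check for key files, complementing Windows file auditing.

Added example, not code from the original article. Windows object-access
auditing (SACLs) records who touched a file; this script answers the narrower
question of whether a key file changed or a new file appeared in a watched
directory, by hashing a known list of files and listing the directory. The
demo builds a throwaway directory with fake cmd.exe/net.exe copies and a
hypothetical dropped file nc.exe; nothing here touches a real system32.
"""
import hashlib
import os
import tempfile


def file_digest(path):
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root, key_files):
    """Hash each key file (None if absent) and record every name present in root."""
    hashes = {}
    for name in key_files:
        path = os.path.join(root, name)
        hashes[name] = file_digest(path) if os.path.isfile(path) else None
    return {"hashes": hashes, "listing": sorted(os.listdir(root))}


def diff_snapshots(old, new):
    """Report key files that changed or vanished, and names that appeared in the directory."""
    report = {"modified": [], "missing": [], "new_files": []}
    for name, old_hash in old["hashes"].items():
        new_hash = new["hashes"].get(name)
        if old_hash is not None and new_hash is None:
            report["missing"].append(name)
        elif old_hash != new_hash:
            report["modified"].append(name)
    report["new_files"] = sorted(set(new["listing"]) - set(old["listing"]))
    return report


def demo():
    """Constructed scenario: baseline, then an intruder replaces cmd.exe and drops nc.exe."""
    key_files = ["cmd.exe", "net.exe"]
    with tempfile.TemporaryDirectory() as root:
        for name in key_files:
            with open(os.path.join(root, name), "wb") as f:
                f.write(b"original contents of " + name.encode())
        before = snapshot(root, key_files)
        with open(os.path.join(root, "cmd.exe"), "wb") as f:   # trojaned replacement
            f.write(b"not the original cmd.exe")
        with open(os.path.join(root, "nc.exe"), "wb") as f:    # hypothetical dropped backdoor
            f.write(b"backdoor")
        after = snapshot(root, key_files)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    print(demo())
```

Keep the baseline snapshot off the server (an intruder with Admin rights can edit a local baseline as easily as the files), and keep the key-file list short for the same reason the text gives for auditing: a long list buries the one change that matters.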

4. Process monitoring

Process monitoring is another powerful weapon for tracking down Trojans and backdoors: 90% or more of Trojans and backdoors exist as processes. As a system administrator, it is your responsibility to know every process running on the server (otherwise, never mind security, you cannot even tune the system). Keeping a list of the processes each server runs is very necessary; it helps the administrator spot an intruder's process at a glance, and a process running under an unexpected user or consuming abnormal resources is very likely to be illegitimate. Besides processes, DLLs are also dangerous: for example, a Trojan that was originally an EXE, rewritten as a DLL and launched through rundll32, is much more confusing.

5. Registry check

In general, Trojans and backdoors use the registry to relaunch themselves, so checking the registry to discover an intrusion is also a commonly used technique. If the intruder only knows how to use popular Trojans, the check is relatively easy, since ordinary Trojans can only write to a few specific keys (such as Run, RunOnce, etc.); but a Trojan the intruder wrote or modified himself can hide anywhere in the registry, and a manual search is not feasible. The countermeasure is to monitor the registry for any change, so that even a Trojan that rewrites the registry has no way to hide. There is a lot of registry monitoring software, and many Trojan-hunting tools include such a function. Monitoring software plus regular registry backups means that if the registry is modified without authorization, the system administrator can recover in the shortest possible time.
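The "regular registry backup" the text recommends can double as a change monitor: export the autostart keys with regedit, keep the export, and diff it against the next one. As an added example (not code from the original article), the Python below parses two regedit exports and reports values added, removed or changed under the standard Win2000 autostart locations (Run, RunOnce, the current user's Run, and the Winlogon Shell/Userinit values). The two snapshots are constructed; the "SystemUpdate" entry pointing at svch0st.exe and the wincfg.exe appended to Userinit are hypothetical examples of what a backdoor might add.

```python
"""Diff two regedit exports to spot new or altered autostart entries.

Added example, not code from the original article. The two snapshots are
constructed; the key paths are the standard Win2000 autostart locations, and
the entries "SystemUpdate" / svch0st.exe and the appended wincfg.exe are
hypothetical examples of what a backdoor might add.
"""
import re

SECTION_RE = re.compile(r"^\[(.+)\]$")
# value line: either @=... (default value) or "name"=... ; name may contain \" escapes
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

# Locations Trojans commonly use to relaunch themselves; the article names Run and RunOnce.
AUTOSTART_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
)

SNAPSHOT_BEFORE = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINNT\\system32\\userinit.exe,"
"""

SNAPSHOT_AFTER = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"SystemUpdate"="C:\\WINNT\\system32\\svch0st.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINNT\\system32\\userinit.exe,C:\\WINNT\\system32\\wincfg.exe"
"""


def parse_reg(text):
    """Parse a regedit export into {key_path: {value_name: raw_data_text}}."""
    keys = {}
    current = None
    pending = ""
    for raw_line in text.splitlines():
        line = pending + raw_line.strip()
        pending = ""
        if line.endswith("\\"):          # hex data wrapped onto the next line
            pending = line[:-1]
            continue
        if (not line or line.startswith(";") or line.startswith("REGEDIT")
                or line.startswith("Windows Registry Editor")):
            continue
        section = SECTION_RE.match(line)
        if section:
            current = section.group(1)
            keys.setdefault(current, {})
            continue
        value = VALUE_RE.match(line)
        if current is None or not value:
            continue
        name = "(Default)" if value.group(1) == "@" else value.group(1)[1:-1]
        keys[current][name] = value.group(2)
    return keys


def diff_reg(old, new):
    """Return added/removed/changed values; data is kept as the raw .reg text."""
    changes = {"added": [], "removed": [], "changed": []}
    for key in sorted(set(old) | set(new)):
        o, n = old.get(key, {}), new.get(key, {})
        for name in sorted(set(o) | set(n)):
            if name not in o:
                changes["added"].append((key, name, n[name]))
            elif name not in n:
                changes["removed"].append((key, name, o[name]))
            elif o[name] != n[name]:
                changes["changed"].append((key, name, o[name], n[name]))
    return changes


def autostart_changes(changes):
    """Restrict a diff to the autostart locations, where any added value is a red flag."""
    return {kind: [c for c in items if c[0] in AUTOSTART_KEYS]
            for kind, items in changes.items()}


if __name__ == "__main__":
    report = autostart_changes(diff_reg(parse_reg(SNAPSHOT_BEFORE), parse_reg(SNAPSHOT_AFTER)))
    for kind, items in report.items():
        for item in items:
            print(kind, item)
```

Both the new Run value and the modified Userinit line are caught, and the second is the one a Run-key-only check would miss: appending a program to Userinit launches it at every logon without touching Run or RunOnce at all.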

6. Port monitoring

Although Trojans that use no port at all have appeared, most backdoors and Trojans still use TCP connections, so for hosts that for various reasons cannot block ports, monitoring port status is very important. For a system administrator, knowing which ports are open on your own server is even more important than process monitoring. Frequently using netstat to view the server's port status is a good habit, but you cannot do it 24 hours a day, and the NT security log has a flaw: it records a machine name rather than an IP. If you have neither a firewall nor intrusion detection software, you can use a script to log IPs. Look at this command:

netstat -n -p tcp 10 >> Netstat.log

This command automatically dumps the TCP connection state every 10 seconds. Based on it, we make a Netlog.bat file:

time /t >> Netstat.log
netstat -n -p tcp 10 >> Netstat.log

This script automatically records the time and the TCP connection state. Note that netstat with an interval keeps running until it is interrupted, so the time /t line executes only once, at startup, and the later snapshots carry no timestamp of their own. Also, if site traffic is relatively heavy, this operation consumes a certain amount of CPU time and the log file grows steadily, so please use it with caution.

Once an abnormal port is found, you can use a dedicated tool to associate the port with its executable file and process (inzider, for example, has this function: it finds the ports the server is listening on and identifies the file associated with each; inzider can be downloaded from http://www.nttoolbox.com), so that Trojans using either TCP or UDP have nowhere to hide.

7. Terminal Services log monitoring

Terminal Services log monitoring is listed separately for a reason. Microsoft Win2000 Server comes with Terminal Services, a Remote Desktop Protocol (RDP) tool; it is very fast and very stable and makes an excellent remote administration tool. But precisely because it is so powerful and protected only by a password, it is also very dangerous: once an intruder has the administrator password, he can operate the remote server as if it were his own machine. Although many people use Terminal Services for remote administration, not everyone knows how to audit it, and most terminal servers do not log terminal logons at all. In fact, enabling audit logging is very easy: in Administrative Tools, open Terminal Services Configuration, click "Connections", right-click the RDP connection you want to configure (for example RDP-Tcp, Microsoft RDP 5.0), select the "Permissions" tab, click "Advanced" in the lower left, and you will see an "Auditing" tab. Add the Everyone group, which represents all users, and audit success for "Connect", "Disconnect" and "Logoff", and both success and failure for "Logon"; that is enough. Auditing too much is not good. These audit records go into the security log and can be viewed under "Administrative Tools" → "Event Viewer". Now I have a clear picture of who logs on and when, but the catch is that this tattered thing does not even record the client IP (you can only see the IP of users currently online); instead it pompously records the machine name. If someone connects from a machine named PIG, you can do nothing but endure his mockery. I do not know what Microsoft was thinking; it seems we cannot rely entirely on Microsoft. Let's do it ourselves: write a program and it is all done. Do you know C? No? VB? Not that either? Delphi? ... What? You don't know any programming language?
Well, after all, a system administrator is not necessarily a programmer. Don't worry, I'll think of a way for you. We create a bat file called TSLog.bat, which is used to record the IP of whoever logs in, as follows:

time /t >> TSLog.log
netstat -n -p tcp | find ":3389" >> TSLog.log
start Explorer

Let me explain what this file does. The first line records the user's logon time: time /t directly returns the system time (without /t, the system waits for you to enter a new time); then we use the append symbol ">>"
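Both Netlog.bat (section 6) and TSLog.bat (section 7) produce a text file of `time /t` stamps followed by `netstat -n -p tcp` output, and the article leaves reading that file to the administrator. As an added example (not code from the original article), the Python below parses such a file, pulls out the remote IPs seen on the Terminal Services port (the information TSLog.bat is after) and reports any connection to a local port outside an allow-list (what the port-monitoring section wants). SAMPLE_LOG is constructed to look like two netstat snapshots, each preceded by a time stamp; the addresses are invented (documentation ranges). One caveat: connections the server itself initiates show an ephemeral local port and would also be flagged, so on a server that makes outbound connections you would exclude those by remote port or by local port range.

```python
"""Parse a Netstat.log / TSLog.log built from `time /t` and `netstat -n -p tcp` output.

Added example, not code from the original article. SAMPLE_LOG is constructed
to look like two snapshots of Windows netstat output, each preceded by a
`time /t` stamp; the addresses are invented. It pulls out the remote IPs seen
on the Terminal Services port (what TSLog.bat is after) and any connection to
a local port outside an allow-list (what the port-monitoring section wants).
"""
import re
from collections import defaultdict

# `time /t` prints e.g. "03:15 PM" or "15:15" depending on the locale.
TIME_RE = re.compile(r"^\d{1,2}:\d{2}(?:\s*[AP]M)?$", re.I)
CONN_RE = re.compile(r"^TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)$")

SAMPLE_LOG = """\
03:15 PM

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.0.10:80        10.1.1.5:3345          ESTABLISHED
  TCP    192.168.0.10:3389      203.0.113.9:1221       ESTABLISHED
  TCP    192.168.0.10:139       10.1.1.5:1040          ESTABLISHED
03:25 PM

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.0.10:80        10.1.1.6:3350          ESTABLISHED
  TCP    192.168.0.10:3389      203.0.113.9:1221       ESTABLISHED
  TCP    192.168.0.10:31337     198.51.100.5:2222      ESTABLISHED
"""


def parse_netstat_log(text):
    """Yield (timestamp, local_ip, local_port, remote_ip, remote_port, state) per connection.

    The timestamp is the most recent `time /t` line seen, or None if the log
    began with netstat output (as Netlog.bat's single stamp can leave it).
    """
    stamp = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if TIME_RE.match(line):
            stamp = line
            continue
        m = CONN_RE.match(line)
        if m:
            lip, lport, rip, rport, state = m.groups()
            yield (stamp, lip, int(lport), rip, int(rport), state)


def rdp_clients(text, rdp_port=3389):
    """Remote IPs seen connected to the Terminal Services port, with the first stamp seen."""
    seen = {}
    for stamp, _, lport, rip, _, state in parse_netstat_log(text):
        if lport == rdp_port and state == "ESTABLISHED":
            seen.setdefault(rip, stamp)
    return seen


def unexpected_local_ports(text, allowed):
    """Connections to local ports outside the allow-list: candidates for a bound backdoor."""
    found = defaultdict(set)
    for stamp, _, lport, rip, _, _ in parse_netstat_log(text):
        if lport not in allowed:
            found[lport].add((stamp, rip))
    return {port: sorted(peers) for port, peers in found.items()}


if __name__ == "__main__":
    print("RDP clients:", rdp_clients(SAMPLE_LOG))
    print("unexpected ports:", unexpected_local_ports(SAMPLE_LOG, allowed={80, 139, 3389}))
```

Fed the TSLog.log the bat file appends to, rdp_clients gives the client IP per Terminal Services logon that the article complains the security log withholds; fed a Netlog.bat file, unexpected_local_ports turns the raw netstat dump into the short list worth handing to a tool such as inzider.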