After an intrusion into a Unix system, determining the extent of the damage and the source address of the intruder is very important. Although most intruders know to use an already compromised machine as a springboard before launching the formal attack on your server, the information gathering against the target (exploratory scanning) is often started from their own machine. This article introduces how to analyze the system logs after an intrusion in order to determine the intruder's IP.
/var/adm is the Unix log directory (under Linux it is /var/log). A considerable number of the logs under it are stored as ASCII text. Let us first concentrate on the file messages, which is also the file of most concern to the intruder, since it records information at the system level. A large part of its logging is useless to us here:
Apr 25 21:49:30 2000 unix: Copyright (c) 1983-1997, Sun Microsystems, Inc.
Apr 25 21:49:30 2000 unix: mem = 262144K (0x10000000)
Such records display copyright or hardware information, while:
Apr 29 19:06:47 www login : FAILED LOGIN 1 FROM xxx.xxx.xxx.xxx,
User not known to the underlying authentication module
Such records show failed logins:
Apr 29 22:05:45 game PAM_pwdb: (login) session opened for user ncx by (uid=0)
So the first step should be kill -HUP `cat /var/run/syslogd.pid` (of course, the intruder may already have "helped" us do this ;-) so that we get no useful information).
At the following website you can find a large number of log audit and analysis tools and scripts:
2. wtmp, utmp logs, ftp logs
In the /var/adm, /var/log or /etc directory you can find the files named wtmp and utmp, which record when and from where a user logged in (e.g. by telnet). The oldest and most popular hacker tool for this, zap2 (the compiled file is commonly called z2, or wipe), is used to erase the login records in these two files. However, out of laziness or because of poor network speed (an echo delay above 3 seconds causes the session to collapse, and I have often met echo times 10 times that), many intruders do not upload or compile this file, so the administrator can use the lastlog command to obtain the source address of the intruder's last connection (of course, this address may be one of their springboards). The FTP log is usually /var/log/xferlog, a text file that records in detail the time, source, file name and so on of every file uploaded by FTP. However, because this log is too obvious, slightly more sophisticated intruders rarely use this method to transfer files; using rcp is more common. You can run # cat /var/log/xferlog | grep -v 202.106.147 to see the addresses that should not be there.
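The grep -v check above, done as an added example (not part of the original article) that parses xferlog records field by field and filters on a real network prefix instead of a substring. The sample log lines, the trusted network 202.106.147.0/24 and the 192.0.2.x address are constructed for illustration.

```python
import ipaddress
from collections import namedtuple

# wu-ftpd xferlog fields after the five-token timestamp (see man xferlog).
Xfer = namedtuple("Xfer", "time secs host size path type flag direction "
                          "mode user service auth uid status")

# Constructed sample: one ordinary download from the trusted 202.106.147.0/24
# network, then an upload and a download by user ncx from 192.0.2.77.
SAMPLE_XFERLOG = """\
Wed Apr 26 03:21:10 2000 2 202.106.147.15 40960 /pub/notes.txt b _ o r alice ftp 0 * c
Fri Apr 28 00:41:33 2000 1 192.0.2.77 12288 /tmp/backdoor b _ i r ncx ftp 0 * c
Fri Apr 28 00:42:02 2000 3 192.0.2.77 2048 /etc/passwd a _ o r ncx ftp 0 * c
"""

def parse_xferlog_line(line):
    """Parse one xferlog record; return an Xfer, or None if malformed."""
    t = line.split()
    if len(t) < 18:
        return None
    return Xfer(" ".join(t[:5]), *t[5:18])

def foreign_transfers(log_text, trusted_nets, direction=None):
    """Transfers whose remote host lies outside every trusted network
    (the article's grep -v 202.106.147, with proper prefix matching).
    direction: 'i' for uploads to the server, 'o' for downloads, None for both."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    found = []
    for line in log_text.splitlines():
        x = parse_xferlog_line(line)
        if x is None:
            continue
        try:
            trusted = any(ipaddress.ip_address(x.host) in n for n in nets)
        except ValueError:      # unresolved hostname in the host field
            trusted = False
        if trusted or (direction and x.direction != direction):
            continue
        found.append(x)
    return found
```

Call foreign_transfers(open("/var/log/xferlog").read(), ["202.106.147.0/24"], direction="i") to list only uploads from outside hosts, which is where a dropped tool would appear.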
After obtaining root privileges, the intruder builds their own account for re-entry; a more advanced technique is to use system user names such as uucp or lp, which normally have no password, rather than adding a new one. After the intrusion, even if the intruder has deleted files such as .sh_history or .bash_history, executing kill -HUP `cat /var/run/inetd.pid` can cause the bash command records still held in memory pages to be written back to disk; then run find / -name .sh_history -print and carefully examine every suspicious shell command log. Pay particular attention when you find a .sh_history file in directories such as /usr/spool/lp (lp's home dir) or /usr/lib/uucp (uucp's home dir). Intruders often need to transfer files between the target and their working machine; to avoid syslog, they may run ftp from the target machine to their working machine, so in .sh_history you may find commands similar to ftp xxx.xxx.xxx.xxx or rcp nobody@xxx.xxx.xxx.xxx:/tmp/backdoor /tmp/backdoor, which reveal the intruder's IP or domain name.
4. http server log
This is probably the most effective way to locate the intruder's true origin. Take the most popular server, Apache, as an example: in the logs/access.log file under the Apache installation directory you can find records describing each visitor's IP, access time and the content requested. After the intrusion, we should be able to find records in this file similar to the following:
xxx.xxx.xxx.xxx - - [28/Apr/2000:00:29:05 -0800] "GET /cgi-bin/rguest.exe" 404 -
xxx.xxx.xxx.xxx - - [28/Apr/2000:00:28:57 -0800] "GET /msads/Samples/SELECTOR/showcode.asp" 404 -
From these, someone at IP xxx.xxx.xxx.xxx tried at 0:28 on April 28, 2000 to access the file /msads/Samples/SELECTOR/showcode.asp; this is the trace a web CGI scanner leaves in the log. Most web scanners are based on MS operating systems, and for speed, intruders using Unix-based scanners often choose the server nearest to them. Combining the attack time and the IP, we can learn a lot about the intruder.
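An added example (not from the original article) of the access.log analysis just described: it parses Common Log Format records and flags source IPs that either requested a known probe path or produced a burst of 404 responses in a short window, which is how a CGI scanner walking its list looks in the log. The sample log, the documentation addresses 192.0.2.77 and 198.51.100.9, and the /cgi-bin/phf probe path are constructed; the other two probe paths are the ones quoted in the article.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')

# Probe paths: the two from the article's own records plus /cgi-bin/phf (assumed).
SCANNER_PATHS = ("/cgi-bin/rguest.exe", "/msads/Samples/SELECTOR/showcode.asp",
                 "/cgi-bin/phf")

# Constructed sample log; 192.0.2.x / 198.51.100.x are documentation addresses.
SAMPLE_LOG = """\
192.0.2.77 - - [28/Apr/2000:00:28:57 -0800] "GET /msads/Samples/SELECTOR/showcode.asp HTTP/1.0" 404 -
192.0.2.77 - - [28/Apr/2000:00:29:05 -0800] "GET /cgi-bin/rguest.exe HTTP/1.0" 404 -
192.0.2.77 - - [28/Apr/2000:00:29:06 -0800] "GET /cgi-bin/phf HTTP/1.0" 404 -
198.51.100.9 - - [28/Apr/2000:08:10:12 -0800] "GET /index.html HTTP/1.0" 200 2048
198.51.100.9 - - [28/Apr/2000:08:10:13 -0800] "GET /missing.gif HTTP/1.0" 404 -
"""

def parse_clf(line):
    """Return (ip, datetime, path, status) for one CLF record, else None."""
    m = CLF.match(line)
    if not m:
        return None
    ip, ts, request, status, _ = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    parts = request.split()
    path = parts[1] if len(parts) >= 2 else request
    return ip, when, path, int(status)

def find_scanners(log_text, min_404=3, window_secs=60):
    """Flag an IP that hit a known probe path, or produced min_404 or more
    404 responses within window_secs (a CGI scanner walking its list)."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_clf(line)
        if rec:
            by_ip[rec[0]].append(rec)
    report = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r[1])
        misses = [r for r in recs if r[3] == 404]
        probes = [r[2] for r in recs if r[2].startswith(SCANNER_PATHS)]
        burst = any((misses[i + min_404 - 1][1] - misses[i][1]).total_seconds()
                    <= window_secs for i in range(len(misses) - min_404 + 1))
        if burst or probes:
            report[ip] = {"first": recs[0][1], "last": recs[-1][1],
                          "n404": len(misses), "probes": probes}
    return report
```

find_scanners(SAMPLE_LOG) reports only 192.0.2.77, with its first and last request times; the ordinary visitor with a single broken image link is not flagged.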
5. core dump
This is a relatively complex method, but also an effective one. A safe and stable daemon will not dump core during normal operation. When an intruder exploits a service remotely, many services have just performed the getpeername socket function call (see socket programming), so the intruder's IP is also held in memory; when the service overflows, the system dumps its memory pages into a core file, which means that inside a large section of chaotic characters (in fact the process's global variables) you may find the IP of the machine that performed the exploit. BTW: this was written with reference to the post at http://members.tripod.com/mixtersecurity/paper.html. I did a test with a remote cmsd attack, but in the core I only found some of the commands the remote intruder used to overflow the service, and did not find the IP. However, there is still reason to believe Mixter's (the author of paper.html) words.
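As an added example (not from the article or from Mixter's paper), a small carver for the core-file search described above: it looks for struct sockaddr_in images in the Linux/Solaris layout, which is what getpeername() fills in, and separately for ASCII dotted quads, so that both a binary peer address and a command line such as "ftp 198.51.100.9" are found. The sample "core" bytes, the address 192.0.2.77:1034 and the string 198.51.100.9 are constructed.

```python
import re
import socket
import struct
import sys

# ASCII dotted quad with valid octets; lookarounds reject "10.0.0.300"-style junk.
DOTTED = re.compile(rb"(?<![0-9.])((?:25[0-5]|2[0-4]\d|1?\d?\d)"
                    rb"(?:\.(?:25[0-5]|2[0-4]\d|1?\d?\d)){3})(?![0-9.])")

def carve_peers(core):
    """Return (offset, kind, ip, port) for every plausible peer address:
    a struct sockaddr_in in native layout (sin_family=AF_INET in host order,
    sin_port in network order, sin_addr, then 8 zero bytes of sin_zero) as
    getpeername() fills in on Linux/Solaris, plus ASCII dotted quads."""
    hits = []
    fam = struct.pack("=H", socket.AF_INET)
    for off in range(len(core) - 15):
        if core[off:off + 2] != fam:
            continue
        port = struct.unpack("!H", core[off + 2:off + 4])[0]
        addr = core[off + 4:off + 8]
        if port and addr != b"\0" * 4 and core[off + 8:off + 16] == b"\0" * 8:
            hits.append((off, "sockaddr_in", socket.inet_ntoa(addr), port))
    for m in DOTTED.finditer(core):
        hits.append((m.start(), "ascii", m.group(1).decode(), None))
    return hits

def make_sample_core():
    """Constructed stand-in for a core file: filler bytes, one sockaddr_in for
    192.0.2.77:1034, an invalid quad, and an ftp command line holding an IP."""
    peer = (struct.pack("=H", socket.AF_INET) + struct.pack("!H", 1034)
            + socket.inet_aton("192.0.2.77") + b"\0" * 8)
    return (b"\x00\x7f\x41" * 50 + peer + b"garbage 10.0.0.300 "
            + b"ftp 198.51.100.9\0" + b"\xff" * 40)

if __name__ == "__main__":
    # With a path argument, scan a real core file; otherwise the sample above.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_sample_core()
    for off, kind, ip, port in carve_peers(data):
        print(f"{off:#010x} {kind:12} {ip}{':' + str(port) if port else ''}")
```

Expect false positives from any 16-byte run that happens to start with 0x0002; cross-check candidate addresses against the messages and access.log entries from the same time window.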
6. Proxy server logs
A proxy is often used in medium-sized enterprise networks as the interface for exchanging information between the inside and the outside; it faithfully records the content each user accessed, which of course includes the content accessed by the intruder. Take the most common proxy, squid, as an example: you can usually find the huge access.log file under /usr/local/squid/logs/. Of course, because this log grows quickly, it should be backed up promptly after an incident. You can get squid log analysis scripts at the following address: http://www.squid-cache.org/Doc/Users-Guide/added/stats.html. By analyzing the accesses to sensitive files in the access log, you can know who accessed this protected content and when.
7. router log
By default, a router does not record any scanning or logins, so intruders use it as a springboard to carry out attacks. If your enterprise network is divided into a militarized zone and a demilitarized zone, then enabling the router's logging will help track the intruder in the future. More importantly, for administrators, such an arrangement can determine whether the attacker is an insider or an outsider. Of course, you need an extra server to hold the router.log file.
On the Cisco router:
router(config)# logging facility syslog
router(config)# logging trap informational
router(config)# logging [server name]
On the log server:
I. Add a line to /etc/syslog.conf:
*.info /var/log/router.log
II. Create the log file /var/log/router.log.
III. Restart the syslogd process:
kill -HUP `cat /var/run/syslogd.pid`
For an intruder, carrying out a whole attack without ever attempting to establish a TCP connection to the target is unlikely; for many subjective and objective reasons, it is not very difficult for an intruder's attack to leave a log. If we spend enough time and effort, we can extract the desired information from the large volume of logs. In terms of the intruder's mentality, the greater the privileges they have obtained on the target machine, the more conservative they tend to be in the way they build connections to it. By carefully analyzing the early logs, especially the part containing the scans, we can reap a greater harvest.
Log auditing is only a passive means of defense after an intrusion. The initiative lies in strengthening your own learning and upgrading or patching the system in time. Being prepared is the most effective way to prevent intrusions.