Web backdoor investigation and efficient web log analysis techniques

  This year I have been busy with all kinds of things, big and small, and have rarely had time to sit down and write, so blog updates have become rarer and rarer. The company's security team is now under me, and we have been recruiting hard. There is an Internet finance conference on the 8th of next month, and in April I am a guest speaker at QCon Beijing, which also needs preparing.

  I have received dozens of resumes so far. What I hope to find is all-round talent with [programming + operations + security]. Most of the resumes that come in cover only penetration testing, or penetration testing plus programming; most lack basic operations skills and have no emergency-response experience at all.

  Before it gets too late, let me take some time to write down [web backdoor investigation and efficient web log analysis techniques in emergency response]. System backdoors and other kinds of logs are not covered here (though if you do not even check for system backdoors, you cannot really call it emergency response).

  Example event scenario:

  The homepage of company XX's website was search-engine hijacked: visitors arriving from a search engine were redirected to a gambling site. Company XX's technical director discovered it at 9:10 in the morning and contacted our company, hoping we could handle the emergency remotely. Their requirements were [clear the web backdoor, analyze the vulnerability and the intrusion process, and make security recommendations].

    First, think about what the scenario tells us: the current symptom on company XX's website, the time the problem was discovered, and their requirements.
    We know the homepage has been search-engine hijacked. This is generally done in one of three ways:
     1. A JS jump: JavaScript detects a search-engine visitor (for example from the referrer) and redirects.
     2. Script code such as PHP/ASP detects the search engine (for example from the User-Agent or Referer header) and redirects.
     3. The web server configuration file detects the search engine and redirects (for example with a rewrite rule).

     All three are fairly common, and I have met plenty of them in emergency response. The first thing to establish is how the hacker implemented the hijack. Assume here it is the first kind. The hacker then has two ways to plant it: directly modify the web page file and insert the code, or write the code into the database so that the site reads it and renders it on the page as normal content. Assume here that the file was modified, since that is the most common. This gives us one piece of information: the last modification time of the homepage file, which is a time A after the hack. Of course, the mtime of this file may itself have been altered; if it has, we still have time B, 9:10 in the morning, when the problem was found.

  The first thing to do is to check for web backdoors . You can start from several angles.
   1. Web backdoor scanning tools
    Some can be found on my blog. On Windows I recommend D-Shield. On Linux I have a small script, but it is very simply written and only moderately effective. I also wrote a fairly satisfactory one for the company, but I cannot release it, haha.
  2. The last modification time of files
    Use a command to list the script files modified after a certain time point (time A, or failing that time B), then check each one to see whether it is a web backdoor.

  3. The dumbest method: slowly analyze the log around the approximate time
    . Do not use this method unless you have to. It is time-consuming and indirect: the typical web server does not record POST bodies, cookies, etc., so only experienced people can tell what happened from the URL alone.
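Method 2 above, together with the three hijack patterns listed earlier, as a script. This is an added example written for this page, not a tool from the original post or from D-Shield. The web root, the time point, the file extensions and the indicator patterns (typical one-liner webshell building blocks, and the combination of a search-engine test plus a redirect that hijack code needs) are assumptions chosen for the demo; they are heuristics, so expect false positives from legitimate code that happens to use base64_decode or a referrer check, and treat every hit as something to read by hand. The reference-file trick uses POSIX `find -newer` so it works without GNU `-newermt`.

```shell
#!/bin/sh
# Added example (not from the original post): list script files under a web
# root whose mtime is later than a given time point, then flag those that
# contain common web-backdoor or search-engine-hijack indicators.
# ROOT, STAMP and the indicator patterns below are assumptions for the demo.

# modified_since ROOT STAMP: sorted script/template files under ROOT whose
# mtime is later than STAMP (touch -t format, 201403050910 = 2014-03-05 09:10).
modified_since() {
    root="$1" stamp="$2"
    ref=$(mktemp) || return 1
    touch -t "$stamp" "$ref"          # reference file carrying the time point
    find "$root" -type f -newer "$ref" \( -name '*.php' -o -name '*.asp' \
        -o -name '*.aspx' -o -name '*.jsp' -o -name '*.js' \
        -o -name '*.html' -o -name '*.htm' \) | sort
    rm -f "$ref"
}

# flag_file PATH: print "PATH<TAB>backdoor" and/or "PATH<TAB>hijack" when the
# file matches an indicator pattern; print nothing for a clean file.
flag_file() {
    f="$1"
    # Assumed webshell indicators: code execution fed from request parameters.
    if grep -qE 'eval\(|assert\(|base64_decode\(|\$_(POST|GET|REQUEST|COOKIE)\[' "$f"; then
        printf '%s\tbackdoor\n' "$f"
    fi
    # Hijack code needs both a search-engine test (UA/referrer) and a redirect.
    if grep -qiE 'spider|bot|baidu|google|sogou|bing' "$f" \
       && grep -qiE 'location|header\(' "$f"; then
        printf '%s\thijack\n' "$f"
    fi
}

# triage ROOT STAMP: files modified after STAMP that also carry an indicator.
triage() {
    modified_since "$1" "$2" | while IFS= read -r f; do flag_file "$f"; done
}

# make_demo_root: constructed web root for the demo (not a real incident).
# Two files are dated before the time point, two after it.
make_demo_root() {
    d=$(mktemp -d)
    printf '%s\n' '<?php echo "hello"; ?>' > "$d/clean.php"
    printf '%s\n' '<?php eval($_POST["y"]); ?>' > "$d/old.php"
    printf '%s\n' '<?php eval($_POST["x"]); ?>' > "$d/seay.php"
    printf '%s\n' 'if (/baidu|google/i.test(document.referrer)) window.location = "http://example.invalid/";' > "$d/index.html"
    touch -t 201403010000 "$d/clean.php" "$d/old.php"     # long before time A
    touch -t 201403050920 "$d/seay.php" "$d/index.html"   # after the time point
    echo "$d"
}
```

Run it as `triage /var/www/html 201403050910` on a real host; in the demo, `triage "$(make_demo_root)" 201403050910` reports `index.html` as hijack and `seay.php` as backdoor, and leaves out `old.php` even though it contains `eval`, because its mtime is older than the time point. That last case is exactly why the page also recommends searching the log by file name: an attacker who resets mtimes defeats this scan.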

  The second thing is to find the vulnerability used for the intrusion .
    Suppose we find the backdoors seay.php and action.php, etc. Check the last modification time of each backdoor: if the intruder did not alter it afterwards, that time is the intrusion time, and we can go straight to the log entries around it. Even if it has been altered, that is fine: simply search the web log for the backdoor's file name, and you can efficiently locate the intrusion time and IP.

   Now that we have the intruder's intrusion time and IP, the next trick is how to quickly extract the intruder's activity from the log: pull out every log entry for that IP, and you can then find the vulnerability with very little trouble.
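The two log tricks above (search by backdoor file name to get the intrusion time and IP, then pull the full history of that IP) as shell functions over an access log. This is an added example, not code from the original post. It assumes the common Apache/nginx "combined" log format, where field 1 is the client IP, field 4 the `[timestamp`, field 6 the `"METHOD` and field 7 the request path; the log lines, the backdoor name `seay.php`, the `upload.php` path and the IP addresses are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): locate a web backdoor in an
# access log by file name, then reconstruct the intruder's request timeline.
# Assumes the Apache/nginx "combined" format; all sample data is constructed.

# make_demo_log: a constructed access log. The intruder (203.0.113.7) probes an
# upload script, POSTs to it, then starts using /upload/seay.php. A second IP
# touches the shell later, and a search-engine bot gets the hijack 302.
make_demo_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
1.2.3.4 - - [05/Mar/2014:03:12:01 +0800] "GET /index.php?id=1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Mar/2014:03:40:12 +0800] "GET /admin/upload.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Mar/2014:03:41:05 +0800] "POST /admin/upload.php HTTP/1.1" 200 144 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Mar/2014:03:41:30 +0800] "GET /upload/seay.php HTTP/1.1" 200 35 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Mar/2014:03:42:10 +0800] "POST /upload/seay.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
66.249.66.1 - - [05/Mar/2014:08:55:41 +0800] "GET / HTTP/1.1" 302 0 "-" "Googlebot/2.1"
198.51.100.9 - - [05/Mar/2014:09:05:00 +0800] "GET /upload/seay.php HTTP/1.1" 200 35 "-" "curl/7.30"
EOF
    echo "$f"
}

# backdoor_hits LOG NAME: every request whose path's last segment is NAME
# (query string ignored), printed as "IP TIME PATH" in log order.
backdoor_hits() {
    awk -v name="$2" '{
        p = $7; sub(/\?.*/, "", p)          # drop the query string
        n = split(p, seg, "/")
        if (seg[n] == name) print $1, substr($4, 2), $7
    }' "$1"
}

# first_hit LOG NAME: the earliest request for NAME, i.e. the intrusion time
# and IP, independent of whether the attacker reset the file's mtime.
first_hit() {
    backdoor_hits "$1" "$2" | head -n 1
}

# suspects LOG NAME: distinct IPs that requested NAME, busiest first.
suspects() {
    backdoor_hits "$1" "$2" | awk '{ c[$1]++ } END { for (ip in c) print c[ip], ip }' | sort -rn
}

# ip_timeline LOG IP: everything that IP did, as "TIME METHOD PATH" in order.
# Read it backwards from the first backdoor hit to find the entry vector.
ip_timeline() {
    awk -v ip="$2" '$1 == ip { print substr($4, 2), substr($6, 2), $7 }' "$1"
}
```

On the demo log, `first_hit "$log" seay.php` gives `203.0.113.7 05/Mar/2014:03:41:30 /upload/seay.php`, and `ip_timeline "$log" 203.0.113.7` shows the `POST /admin/upload.php` 25 seconds before the first shell request, which is the upload vulnerability the report should point at. The second IP that fetched the shell only appears in `suspects`; the page's advice to key on the backdoor name rather than the mtime is what surfaces it. On a real log, check `awk '{print $7}'` on one line first to confirm the field layout before trusting the output.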
