2023 network protection diary sharing (network protection work content, network protection events, alarm traffic analysis)

2023 Network Protection Diary

1. Monitoring equipment

2. Work content

3. Security incidents

1) Troubleshooting of compromised hosts
2) Backdoor website repair
4. Alarm traffic analysis
1) Information Leakage
2) SQL injection
3) File upload
4) XSS (cross-site scripting)
5) Code Execution
This year’s “HW” operation officially started recruitment!
Generally speaking, when you are sitting in front of the computer everything is calm, and only a few alerts pop up from time to time.
But the moment it's time to change shifts or go to the bathroom, hundreds of alerts suddenly appear.

I once wondered whether our camera had been hacked and started attacking as soon as it saw me leave.

If you ask me what the biggest achievement of this year's HW was, I will definitely say: I gained a strong bladder!!!

1. Monitoring equipment
First, the equipment. Two main security products were used in this HW operation: Tianyan (Sky Eye) and Jiaotu.

Tianyan (Sky Eye) is responsible for traffic analysis. It is deployed out of band (bypass mode) to monitor, analyse and trace the traffic mirrored from the switch.

Jiaotu is responsible for host protection on the servers. Through the agent installed on each server, it sends the collected host information to the control centre for centralised analysis.

2. Work content
The defending side is divided into three groups: the security monitoring group, the incident analysis (research and judgment) group, and the emergency response (disposal) group.
1) The monitoring group analyses the alarms from the security equipment. If an alarm is confirmed as an attack, it is submitted to the disposal group to block the IP address; if it cannot be judged, it is submitted to the research and judgment group for analysis.
2) The research and judgment group decides whether an alarm submitted by the monitoring group is a real attack. If necessary, it can visit the victim website to reproduce the attack, or contact the person in charge of the victim website to verify whether it was normal business or a manual operation.
3) The disposal group is mainly responsible for blocking IPs. For a webshell attack, it also contacts the person in charge of the victim website to help repair the vulnerability or harden the website.

The three groups coordinate their defence through the command and dispatch management system:
The first thing everyone does at work is log in to the management system. The monitoring group submits the attacker/victim IP, the alarm type and the payload; when the disposal group or the research and judgment group sees a new alarm in the management system, it blocks the IP or analyses the event.

In principle, as the security monitoring group I only need to keep an eye on the security equipment, do a brief analysis and submit alarms.
Since I am the only one here from our company, I get called over whenever anything related to our products comes up.
So besides device monitoring, my work also includes, but is not limited to: analysing webshell files, analysing virus and Trojan files, upgrading/hardening the security products, running backdoor scans and virus removal on compromised hosts, and helping repair and harden compromised websites...

3. Security Incidents
Well, leaving aside the toilet, let’s share a few attack incidents that left a deep impression:

1) Troubleshooting of compromised hosts
Qingteng Cloud's honeypot detected that a user's computer had accessed port 80 of the honeypot. The user disconnected from the Internet, scanned with 360 and Huorong (Tinder), removed three viruses and went back online, but the honeypot was triggered again. The user scanned again with 360 and Huorong but found nothing, so he called me over to handle it.

I was confused at the time: is this what I am supposed to do as a security monitor?
But I couldn't stand a group of people staring at me, so I had to bite the bullet and do it.

First, I scanned for webshells and backdoor files with Jiaotu.
After confirming there was no backdoor, I scanned the whole machine with a dedicated removal tool and found 7 viruses.
I submitted them to the TI Threat Intelligence Center for identification, which rated them as high-risk.
Then I passed them to the second line for virus analysis, which confirmed a remote-control Trojan, matching the alarm that had triggered the honeypot.
Finally, I removed the virus and brought the machine back online, and no further anomalies occurred.

2) Backdoor website repair
Jiaotu detected the existence of a webshell on a server, notified the user to urgently offline the website, and started troubleshooting and reinforcement.

A group of people gathered around and analyzed the situation for a long time, and then threw the matter to me as a matter of course: "Of course you have to deal with your equipment~"

As usual, I first scanned for webshells and backdoors with Jiaotu, and found a webshell in the Temp directory.
After checking with the user's developer, it was confirmed that it was not a business file: someone had uploaded it.
So I deleted the webshell, removed all user permissions on the Temp directory, and enabled full protection for this server in Jiaotu (by default it only detects and does not block).
The developer also temporarily disabled the upload function, and then we prepared to bring the site back online.

As a result, after going back online, the website could not be accessed...

After redeploying the project n times and switching to two backup servers, it was six in the morning, still three hours before the stipulated go-live time.
"If nothing else works, let's just write a static homepage that redirects to 404, with every function you click redirecting to 404. At least for a while they won't suspect it's our problem, and we can spend more time troubleshooting."
The corners of the developer's mouth slowly rose, and the light in his empty eyes came back on.

Unfortunately, these words were overheard by the project manager. Amid the manager's condemnation, I watched the developer's eyes slowly dim until only two black eye sockets were left.

Maybe it was because I didn't go to the bathroom all night. When I switched to the third backup server, the website was finally restored.

Afterwards, I asked the development team: "Why didn't your operation and maintenance team come over?"

"I am operations and maintenance."

"What about development?"

"Development is me too."

"???, then, your project team..."

"Only myself~"

4. Alarm traffic analysis
On average, there are more than 3,000 alarms a day, but most of them are false alarms. Next, I will share some simple alarm traffic characteristics.

1) Information leakage
Check whether the access path contains special files or paths.
For example, a request for a backup archive (.zip), for a default file, or for a special file type.

With the customer's authorisation, the path can be requested and the response checked for sensitive information, which tells you whether the attack succeeded.

2) SQL injection
Check whether the request parameters, request headers or request body contain SQL statements or keywords.

For example, a GET request containing a SQL statement (union query injection), a request header containing a SQL statement, or a POST request body containing a SQL statement.
To evade detection, attackers also vary the case of SQL keywords (case bypass) or encode them (encoding bypass).

With the customer's authorisation, the payload can be replayed; the page's response content and response time show whether the injection succeeded.

3) File upload
Check whether the request body contains code.
If the response body contains the word "success" (or an equivalent success message), or the access log shows a request for the uploaded file, the webshell upload succeeded.

4) XSS (cross-site scripting)
Check whether the request parameters or request body contain JavaScript code.
Copy the response body into a file and open it; if a pop-up window appears, the attack succeeded.
If there is no pop-up, use Ctrl+F to search the response for JS code (the common patterns were shown in a screenshot that is not preserved here).
5) Code execution
Check whether the request parameters, request headers or request body contain malicious code.

For example: a request body containing PHP code; Dedecms V5.7 backend arbitrary code execution; a Fastjson deserialization attack; ThinkPHP 5.0.x–5.1 remote code execution.
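As an added example (not code from this post, and not part of Tianyan or Jiaotu), the Python script below turns the five checks in this section into a small triage function: information leakage from the request path, SQL keywords after case and URL-decoding normalisation, code inside a multipart upload body, JavaScript in parameters or body, and PHP code or a Fastjson autotype key as code-execution indicators. It also implements the upload success criterion from the file upload check (a "success" response or an access-log record of the uploaded file). The request records, log lines, regular expressions and the Fastjson class name are all constructed for this example.

```python
"""Alert triage helper following the five alarm-traffic checks in this section.
Added example, not code from the post and not part of Tianyan or Jiaotu.
All request records, log lines and the Fastjson class name are constructed placeholders."""
import re
from typing import Dict, List
from urllib.parse import unquote_plus

# 1) Information leakage: backup archives, repository/config files, special file types.
LEAK_PATTERN = re.compile(
    r"\.(zip|rar|7z|tar|gz|bak|sql|old)$|/(\.git|\.svn|\.env)(/|$)|/(web\.config|phpinfo\.php)$",
    re.IGNORECASE,
)
# 2) SQL keywords; input is URL-decoded and lower-cased first, so "UnIoN SeLeCt"
#    and "%55NION%20%53ELECT" both hit the same rule.
SQL_PATTERN = re.compile(
    r"\b(union\s+(all\s+)?select|select\s+.+\s+from|sleep\s*\(|benchmark\s*\("
    r"|information_schema|or\s+1\s*=\s*1|extractvalue\s*\(|updatexml\s*\()",
    re.IGNORECASE,
)
# 3) File upload: server-side code markers inside a multipart body.
UPLOAD_CODE_PATTERN = re.compile(r"<\?php|<%\s*@|<jsp:|\beval\s*\(|\bassert\s*\(", re.IGNORECASE)
# 4) XSS: JavaScript markers in parameters or body.
XSS_PATTERN = re.compile(r"<script\b|javascript:|\bon(error|load|mouseover|focus)\s*=|<svg\b", re.IGNORECASE)
# 5) Code execution: PHP code, shell-function calls, Fastjson autotype key.
CODE_EXEC_PATTERN = re.compile(r"<\?php|\b(system|exec|passthru|shell_exec)\s*\(|\"@type\"\s*:", re.IGNORECASE)


def normalise(text: str) -> str:
    """URL-decode (twice, to handle double encoding), collapse whitespace, lower-case."""
    decoded = text
    for _ in range(2):
        step = unquote_plus(decoded)
        if step == decoded:
            break
        decoded = step
    return re.sub(r"\s+", " ", decoded).lower()


def triage(req: Dict) -> List[str]:
    """Return the alarm categories a request record matches (empty list = likely benign)."""
    path = normalise(req.get("path", ""))
    params = normalise(req.get("query", ""))
    headers = normalise(" ".join(f"{k}: {v}" for k, v in req.get("headers", {}).items()))
    body = normalise(req.get("body", ""))
    surface = " ".join([params, headers, body])  # where the post looks for SQL and code
    findings: List[str] = []
    if LEAK_PATTERN.search(path):
        findings.append("information_leakage")
    if SQL_PATTERN.search(surface):
        findings.append("sql_injection")
    is_upload = req.get("method", "").lower() == "post" and "multipart/form-data" in headers
    # Code carried in an upload body is reported once, as a file-upload alarm.
    if is_upload and UPLOAD_CODE_PATTERN.search(body):
        findings.append("file_upload")
    elif CODE_EXEC_PATTERN.search(surface):
        findings.append("code_execution")
    if XSS_PATTERN.search(params + " " + body):
        findings.append("xss")
    return findings


def upload_confirmed(response_body: str, uploaded_name: str, access_log: List[str]) -> bool:
    """Success criteria for an upload alarm: the response says "success",
    or the access log already shows a request for the uploaded file."""
    if "success" in response_body.lower():
        return True
    return any(uploaded_name in line for line in access_log)


# Constructed request records: one per check, two SQL evasion variants, one benign control.
SAMPLE_REQUESTS = [
    {"name": "backup_file", "method": "GET", "path": "/www.zip", "query": "", "headers": {}, "body": ""},
    {"name": "union_mixed_case", "method": "GET", "path": "/news.php",
     "query": "id=1 UnIoN SeLeCt 1,2,3", "headers": {}, "body": ""},
    {"name": "union_url_encoded", "method": "GET", "path": "/news.php",
     "query": "id=1%20%55NION%20%53ELECT%201%2C2", "headers": {}, "body": ""},
    {"name": "sql_in_header", "method": "GET", "path": "/", "query": "",
     "headers": {"X-Forwarded-For": "1' or 1=1 -- "}, "body": ""},
    {"name": "webshell_upload", "method": "POST", "path": "/upload.php", "query": "",
     "headers": {"Content-Type": "multipart/form-data; boundary=xyz"},
     "body": '--xyz\r\nContent-Disposition: form-data; name="file"; filename="a.php"\r\n\r\n<?php echo "ok"; ?>\r\n--xyz--'},
    {"name": "xss_param", "method": "GET", "path": "/search", "query": "q=<script>alert(1)</script>",
     "headers": {}, "body": ""},
    {"name": "fastjson_body", "method": "POST", "path": "/api/user", "query": "",
     "headers": {"Content-Type": "application/json"},
     "body": '{"@type":"example.PlaceholderClass","id":1}'},  # placeholder class name
    {"name": "benign", "method": "GET", "path": "/index.html", "query": "page=2",
     "headers": {"User-Agent": "Mozilla/5.0"}, "body": ""},
]


def triage_samples() -> Dict[str, List[str]]:
    """Run triage over the constructed samples, keyed by sample name."""
    return {r["name"]: triage(r) for r in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for name, findings in triage_samples().items():
        print(f"{name:20s} -> {findings or ['no alarm']}")
```

The decode-then-match step in `normalise` is what makes the case-bypass and encoding-bypass variants from the SQL injection check land on the same rule; a matcher that runs on the raw request line misses both. The categories returned are only a first-pass label for the monitoring group: as the post says, whether an alarm is a real attack is still decided by replaying it with authorisation or confirming it with the site owner.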

Origin blog.csdn.net/HUANGXIN9898/article/details/132801968