Some common approaches to attack source tracing

0x0 background

Attack source tracing (溯源) is an important part of post-incident security response: from the compromised assets and the network traffic, the analyst reconstructs who the attacker was and which path they took. To some extent this helps close the vulnerabilities that were actually used and avoids the risk of a repeat incident. Knowledge of how attacks happen can be converted into a defensive advantage: if we can be proactive and predict what the attacker will do next, the consequences are much easier to control.

In plain terms: if you were hacked, you must know how you were hacked; you cannot leave it unexplained.

 

0x1 Overall approach

Apart from the specific technical means used during tracing, you first need to settle on an overall line of thinking. Starting from the observed anomaly, list several possible explanations that fit the actual environment; then the investigation proceeds from hypotheses to evidence, which keeps your mind calm and your hands steady.

Typical anomalies that users notice on their own include:

  1. Web pages tampered with, hidden SEO ("black hat") links injected, web files missing, and so on.
  2. Database tampered with, the web application behaving abnormally or becoming unavailable, web user passwords changed.
  3. The host behaving abnormally: sluggish, files encrypted, unknown user accounts appearing on the host, and so on.
  4. Large volumes of abnormal traffic from the host at the network layer.

Based on the situation on site, you usually need to gather some information from the user: the time the anomaly appeared (very important), the main business the affected server carries, where it sits in the network topology (for example whether it is in the DMZ), whether it is reachable from the public Internet, which ports are open, whether patches have been applied, which web technology stack it uses, whether anything was changed recently, whether there are security devices in front of it, and so on.

From the gathered information you can usually form several hypotheses. For example: a web server that is reachable from the public Internet, runs the Struts2 framework and suddenly shows injected SEO links is initially suspected of an S2-045 / S2-046 class command-execution vulnerability; a public-facing server with no patches installed, no firewall protection and an administrator password of P@ssw0rd has very likely been brute-forced. The main work afterwards is to collect every kind of evidence that confirms or refutes these conjectures.

0x2 Web systems

Last time I deployed a web application on a VPS and looked at the backend access log, there were many scanning events basically every day: path probing, exploit probes, directory traversal, all of it; picking the real attacks out of that noise is a headache.

For web security incidents you can usually find some clues in the web logs; after all, not every attacker bothers to clear them.

Log locations of several common middleware:

  1. Apache: the log path is generally set in httpd.conf, or found under /var/log/httpd (/var/log/apache2 on Debian-based systems).
  2. IIS: by default in the LogFiles directory under the system directory (%SystemRoot%\System32\LogFiles on older versions; newer versions default to %SystemDrive%\inetpub\logs\LogFiles).
  3. Tomcat: generally in the logs folder under the Tomcat installation directory.
  4. Nginx: the log path is generally set in nginx.conf or in the vhost configuration file.

Logs are generally named by date, which makes follow-up auditing and analysis by security personnel easier.

As the saying goes, 工欲善其事必先利其器 (to do a good job, one must first sharpen one's tools), and the logs are generally large. There are many log inspection tools on the Internet; personally I do not like to use them and mainly rely on Notepad++ and Sublime Text. Following the information collected, such as the time of the anomaly, I analyze the request log before and after that point in time and can generally find something abnormal.

To make identifying things in the logs easier, there are many open-source projects on GitHub dedicated to finding security-related attacks in logs or producing statistics. Because scanners are so numerous, one pass will often surface a large number of ineffective attacks, and filtering them out is tedious.

A small tool I recommend: web-log-parser, an open-source web log analysis tool written in Python with flexible log format configuration. There are many other excellent projects; each to their own taste, and writing your own is also an option.

Link: https://github.com/JeffXue/web-log-parser

When working through the access log, it helps to collect the time pages changed, the upload paths, the source IPs and the like. By identifying certain critical paths and combining them with the information gathered, you can often locate the entry point.

Some common entry points:

  1. Exploits for certain CMS and frameworks, such as command execution in Discuz, EmpireCMS or Spring; logic flaws such as permission bypass are also common. Many of these exploits are public, so they cover a wide range of targets.
  2. Upload vulnerabilities in rich-text editors, such as the well-known FCKeditor and UEditor.
  3. Upload functions whose filtering is not strict, such as image upload or data import interfaces that let an attacker upload a script.
  4. Weak passwords: weak admin or user passwords in the web application, weak Tomcat manager passwords, weak Axis2 passwords, weak Openfire passwords, and so on.

Webshells are often easier to find on web systems: look in the upload directories for them, and a site that is clearly JSP-based but suddenly contains a PHP one-liner shell deserves particular attention. It is recommended to scan the web directory with D盾 (D Shield).

The upload time reported by the scan, the file creation time and the file modification time of a webshell tend to be fairly accurate; attackers generally do not bother to change them, so they make it relatively easy to go back to the logs and investigate.
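The triage described above, as an added example that is not code from the original post or from the web-log-parser project: given the time the user reported the anomaly, it parses Apache/Nginx combined-format lines, keeps only requests within a window around that time, flags requests matching the entry points listed above (editor upload endpoints, scripts dropped in upload directories, path traversal, Struts2/OGNL payloads, admin logins) and groups the hits by source IP, which is what leads from a webshell timestamp back to the first request that planted it. The sample log lines, the incident time and the indicator names are all constructed for this example.

```python
"""Triage a web access log around the reported incident time.

Added example, not code from the original post or from web-log-parser.
It parses Apache/Nginx "combined" log lines, keeps requests inside a
window around the anomaly time the user reported, flags requests that
match the entry points discussed above, and groups the hits by source
IP. The log lines and the indicator names are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/Nginx "combined" format: ip ident user [time] "req" status size "ref" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# Indicators for the entry points discussed in the post (assumed, illustrative).
SUSPICIOUS = {
    "traversal": re.compile(r"\.\./|%2e%2e%2f", re.I),
    "editor_upload": re.compile(r"(fckeditor|ueditor).*upload", re.I),
    "script_in_upload_dir": re.compile(r"/upload[^ ]*\.(php|jsp|jspx|asp|aspx)\b", re.I),
    "struts_ognl": re.compile(r"%23|%24%7B|\$\{|#_memberAccess|redirect:", re.I),
    "admin_login": re.compile(r"/(admin|manager/html)\b", re.I),
}


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def flag(rec):
    """Return the sorted names of every indicator the request path matches."""
    return sorted(name for name, rx in SUSPICIOUS.items() if rx.search(rec["path"]))


def triage(lines, incident_time, window):
    """Return {ip: [(time, method, path, status, tags), ...]} for flagged
    requests within +/- window of incident_time, in log order."""
    lo, hi = incident_time - window, incident_time + window
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not (lo <= rec["time"] <= hi):
            continue
        tags = flag(rec)
        if tags:
            hits[rec["ip"]].append(
                (rec["time"], rec["method"], rec["path"], rec["status"], tags)
            )
    return dict(hits)


# Constructed sample log; the user reported the defacement at 02:15 (UTC+8).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jul/2019:02:11:05 +0800] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2019:02:11:09 +0800] "GET /ueditor/php/controller.php?action=uploadimage HTTP/1.1" 200 211 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2019:02:11:12 +0800] "POST /ueditor/php/controller.php?action=uploadfile HTTP/1.1" 200 98 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2019:02:11:20 +0800] "GET /ueditor/php/upload/file/20190710/shell.php HTTP/1.1" 200 33 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Jul/2019:02:12:40 +0800] "GET /index.action?redirect:%24%7B%23a%3D1%7D HTTP/1.1" 404 0 "-" "curl/7.64"
192.0.2.9 - - [09/Jul/2019:14:00:00 +0800] "GET /../../etc/passwd HTTP/1.1" 400 0 "-" "scanner"
192.0.2.55 - - [10/Jul/2019:02:30:00 +0800] "GET /about.html HTTP/1.1" 200 1400 "-" "Mozilla/5.0"
"""
INCIDENT_TIME = datetime(2019, 7, 10, 2, 15, tzinfo=timezone(timedelta(hours=8)))


def run_example():
    """Triage the sample log within one hour of the reported time."""
    return triage(SAMPLE_LOG.splitlines(), INCIDENT_TIME, timedelta(hours=1))


if __name__ == "__main__":
    for ip, reqs in run_example().items():
        print(ip)
        for t, method, path, status, tags in reqs:
            print(f"  {t:%H:%M:%S} {method} {path} {status} {tags}")
```

On the sample, the traversal probe from the previous day drops out because it is outside the window, the scanner noise is ignored, and what remains is the UEditor upload sequence from 203.0.113.7 ending in a GET of shell.php four minutes before the reported time. The window size is the knob to widen when the user's reported time is only approximate.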

 

0x3 Host systems

I used to imagine worms spreading in all sorts of clever ways; in reality most of them just rely on brute force and vulnerabilities like MS17-010. I assumed that accounted for a small share, but later found that the simplest, most brutal methods are the most effective.

Linux is supposedly the more secure platform, yet several common malware families such as XorDDoS, DDG and the XNote series also rely on brute force to spread, so brute force is an important consideration during tracing on Linux as well.

Some common log files:

/var/log/auth.log    system authorization information, including user logins and the authentication mechanisms used (Debian/Ubuntu)

/var/log/lastlog    the most recent login of each user; view it with the lastlog command

/var/log/secure    authentication attempts from most services (sshd, su, sudo) and whether they succeeded (RHEL/CentOS, the counterpart of auth.log)

/var/log/cron      whether crontab commands were executed correctly

Combined with the flexibility of grep, sed, sort and awk, paying attention to keywords such as Accepted, Failed password and Invalid user will usually turn up clues quickly.

Some attackers forget to clear the logs, which makes detailed review convenient. One history command and the attacker's operations are laid out at a glance.
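The keyword search above, carried out in code as an added example that is not from the original post: it reads sshd lines in the format found in /var/log/auth.log or /var/log/secure, counts Failed password attempts per source IP together with the user names tried, and reports every Accepted login whose source had already failed at least a threshold number of times, which is the footprint a brute-force worm leaves once it gets in. The sample lines, the host name and the threshold are constructed.

```python
"""Find SSH brute force that ended in a successful login.

Added example, not code from the original post. It reads sshd lines in
the format written to /var/log/auth.log (Debian/Ubuntu) or
/var/log/secure (RHEL/CentOS), counts "Failed password" attempts per
source IP with the user names tried, and reports every "Accepted" login
whose source IP had already failed at least `threshold` times.
The sample lines and the threshold are constructed for this example.
"""
import re
from collections import defaultdict

# sshd message formats; the "invalid user" prefix is optional. The separate
# "Invalid user X from IP" line is deliberately not counted, since sshd also
# logs a "Failed password for invalid user X" line for the same attempt.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+)"
)


def analyze(lines, threshold=5):
    """Return failure counts per IP and the logins that followed a burst of failures.

    Lines are processed in file order, so an Accepted line only counts the
    failures logged before it."""
    failures = defaultdict(int)
    users_tried = defaultdict(set)
    suspicious = []
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            failures[m["ip"]] += 1
            users_tried[m["ip"]].add(m["user"])
            continue
        m = ACCEPTED_RE.search(line)
        if m and failures.get(m["ip"], 0) >= threshold:
            suspicious.append({
                "ip": m["ip"],
                "user": m["user"],
                # password vs publickey matters: a key-based login right after a
                # spray suggests a key was planted some other way (e.g. via Redis).
                "method": m["method"],
                "failures_before": failures[m["ip"]],
                "users_tried": sorted(users_tried[m["ip"]]),
                "line": line.strip(),
            })
    return {"failures": dict(failures), "suspicious_logins": suspicious}


# Constructed sample in the format of /var/log/auth.log.
SAMPLE_LOG = """\
Jul 10 02:03:11 web1 sshd[2201]: Invalid user admin from 203.0.113.7 port 51122
Jul 10 02:03:11 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Jul 10 02:03:13 web1 sshd[2203]: Failed password for invalid user oracle from 203.0.113.7 port 51130 ssh2
Jul 10 02:03:15 web1 sshd[2205]: Failed password for root from 203.0.113.7 port 51138 ssh2
Jul 10 02:03:17 web1 sshd[2207]: Failed password for root from 203.0.113.7 port 51144 ssh2
Jul 10 02:03:19 web1 sshd[2209]: Failed password for root from 203.0.113.7 port 51150 ssh2
Jul 10 02:03:21 web1 sshd[2211]: Accepted password for root from 203.0.113.7 port 51156 ssh2
Jul 10 02:03:21 web1 sshd[2211]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jul 10 08:15:02 web1 sshd[3310]: Failed password for alice from 10.0.0.5 port 40012 ssh2
Jul 10 08:15:09 web1 sshd[3312]: Accepted publickey for alice from 10.0.0.5 port 40020 ssh2: RSA SHA256:k3y
Jul 10 09:00:00 web1 CRON[3400]: (root) CMD (run-parts /etc/cron.hourly)
"""


def run_example():
    return analyze(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    result = run_example()
    print("failures per source:", result["failures"])
    for s in result["suspicious_logins"]:
        print(f"{s['ip']} logged in as {s['user']} via {s['method']} "
              f"after {s['failures_before']} failures trying {s['users_tried']}")
```

The same pattern with `grep -E 'Failed password|Accepted' /var/log/auth.log | awk '{print $(NF-3)}' | sort | uniq -c | sort -rn` gives the per-IP counts in one line, but correlating the Accepted line with the failures that preceded it is where a small script pays off.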

Of course, some scripts clear the logs as their last step, which raises the difficulty; but a cleared log is itself an abnormal signal. Focus on the logs that remain, and check whether there are other security devices at the network level that allow tracing at the traffic layer.

Linux's "everything is a file" philosophy and open-source nature cut both ways during tracing; rootkits are the most troublesome case. Once commonly used system commands have been replaced, the system itself can no longer be trusted, and this is not easy to notice during the investigation; it places high technical demands on the security personnel.

Windows is relatively easier. Tracing mainly relies on the Windows event logs, generally opened in Event Viewer with the eventvwr command. By default they are divided into three categories, Application, Security and System, stored as .evt files under %SystemRoot%\System32\config (on modern versions, as .evtx files under %SystemRoot%\System32\winevt\Logs).

Sensible use of filters often helps troubleshooting. For a suspected brute-force intrusion, filter the audit-failure records with Event ID 4625, then investigate the time, the source IP address, and the type and frequency of the attempts to determine whether the brute force came from inside the network.

The system logs can likewise be used to determine whether a malicious process was running.

The LogonType value in the event confirms which protocol the successful brute force came through. The mapping is:

LogonType 2     Interactive (local console logon)

LogonType 7     Unlock (workstation unlock)

LogonType 10    RemoteInteractive (RDP)

LogonType 3     Network (SMB and other network logons)

A typical SMB brute-force attempt therefore shows up as a 4625 audit failure with LogonType 3, and an RDP attempt as LogonType 10.

Patching matters more on Windows than on other platforms; a missing key patch makes a successful attack very easy. Focus on the commonly abused ones such as MS17-010, MS08-067 and MS16-032, which are the usual exploit packs in internal-network penetration. The patches currently installed on the system can be listed with systeminfo.

Windows also carries many security logs on the domain controller; there is too much content to cover here. Tracing mainly aims to reconstruct the attack path, understand from the Windows logs how the attacker moved through the attack chain, and give the user an adequate explanation.

 

0x4 Other commonly used systems

Some database systems are also heavily hit entry points. Take MSSQL Server: after installation in a Windows environment it tends to run with high privileges, users often do not harden it after installing, many deployments do not separate the database from the web tier, and MSSQL reachable directly from the public Internet with weak access control is common, so the weak-password problem is especially prominent.

For example, MSSQL logs brute-force attempts against the sa user and records the client IP address; without a password lockout policy the sa account is easily compromised.

After a successful brute force the attacker can often enable xp_cmdshell to execute system commands with elevated privileges, obtain a Windows shell, and do whatever they want.

On Linux, Redis is very popular, and the unauthenticated-access problem in its default installation has been widely exploited for several years. Recently popular miners such as DDG and WatchDog mainly use Redis unauthenticated access to execute commands, pull a mining program from the Internet and write an SSH public key.

When you see port 6379 open on the host, pay attention to this issue, and advise the user to review the default configuration.
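The configuration review suggested above, as an added example that is not code from the original post: Redis with no `bind` restriction, no `requirepass` and `protected-mode no` can be reached from the Internet and driven with CONFIG SET dir/dbfilename plus SAVE to drop a file (such as an SSH public key) anywhere the redis user can write, which is how the miners mentioned above spread. The function parses the directives that matter and returns findings; the weak and hardened configuration texts are constructed for the example, and the 16-character password threshold is an arbitrary assumption.

```python
"""Audit a redis.conf for the settings behind "unauthenticated access".

Added example, not code from the original post. The two configuration
texts are constructed: one resembles an exposed default-style install,
the other the same instance locked down.
"""
import shlex


def parse_redis_conf(text):
    """Return {directive: args}; keeps the last value of each directive and
    every rename-command line (as a list of arg lists)."""
    conf = {}
    renamed = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        key, args = parts[0].lower(), parts[1:]
        if key == "rename-command":
            renamed.append(args)
        else:
            conf[key] = args
    conf["rename-command"] = renamed
    return conf


def audit_redis_conf(text):
    """Return a list of (directive, finding) for weak settings."""
    conf = parse_redis_conf(text)
    findings = []
    bind = conf.get("bind", [])
    if not bind or any(a in ("0.0.0.0", "*", "::") for a in bind):
        findings.append(("bind", "listens on all interfaces; bind to 127.0.0.1 or an internal address"))
    password = conf.get("requirepass", [])
    if not password or not password[0]:
        findings.append(("requirepass", "no password; set a long random requirepass"))
    elif len(password[0]) < 16:   # assumed threshold for this example
        findings.append(("requirepass", "short password; brute force over 6379 is fast"))
    if (conf.get("protected-mode") or ["yes"])[0].lower() == "no":
        findings.append(("protected-mode", "disabled; re-enable so an unbound, unauthenticated instance refuses remote clients"))
    renamed = {args[0].upper() for args in conf["rename-command"] if args}
    if "CONFIG" not in renamed:
        findings.append(("rename-command", "CONFIG is reachable; rename or disable it so dir/dbfilename cannot be changed"))
    return findings


# Constructed: the shape of an exposed install that a miner can drive.
WEAK_CONF = """\
port 6379
daemonize yes
dir /var/lib/redis
protected-mode no
"""

# Constructed: the same instance locked down.
HARDENED_CONF = """\
port 6379
bind 127.0.0.1
protected-mode yes
requirepass 9f2c1d0b7a6e4c3b8d5f1e2a4c6b8d0e
rename-command CONFIG ""
rename-command FLUSHALL ""
dir /var/lib/redis
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, "->", audit_redis_conf(text) or "no findings")
```

On a live host, read the path shown in `ps -ef | grep redis-server` rather than assuming /etc/redis.conf; an instance started without a config file has none of these directives at all, and the audit correctly reports every one of them.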

Other common entry points include MySQL brute force followed by privilege escalation, Hadoop unauthenticated access, phishing, backdoored cracked software, malicious Office macros, Office code-execution vulnerabilities, mailbox weaknesses and VPN configuration defects; which of them applies depends on the user's situation and requires specific investigation.

0x5 Summary

Finally, security is essentially a contest between people. Directed attacks are probably the more interesting incidents to investigate: the host logs wiped, the traffic layer tunnelled from end to end, ha ha.

From the offense-and-defense perspective, build a mental model of the attacker during incident response: think about the techniques attackers commonly use, the vulnerabilities and attack methods they favor, then verify against the data, without limiting yourself to known vulnerabilities. If we can be proactive and predictive, we are better able to control the consequences, and the process can even turn up a 0day or two as a pleasant surprise.


Source: blog.csdn.net/momo_sleet/article/details/95737288