Hackers and servers: how to find the source of an attack from Web server logs

Published: Saturday, 12 September 2009. Views: 12. Comments: 0
From: School of Information
Abstract: This article mainly describes how to analyze Web server logs …

Nowadays … Web servers … Web service is the most widely provided … on the Internet …

1. Defaults

For IIS … Apache …

2. Gathering information

We simulate a hacker attacking the server …

```text
C:>nc -n 10.22.1.100 80
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Server: Microsoft-IIS/4.0
Date: Sun, 08 Oct 2002 14:31:00 GMT
Content-Type: text/html
Set-Cookie: ASPSESSIONIDGQQQQQPA=IHOJAGJDECOLLGIBNKMCEEED; path=/
Cache-control: private
```

In IIS and Apache … the request is recorded as follows.

IIS:

```text
15:08:44 10.22.1.80 HEAD /Default.asp 200
```

Linux (Apache):

```text
10.22.1.80- - [08/Oct/2002:15:56:39 -0700] "HEAD / HTTP/1.0" 200 0
```

The above …

3. Web site mirroring

Hackers often mirror … Below we look at what appears in the server log after these two tools are used …

```text
16:28:52 10.22.1.80 GET /Default.asp 200
16:28:52 10.22.1.80 GET /robots.txt 404
16:28:52 10.22.1.80 GET /header_protecting_your_privacy.g
16:28:52 10.22.1.80 GET /header_fec_reqs.g
16:28:55 10.22.1.80 GET /photo_contribs_sidebar.jpg 200
16:28:55 10.22.1.80 GET /g2klogo_white_bgd.g
16:28:55 10.22.1.80 GET /header_contribute_on_line.g
16:49:01 10.22.1.81 GET /Default.asp 200
16:49:01 10.22.1.81 GET /robots.txt 404
16:49:01 10.22.1.81 GET /header_contribute_on_line.g
16:49:01 10.22.1.81 GET /g2klogo_white_bgd.g
16:49:01 10.22.1.81 GET /photo_contribs_sidebar.jpg 200
16:49:01 10.22.1.81 GET /header_fec_reqs.g
16:49:01 10.22.1.81 GET /header_protecting_your_privacy.g
```

10.22.1.80 is the one using Wget …

4. Vulnerability scanning

As attacks …

IIS:

```text
12:07:56 10.22.1.81 GET /SiteServer/Publishing/viewcode.asp 404
12:07:56 10.22.1.81 GET /msadc/samples/adctest.asp 200
12:07:56 10.22.1.81 GET /advworks/equipment/catalog_type.asp 404
12:07:56 10.22.1.81 GET /iisadmpwd/aexp4b.htr 200
12:07:56 10.22.1.81 HEAD /scripts/samples/details.idc 200
12:07:56 10.22.1.81 GET /scripts/samples/details.idc 200
12:07:56 10.22.1.81 HEAD /scripts/samples/ctguestb.idc 200
12:07:56 10.22.1.81 GET /scripts/samples/ctguestb.idc 200
12:07:56 10.22.1.81 HEAD /scripts/tools/
12:07:56 10.22.1.81 HEAD /msadc/msadcs.dll 200
12:07:56 10.22.1.81 GET /scripts/iisadmin/bdir.htr 200
12:07:56 10.22.1.81 HEAD /carbo.dll 404
12:07:56 10.22.1.81 HEAD /scripts/proxy/ 403
12:07:56 10.22.1.81 HEAD /scripts/proxy/w3proxy.dll 500
12:07:56 10.22.1.81 GET /scripts/proxy/w3proxy.dll 500
```

Apache:

```text
10.22.1.80-[08/Oct/2002:12:57:28 -0700] "GET /cfcache.map HTTP/1.0" 404 266
10.22.1.80-[08/Oct/2002:12:57:28 -0700] "GET /cfide/Administrator/startstop.html HTTP/1.0" 404 289
10.22.1.80-[08/Oct/2002:12:57:28 -0700] "GET /cfappman/index.cfm HTTP/1.0" 404 273
10.22.1.80-[08/Oct/2002:12:57:28 -0700] "GET /cgi-bin/ HTTP/1.0" 403 267
10.22.1.80-[08/Oct/2002:12:57:29 -0700] "GET /cgi-bin/dbmlparser.exe HTTP/1.0" 404 277
10.22.1.80-[08/Oct/2002:12:57:29 -0700] "HEAD /_vti_inf.html HTTP/1.0" 404 0
10.22.1.80-[08/Oct/2002:12:57:29 -0700] "HEAD /_vti_pvt/ HTTP/1.0" 404 0
10.22.1.80-[08/Oct/2002:12:57:29 -0700] "HEAD /cgi-bin/webdist.cgi HTTP/1.0" 404 0
10.22.1.80-[08/Oct/2002:12:57:29 -0700] "HEAD /cgi-bin/handler HTTP/1.0" 404 0
10.22.1.80-[08/Oct/2002:12:57:29 -0700] "HEAD /cgi-bin/wrap HTTP/1.0" 404 0
10.22.1.80-[08/Oct/2002:12:57:29 -0700] "HEAD /cgi-bin/pfdisplay.cgi HTTP/1.0" 404
```

To check for this kind of attack …

5. Remote attacks

Below, taking IIS as the target …

```text
17:48:49 10.22.1.80 GET /msadc/msadcs.dll 200
17:48:51 10.22.1.80 POST /msadc/msadcs.dll 200
```

After the attack has taken place … Another …

```text
17:50:13 10.22.1.81 GET /default.asp+.htr 200
```

For unauthorized access …

```text
[08/Oct/2002:18:58:29 -0700] "GET /private/ HTTP/1.0" 401 462
```

6. Summary

Administration … An IDS (intrusion detection system) can help you a great deal …