Anyone doing server administration ends up doing this kind of tracing sooner or later. If you are a webmaster, how do you trace the source of a problem? For application problems you check the Event Viewer; for an IIS problem you naturally read the IIS logs. The LogFiles directory under the system32 folder holds all the IIS logs, which record every access to the server. Because I am a virtual host user, each user is given a separate IIS log directory. The log files show how the intruder penetrated the BBS, so I downloaded all the logs for the relevant time period and analyzed them. I did not know much about it myself before, but now I know how the intruders broke into my BBS.
(Intrusion Log 1)
From the first day's log I could already see that an intruder had been lurking on my BBS for a long time. And there was more than one intruder; there were quite a few. The first day's IIS log is full of garbage records left by a program scanning for the admin backend.
Figure 1
Looking at the log above, the intruder at 61.145.***.*** was using a program to keep scanning for backend pages, apparently intending to use the backend login vulnerability to get into the BBS admin area. Unfortunately for the intruder, this seems to have gone nowhere: the program was only used to locate the backend and carried out no actual intrusion.
(Intrusion Log 2)
I checked the next day's log. At first there was nothing unusual, just normal user access records. Around the middle I found the problem: IIS records of a program being used to look for specific files.
Figure 2
From the above, the intruder at 61.141.***.*** was also using a program to scan for specific upload pages, checking whether those pages exist on the target before attempting to exploit the upload vulnerability. There was also scanning for the default Dvbbs (动网) database and for some commonly used Trojan (webshell) file names; it seems this intruder took my BBS for a "horse farm" (a site already full of Trojans) and hoped that scanning for so many Trojan files would turn up a miracle. Further down I finally found it: before defacing my website's pages, the intruder at 61.141.***.*** first created a Myth.txt file in the Forum folder directory, and then regenerated it in the same Forum directory into a Trojan, Akk.asp.
Figure 3
Next in the log I saw every operation the intruder performed through the akk.asp Trojan.
The intrusion in detail:
GET /forum/akk.asp - 200
Generated akk.asp in the Forum folder using a webshell backdoor on a neighbouring site on the same server (a "side-note" intrusion)
GET /forum/akk.asp d=ls.asp 200
Intruder logs into the backdoor
GET /forum/akk.asp d=ls.asp&path=/test&oldpath=&attrib= 200
Enters the test folder
GET /forum/akk.asp d=e.asp&path=/test/1.asp&attrib= 200
Uses the backdoor to edit the 1.asp file in the test folder
GET /forum/akk.asp d=ls.asp 200
GET /forum/akk.asp d=ls.asp&path=/lan&oldpath=&attrib= 200
Enters the lan folder
GET /forum/akk.asp d=e.asp&path=/lan/index.html&attrib= 200
Edits the home page file in the lan folder with the edit command
GET /forum/akk.asp d=ls.asp 200
GET /forum/akk.asp d=ls.asp&path=/forum&oldpath=&attrib= 200
Enters the forum folder (this is the real BBS directory)
POST /forum/akk.asp d=up.asp 200
GET /forum/akk.asp d=ls.asp&path=/forum&oldpath=&attrib= 200
GET /forum/myth.txt - 200
Uploads the myth.txt file to the forum folder
GET /forum/akk.asp d=ls.asp&path=/forum&oldpath=&attrib= 200
GET /forum/Akk.asp d=e.asp&path=/forum/myth.txt&op=del&attrib= 200
POST /forum/akk.asp d=up.asp 200
GET /forum/myth.txt - 200
Uses the backdoor to edit the myth.txt file in the Forum folder. Later, Ubb.asp was also created through the neighbouring site's webshell. The akk.asp backdoor was used to modify the front page, and the home page was backed up. I am dizzy; I do not understand what the intruder was after, fiddling with the webshell all day, but I really cannot figure it out.
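The two signals the article reads out of the logs by hand, a scan burst of probes for files that do not exist and the distinctive d=ls.asp / d=e.asp / d=up.asp dispatcher queries of the akk.asp backdoor, can be pulled out of an IIS W3C log automatically. The following is an added example, not the article's own tooling; the field layout and the sample lines (TEST-NET addresses, placeholder file names) are constructed for illustration.

```python
"""Flag webshell-dispatcher requests and scan bursts in IIS W3C logs.
Added example; the sample log below is constructed (TEST-NET addresses)."""
from collections import defaultdict
import re

# Constructed IIS 6 W3C extended log excerpt modelled on the article's records.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2005-01-02 10:00:01 192.0.2.10 GET /forum/upfile.asp - 404
2005-01-02 10:00:02 192.0.2.10 GET /forum/upload.asp - 404
2005-01-02 10:00:03 192.0.2.10 GET /forum/data/forum.mdb - 404
2005-01-02 10:00:04 192.0.2.10 GET /forum/akk.asp - 200
2005-01-02 10:00:05 192.0.2.10 GET /forum/akk.asp d=ls.asp 200
2005-01-02 10:00:06 192.0.2.10 GET /forum/akk.asp d=e.asp&path=/test/1.asp&attrib= 200
2005-01-02 10:00:07 192.0.2.10 POST /forum/akk.asp d=up.asp 200
2005-01-02 10:00:08 198.51.100.5 GET /forum/index.asp - 200
"""

# Query shape of the article's akk.asp backdoor: a dispatcher parameter
# d=<module>.asp (ls = list, e = edit, up = upload), plus path/op/attrib.
WEBSHELL_QUERY = re.compile(r"(^|&)d=(ls|e|up)\.asp(&|$)")

def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def find_webshell_hits(text):
    """Return (ip, method, uri-stem, query) for successful dispatcher-style requests."""
    return [(r["c-ip"], r["cs-method"], r["cs-uri-stem"], r["cs-uri-query"])
            for r in parse_w3c(text)
            if r["sc-status"] == "200" and WEBSHELL_QUERY.search(r["cs-uri-query"])]

def find_scanners(text, min_misses=3):
    """Map each client IP to the distinct paths it probed that returned 404,
    keeping only clients with at least min_misses such paths (a scan burst)."""
    misses = defaultdict(set)
    for r in parse_w3c(text):
        if r["sc-status"] == "404":
            misses[r["c-ip"]].add(r["cs-uri-stem"])
    return {ip: sorted(p) for ip, p in misses.items() if len(p) >= min_misses}

if __name__ == "__main__":
    print(find_webshell_hits(SAMPLE_LOG), find_scanners(SAMPLE_LOG))
```

On a real log, point parse_w3c at the contents of the per-site directory under system32\LogFiles and raise min_misses to suit the site's normal 404 rate.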
Log analysis summary:
The intruders started by using tools to scout the target: first they probed for vulnerable BBS pages, and when those tests found nothing they could exploit, they turned to the server itself, using a neighbouring-site ("side-note") program or a specific exploit program to break into another website on the same host and obtain an initial webshell, then crossed into my folder to break into my BBS system and modify the home page. Because this analysis is based only on the IIS log of my own space, it is not clear which website and which page the intruder used to get in. Still, the available data has been collected: the IP addresses of the intruders who attacked the BBS and the Trojan they used (written by Xiaolu) have been determined, and they left a large number of intrusion records behind. That completes the log tracing process. The technical content of this article is not high; I just hope it shows that intrusions leave traces and can be tracked.