How does Unix analyze the intruder's IP from the logs of the invaded system

2025-03-30 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

This article introduces how Unix administrators can work out an intruder's IP address from the logs of a compromised system. Many people run into exactly this situation when handling real incidents, so the editor will walk you through how to deal with it. I hope you read it carefully and take something away from it!

Although most intruders know how to use machines they have already compromised as a springboard for attacking your server, the target information gathering (exploratory scanning) they do before launching the actual attack often starts from their own workstations. This article describes how to analyze the logs of the invaded system to determine the intruder's IP.

1. messages

/var/adm is the Unix log directory (/var/log under Linux). Quite a few logs are kept there in plain ASCII text. Let us first look at the file messages, which records system-level information and is therefore also of interest to intruders. Much of what is logged here is useless for our purpose.

For example:

Apr 25 21:49:30 2000 Unix: Copyright (c) 1983-1997, Sun Microsystems, Inc.

Apr 25 21:49:30 2000 Unix: mem = 262144K (0x10000000)

These are copyright and hardware information records. By contrast:

Apr 29 19:06:47 www login[28845]: FAILED LOGIN 1 FROM xxx.xxx.xxx.xxx, User not known to the underlying authentication module

is a login failure record, and:

Apr 29 22:05:45 game PAM_pwdb[29509]: (login) session opened for user ncx by (uid=0)

is a session record. So the first step should be kill -HUP `cat /var/run/syslogd.pid` (of course, it is possible that the intruder has already done this for us ;-) so that we get no useful information at all).

You can find a large number of log audit and analysis tools or scripts at the following URL:

http://www.securityfocus.com/templates/tools_category.html?category=2&platform=&path=[%20auditing%20][%20log%20analysis%20]
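As an added example (not code from the article), the following Python script does the filtering described above for the messages file: it skips the copyright and hardware noise, keeps only the FAILED LOGIN records, extracts the source address from each, and counts attempts per source so the scanning host stands out. The sample lines are constructed, modelled on the records quoted above; the addresses come from the documentation ranges and the "FOR user," part is how newer login/PAM builds name the account, which the regex treats as optional.

```python
import re
from collections import Counter

# Constructed sample of /var/adm/messages (Linux: /var/log/messages) lines,
# modelled on the records quoted in the article; 192.0.2.x and 203.0.113.x
# are documentation address ranges, not real hosts.
SAMPLE_MESSAGES = """\
Apr 25 21:49:30 2000 Unix: Copyright (c) 1983-1997, Sun Microsystems, Inc.
Apr 25 21:49:30 2000 Unix: mem = 262144K (0x10000000)
Apr 29 19:06:47 www login[28845]: FAILED LOGIN 1 FROM 203.0.113.45 FOR root, User not known to the underlying authentication module
Apr 29 19:06:52 www login[28845]: FAILED LOGIN 2 FROM 203.0.113.45 FOR admin, User not known to the underlying authentication module
Apr 29 19:07:10 www login[28851]: FAILED LOGIN 1 FROM 192.0.2.10 FOR ncx, Authentication failure
Apr 29 22:05:45 game PAM_pwdb[29509]: (login) session opened for user ncx by (uid=0)
"""

# One "FAILED LOGIN" record: timestamp, host, pid, attempt number, source and
# (on newer login/PAM builds) the account name. Other records do not match.
FAILED_LOGIN_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+"
    r"login\s?\[(?P<pid>\d+)\]:\s+FAILED LOGIN (?P<attempt>\d+) FROM (?P<src>\S+)"
    r"(?: FOR (?P<user>[^,\s]+))?"
)


def parse_failed_logins(text):
    """Return one dict per FAILED LOGIN line; noise such as copyright,
    memory and session records is simply skipped."""
    records = []
    for line in text.splitlines():
        m = FAILED_LOGIN_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["attempt"] = int(rec["attempt"])
            records.append(rec)
    return records


def failed_logins_by_source(text):
    """Count failed logins per source address (Counter, so most_common() works)."""
    return Counter(r["src"] for r in parse_failed_logins(text))


def targeted_accounts(text, src):
    """Account names tried from one source, in log order, without repeats."""
    seen = []
    for r in parse_failed_logins(text):
        if r["src"] == src and r["user"] and r["user"] not in seen:
            seen.append(r["user"])
    return seen


if __name__ == "__main__":
    for src, n in failed_logins_by_source(SAMPLE_MESSAGES).most_common():
        accounts = ", ".join(targeted_accounts(SAMPLE_MESSAGES, src))
        print(f"{src:>16}  {n} failed login(s)  accounts tried: {accounts}")
```

Run it against a real file with `parse_failed_logins(open("/var/log/messages").read())`. Remember the caveat from the article: the address in these records may itself be a compromised springboard, and if syslogd was stopped before the scan the records will simply be absent, so an empty result is itself worth noting.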

2. wtmp and utmp logs, ftp log

In the /var/adm, /var/log or /etc directory you will find the files wtmp and utmp, which record when, and from which host, a user logged in over telnet. The oldest and most popular tool among hackers, zap2 (the compiled binary is usually called z2, or wipe), exists precisely to erase a user's login records from these two files. However, out of laziness or because of a poor network connection (an echo delay of more than 3 seconds is already painful, and I often see ten times that), many intruders never upload or compile it. All the administrator then needs is the lastlog command to obtain the source address of the intruder's last connection (of course, this address may itself be a springboard).

The ftp log is usually /var/log/xferlog, a text file that records in detail when a file was transferred over FTP, from where, the file name, and so on. However, because this log is so obvious, slightly smarter intruders rarely use FTP to transfer files; rcp is more common. Even so, you can run

# cat /var/log/xferlog | grep -v 202.106.147.

to check for addresses that should not appear.
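As an added example (not code from the article), this Python script performs the xferlog check from the grep command above, but a little more carefully: it parses each line into its fields, treats the site's own network as a proper CIDR range instead of a string prefix, and lists every transfer whose remote host falls outside it, separating uploads from downloads. The sample log is constructed in the wu-ftpd xferlog layout; 202.106.147.0/24 stands in for the site's own network from the article's grep example and the other addresses are documentation ranges.

```python
import ipaddress

# Constructed sample of a wu-ftpd style /var/log/xferlog (not from the article).
# Field order: date (5 tokens), transfer seconds, remote host, bytes, file name,
# transfer type (a/b), special action (_ C U T), direction (i upload, o download,
# d delete), access mode (a/g/r), username, service, auth method, auth user id,
# completion status (c/i). 202.106.147.0/24 plays the site's own network.
SAMPLE_XFERLOG = """\
Sat Apr 29 22:10:05 2000 3 203.0.113.45 10240 /home/ncx/backup.tgz b _ i r ncx ftp 0 * c
Sat Apr 29 22:12:31 2000 1 202.106.147.8 512 /pub/README a _ o a anonymous ftp 0 * c
Sat Apr 29 22:15:02 2000 12 203.0.113.45 40960 /home/ncx/data.tar b _ o r ncx ftp 0 * c
Sat Apr 29 22:20:44 2000 2 202.106.147.21 2048 /home/www/index.html a _ i r www ftp 0 * c
Sat Apr 29 22:25:00 2000 1 192.0.2.10 300 /home/ncx/my notes.txt a _ o r ncx ftp 0 * c
"""

TRAILING_FIELDS = ("type", "action", "direction", "mode", "user",
                   "service", "auth", "auth_user", "status")


def parse_xferlog(text):
    """Parse xferlog lines into dicts. The file name may contain spaces, so it
    is taken as everything between the byte count and the last nine fields."""
    records = []
    n_tail = len(TRAILING_FIELDS)
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 5 + 3 + 1 + n_tail:
            continue  # truncated or foreign line; leave it for manual review
        rec = {"time": " ".join(tok[:5]),
               "seconds": int(tok[5]), "host": tok[6], "bytes": int(tok[7]),
               "filename": " ".join(tok[8:-n_tail])}
        rec.update(zip(TRAILING_FIELDS, tok[-n_tail:]))
        records.append(rec)
    return records


def transfers_outside(text, trusted_networks=("202.106.147.0/24",)):
    """Transfers whose remote host is not inside a trusted network. Hosts that
    are not literal IPs (xferlog may log resolved names) cannot be matched
    against the networks, so they are flagged too."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    flagged = []
    for rec in parse_xferlog(text):
        try:
            addr = ipaddress.ip_address(rec["host"])
        except ValueError:
            flagged.append(rec)
            continue
        if not any(addr in net for net in nets):
            flagged.append(rec)
    return flagged


def uploads_by_host(text, trusted_networks=("202.106.147.0/24",)):
    """Uploads ('i') from outside the trusted networks, grouped by host: a file
    pushed onto the server is the more interesting direction."""
    out = {}
    for rec in transfers_outside(text, trusted_networks):
        if rec["direction"] == "i":
            out.setdefault(rec["host"], []).append(rec["filename"])
    return out


if __name__ == "__main__":
    for rec in transfers_outside(SAMPLE_XFERLOG):
        print(f"{rec['time']}  {rec['host']:>14}  {rec['direction']}  "
              f"{rec['user']:<10} {rec['filename']}")
    print("uploads from outside:", uploads_by_host(SAMPLE_XFERLOG))
```

Two things the plain `grep -v 202.106.147.` misses are handled here: the string can also occur inside a file name or match an unrelated address such as 202.106.1471 (the trailing dot in the pattern matches any character), and grep discards the whole line rather than telling you which direction the transfer went. wtmp and utmp, unlike xferlog, are binary files, so for those stick with the last and lastlog commands mentioned above.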

This concludes "How Unix analyzes the intruder's IP from the logs of the invaded system". Thank you for reading. If you want to learn more, follow the website; the editor will keep publishing practical articles for you.
