2025-01-19 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Many customers' websites and servers have been attacked and compromised, with a large number of webshell files (also known as website Trojan files) left behind. These customers worry about the security of their site and fear it will keep being attacked and tampered with, since they have no professional security staff responsible for it. Through referrals from existing customers, many of them come to us at SINE Security for website security services after an attack, to prevent further malicious attacks and tampering and to have the site comprehensively defended and hardened. While we carry out the security deployment, the customer often wants to know how the website and server were actually compromised and what the attacker's IP is. In this situation our SINESAFE technicians find that the best approach is log analysis: tracing the source through the logs to help the customer find where the website vulnerability lies and who is attacking them. Below we share how we analyze logs and trace the source.
First of all, the customer's website and server operating system must have logging enabled; for the website this means the access logs of IIS, NGINX or APACHE. Through a thorough manual security analysis and audit of the log files, we can trace the root cause of the attack on the website and the attacker's IP. Our SINE Security technicians also find it painful to view and analyze logs that are hundreds of megabytes, possibly gigabytes, in size. When that many log records are searched for specific signature strings, the log viewer freezes, and each freeze lasts at least a few minutes, which wastes a lot of time. From more than ten years of log-auditing experience, we have built up our own set of log analysis methods and scripts.
We start with the keyword search function. The purpose of searching the logs by keyword is to find the attacker's traces quickly: the address of the Trojan (webshell) file, the access time, the browser characteristics, the IP, and so on. To use it, drag the log file into the log analysis tool's /LOG folder, run the log .py script, and then open it. The search keywords are matched as regular expressions by default, and up to two keywords can be given. The search results can be exported to any directory on the computer under the name safe.txt. For example, you can search for the relevant 404 page signature.
Searching for an IP address works the same way: all log records containing that IP are found and exported to safe1.txt, with later exports named in the same pattern. In an actual attack-source analysis, we first look up the time at which the website's files were attacked and tampered with. Starting from the file modification time, we go through all website access logs for that period, as well as the server logs. This covers cases where the server itself may have been compromised, with a Trojan implanted in the system drivers that remotely tampers with the server's files and code. We then find and record the suspicious visits, search the logs using the suspicious IP as the keyword, retrieve every request that IP made to the website and save the results to the computer, and analyze those records to find out where the problem lies. Our SINE Security technicians also search for other signature keywords to trace the source of the attack, such as the name of the uploaded webshell file and the attacker's browser characteristics. For example, some websites receive almost exclusively GET requests, so POST is used as a keyword to search the access records.
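The workflow described above (a search with up to two regular-expression keywords, then pivoting from the tamper time to suspect IPs and on to every request those IPs made), as an added example that is not the SINE Security script. It assumes NGINX/Apache combined-format access logs (IIS W3C logs need a different parser); the helper names, the 30-minute window and the sample lines are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Assumed format: NGINX/Apache "combined" access log.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec

def search(lines, *patterns):
    """Yield lines matching every regex given (the article allows up to two)."""
    regs = [re.compile(p) for p in patterns]
    for line in lines:                 # streams; works on an open file object
        if all(r.search(line) for r in regs):
            yield line.rstrip("\n")

def trace(open_log, tamper_time, minutes=30):
    """Two streaming passes: POSTs near the tamper time give suspect IPs,
    then every request made by those IPs is collected."""
    lo = tamper_time - timedelta(minutes=minutes)
    hi = tamper_time + timedelta(minutes=minutes)
    suspects = set()
    for rec in filter(None, map(parse, open_log())):
        if rec["method"] == "POST" and lo <= rec["ts"] <= hi:
            suspects.add(rec["ip"])
    hits = [l.rstrip("\n") for l in open_log()
            if (r := parse(l)) and r["ip"] in suspects]
    return suspects, hits

# Constructed sample log: documentation IP ranges and made-up paths.
SAMPLE = """\
198.51.100.7 - - [12/Mar/2024:02:10:01 +0800] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.45 - - [12/Mar/2024:02:14:33 +0800] "GET /admin/login.php HTTP/1.1" 404 162 "-" "python-requests/2.31"
203.0.113.45 - - [12/Mar/2024:02:15:02 +0800] "POST /upload/file.php HTTP/1.1" 200 87 "-" "python-requests/2.31"
203.0.113.45 - - [12/Mar/2024:02:15:40 +0800] "POST /upload/img/x.php HTTP/1.1" 200 12 "-" "python-requests/2.31"
198.51.100.7 - - [12/Mar/2024:09:30:00 +0800] "POST /contact.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    tampered = datetime.strptime("12/Mar/2024:02:16:00 +0800", TS_FMT)
    ips, hits = trace(lambda: iter(SAMPLE), tampered)
    with open("safe1.txt", "w") as out:    # export file name as in the article
        out.write("\n".join(hits) + "\n")
```

For a real log, pass `lambda: open(path, errors="replace")` as `open_log` so each pass reads the file line by line instead of loading it into memory.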
With the log analysis methods described above, our SINE Security technicians can trace the source to find the attacker's IP and how the website was attacked; the root cause of a server compromise can likewise be worked out from the logs. To pin down the vulnerabilities themselves, a penetration test is needed to detect the current vulnerabilities of the website and the server, including logic vulnerabilities, privilege-escalation (unauthorized access) vulnerabilities, file upload vulnerabilities, SQL injection, XSS (cross-site scripting), remote code execution and file inclusion vulnerabilities. If you do not know much about website and server security, you can ask a professional network security company to help; SINESAFE, Qiming Star, Green Alliance and Eagle Shield security are relatively well known in China. Keeping the website and server running safely and stably is also the foundation of our business development: only when the website is secure can customers use it with confidence.