2025-01-24 Update From: SLTechnology News&Howtos > Network Security
Shulou(Shulou.com)05/31 Report--
This article focuses on "how to capture attack events under Linux". Readers who are interested may wish to take a look. The method introduced here is simple, fast and practical; let the editor take you through "how to capture attack events under Linux".
Capture attack events under Linux
In day-to-day log analysis and forensics, mastering a few basic forensic techniques lets you quickly locate the attacker's methods and paths. Below are some command-line techniques for capturing attack features:
1 Capture the characteristics of common web vulnerability scanning tools
The names of several commonly used vulnerability scanners can be matched with the following command reference:
egrep -i --color=auto "AppScan|acunetix|Netsparker|WebCruiser|owasp|ZAP|vega|Nikto|w3af" /usr/local/nginx/logs/access_bwapp.log
2 Capture SQL injection features
Commonly used SQL keywords are as follows:
union, select, and, insert, information_schema, or, xor, like, order by, null, sleep ...
Command reference: egrep -i --color=auto "union(.*)select|select(.*)from" /usr/local/nginx/logs/access_bwapp.log
3 Capture typical code or command execution features
Reference keywords: eval, assert, system, passthru ...
Command reference: egrep -i --color=auto "system\(.*\)|eval\(.*\)" /usr/local/nginx/logs/access_bwapp.log
4 Capture typical webshell file naming features
For example, the most common "spy" series, and names such as b374k, r57, c99, c100, Kacak, Zehir4, webadmin and so on. Tennc maintains a repository that collects webshells; you can go there, extract all the webshell names, and put them into your own rules:
egrep -i --color=auto "r57|c99|c100|b374k|aspxspy|phpspy|wso" /usr/local/nginx/logs/access_bwapp.log
5 Capture parameter features of sensitive command execution and file operation classes
For example php?cmd=, php?filemanager=, php?upload= ... webshell parameters are generally passed in this way. Reference:
egrep -i --color=auto "php\?cmd=|php\?code=|php\?exec=" /usr/local/nginx/logs/access_bwapp.log
6 Capture parameter features of file inclusion, file read, arbitrary file download, email, xpath and ldap injection vulnerabilities
Such URLs usually contain a path traversal sequence such as ../. Reference: egrep -i --color=auto "php\?file=|php\?page=|php\?include=|\.\./|php\?\.\./" /usr/local/nginx/logs/access_bwapp.log
7 Capture parameter features of XSS vulnerabilities
Since it is XSS, find a way to match the JavaScript code. Reference: egrep -i --color=auto "<script(.*)>|alert\(.*\)" /usr/local/nginx/logs/access_bwapp.log
8 Quickly lock onto IPs that make frequent requests
Find the records for those IPs to see what they are doing, then extract and analyze them. Reference: awk '{print $1}' /usr/local/nginx/logs/access_bwapp.log | sort -n | uniq -c | sort -rn | head -n 100
9 Capture simple one-line trojans (one-sentence webshells)
Collect the sensitive request features of the webshells driven by the typical HTTP management tools (China Chopper, the "kitchen knife", Altman, weevely ...); for targeted rules you may need to capture packets and look carefully at the various request parameters. For a simple manual check, scan the website directory for webshell features with egrep, find, sed, awk, sort, findstr. In short, to quickly locate simple webshells in the website directory, refer to:
find /usr/local/nginx/html/ -type f | xargs egrep "eval|system"
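The rules from sections 1 to 8 above, gathered into one table-driven classifier and run over a constructed access log. This is an added example, not code from the original article; the IPs, paths, rule labels and temp file are assumptions made for the demonstration.

```shell
# Added example, not from the original article: the article's egrep rules as one
# table-driven classifier plus its top-talker pipeline, run over a constructed
# nginx access log. IPs, paths and the temp file below are made up for the demo.
classify_request() {
    # $1: one access-log line. Prints the first rule class that matches, in the
    # order of the article's sections, or "clean". read -r keeps the backslashes.
    while read -r label pattern; do
        if printf '%s\n' "$1" | grep -Eiq -- "$pattern"; then
            echo "$label"
            return 0
        fi
    done <<'EOF'
scanner AppScan|acunetix|Netsparker|WebCruiser|owasp|ZAP|vega|Nikto|w3af
sqli union(.*)select|select(.*)from
rce system\(.*\)|eval\(.*\)
webshell-name r57|c99|c100|b374k|aspxspy|phpspy|wso
webshell-param php\?cmd=|php\?code=|php\?exec=
lfi php\?file=|php\?page=|php\?include=|\.\./
xss <script(.*)>|alert\(.*\)
EOF
    echo clean
}
scan_log() {
    # $1: access-log path. Prints "class<TAB>line" for every line hitting a rule.
    while IFS= read -r line; do
        label=$(classify_request "$line")
        if [ "$label" != clean ]; then
            printf '%s\t%s\n' "$label" "$line"
        fi
    done <"$1"
}
top_ips() {
    # $1: access-log path, $2: rows to show. Section 8's pipeline: with nginx's
    # default log format the first field is the client IP.
    awk '{print $1}' "$1" | sort | uniq -c | sort -rn | head -n "${2:-100}"
}
# Constructed sample log in nginx combined format; line 1 is benign.
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
10.0.0.5 - - [24/Jan/2025:10:00:01 +0000] "GET /index.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [24/Jan/2025:10:00:02 +0000] "GET /item.php?id=1%20union%20select%201,2 HTTP/1.1" 200 100 "-" "Mozilla/5.0"
10.0.0.9 - - [24/Jan/2025:10:00:03 +0000] "GET /robots.txt HTTP/1.1" 404 162 "-" "Mozilla/5.0 (Nikto/2.1.6)"
10.0.0.7 - - [24/Jan/2025:10:00:04 +0000] "GET /uploads/c99.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.7 - - [24/Jan/2025:10:00:05 +0000] "GET /uploads/x.php?cmd=id HTTP/1.1" 200 30 "-" "Mozilla/5.0"
10.0.0.8 - - [24/Jan/2025:10:00:06 +0000] "GET /img.php?file=../../../../etc/passwd HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.8 - - [24/Jan/2025:10:00:07 +0000] "GET /search.php?q=<script>alert(1)</script> HTTP/1.1" 200 800 "-" "Mozilla/5.0"
EOF
scan_log "$SAMPLE_LOG"   # six tagged lines
top_ips "$SAMPLE_LOG" 3  # 10.0.0.7 first, with 3 requests
```

Rules are checked in section order, so a line that hits several patterns is reported under the first one; the short webshell names (c99, c100, wso) are noisy on real traffic and worth reviewing rather than alerting on directly.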
At this point, I believe you have a deeper understanding of "how to capture attack events under Linux". You might as well try it in practice. For more related content, follow us and keep learning!