
Website vulnerability detection, penetration testing, testing methods.

2025-02-24 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 06/01 Report

With little time left before the end of the year, many readers have asked about Sine Security's penetration testing, security detection and emergency response services. They want a thorough understanding of the root causes of vulnerabilities and of the immediate fixes for website vulnerabilities, so that their company can build a more professional security department to block hackers' attacks and intrusions.

6.7.1. Common intrusion points

- Web intrusion
- High-risk service intrusion

6.7.2. Common implementation

6.7.2.1. Client monitoring

- Monitoring of sensitive configuration files
- Monitoring of common commands: ELF file integrity monitoring (ps, lsof, ...)
- Rootkit monitoring
- Resource usage alarms: memory utilization, CPU utilization, IO utilization, network utilization
- Monitoring of newly appearing processes
- inotify-based file monitoring

6.7.2.2. Network detection

Detection of attack characteristics at the network level, for example with Snort.

6.7.2.3. Log analysis

Host system security logs and operation logs, network device traffic logs, Web application access logs, SQL application access logs and other logs are centralized into a unified backend, where all kinds of logs are analyzed together.

6.8. Emergency response

6.8.1. Response flow

6.8.1.1. Event occurrence

Operation and maintenance monitoring personnel, customer service auditors and others discover a problem and report it.

6.8.1.2. Event confirmation

Confirm that the incident is real, assess its severity, and decide whether to escalate it upward.

6.8.1.3. Event response

All departments work together to handle the security issue; this is the stage in which the concrete solution is applied.

6.8.1.4. Event shutdown

After the incident has been handled, close the event and write a security incident handling analysis report to complete the whole emergency process.

6.8.2. Event classification

Viruses, Trojans and worms; Web server intrusions; third-party service intrusions; system intrusions (attacks on the operating system through Windows vulnerabilities); network attacks such as DDoS, ARP spoofing and DNS hijacking; etc.

6.8.3. Analysis direction

6.8.3.1. Document analysis

- Analyze files by date: changed files and recently used files
- Source code analysis: check for source code changes and look for WebShells and other backdoors
- System log analysis
- Application log analysis:
  - User-Agent, e.g. Awvs / burpsuite / w3af / nessus / openvas
  - Matching of attack keywords, e.g. select / alert / eval
  - Abnormal requests, e.g. consecutive 404 or 500 responses
- Check the md5sum hashes of commonly used command binaries to see whether a rootkit has been implanted
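The three application-log heuristics above (scanner User-Agents, attack keywords, runs of 404/500 responses), as an added example over constructed sample lines; this is not code from the original page. It assumes the Apache/Nginx "combined" log format, and the keyword list is the page's own (select / alert / eval), so expect some false positives on ordinary URLs.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Combined log format (Apache/Nginx); the layout is an assumption about the server's config.
LINE_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" '
                     r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
SCANNER_UA = ("awvs", "acunetix", "burp", "w3af", "nessus", "openvas")
ATTACK_KEYWORDS = ("select", "alert", "eval")
RUN_THRESHOLD = 3  # consecutive 404/500 responses from one client before it is flagged

# Constructed sample lines: a scanner, a client probing with SQL keywords, and a normal visitor.
SAMPLE = """\
10.0.0.5 - - [24/Feb/2025:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [24/Feb/2025:10:00:02 +0000] "GET /login.php HTTP/1.1" 200 300 "-" "Mozilla/5.0 (compatible; Nessus)"
10.0.0.7 - - [24/Feb/2025:10:00:03 +0000] "GET /item?id=1%20UNION%20SELECT%201 HTTP/1.1" 500 0 "-" "curl/8.0"
10.0.0.7 - - [24/Feb/2025:10:00:04 +0000] "GET /admin/ HTTP/1.1" 404 0 "-" "curl/8.0"
10.0.0.7 - - [24/Feb/2025:10:00:05 +0000] "GET /backup/ HTTP/1.1" 404 0 "-" "curl/8.0"
10.0.0.5 - - [24/Feb/2025:10:00:06 +0000] "GET /missing HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

def triage(lines):
    """Return {indicator: [client IPs]} for the three heuristics described in the text."""
    findings = defaultdict(set)
    streak = defaultdict(int)  # current run of 404/500 responses per client
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            continue  # malformed line; a real pipeline would count these separately
        ip, status, ua = m["ip"], m["status"], m["ua"].lower()
        path = unquote(m["path"]).lower()  # decode %20 etc. before keyword matching
        if any(tag in ua for tag in SCANNER_UA):
            findings["scanner_ua"].add(ip)
        if any(kw in path for kw in ATTACK_KEYWORDS):
            findings["attack_keyword"].add(ip)
        if status in ("404", "500"):
            streak[ip] += 1
            if streak[ip] >= RUN_THRESHOLD:
                findings["error_run"].add(ip)
        else:
            streak[ip] = 0  # a successful response breaks the run
    return {k: sorted(v) for k, v in findings.items()}

def triage_sample():
    return triage(SAMPLE.splitlines())
```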

6.8.3.2. Process analysis

Look for processes with the following characteristics: CPU or memory usage that stays high for a long time; no signature verification information or description information; an invalid process path. Dump system memory and analyze it.

6.8.3.3. Network analysis

- Firewall configuration
- DNS configuration
- Routing configuration

6.8.3.4. Configuration analysis

- View the SELinux configuration
- View environment variables
- Check registry information (Windows)
- Check the SAM file (Windows)
- Check kernel modules

6.8.4. Linux emergency response

6.8.4.1. Document analysis

- Recently used files: find / -ctime -2
- Syslog analysis: key locations under /var/log/
  - /var/log/wtmp: login, logout, data exchange, shutdown and restart records
  - /var/run/utmp: information about the currently logged-in users
  - /var/log/lastlog: the last login of each user, viewable with the lastlog command
  - /var/log/secure: records of logins that access the system, such as pop3 / ssh / telnet / ftp
  - /var/log/cron: log information related to scheduled tasks
  - /var/log/message: system information and error logs after startup
  - /var/log/apache2/access.log: Apache access log
- /etc/passwd: user list
- /etc/init.d/: boot entries
- /etc/cron*: scheduled tasks
- /tmp: temporary directory
- ~/.ssh

6.8.4.2. User analysis

- /etc/shadow: password and login related information
- uptime: view user login time
- /etc/sudoers: sudo user list
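The user-analysis step above (/etc/passwd, /etc/shadow, /etc/sudoers), as an added example that is not code from the original page: flag a second UID-0 account, an account with an empty password field, and a non-root user with unrestricted sudo. The file contents are constructed; on a real host the three files would be read from disk (reading /etc/shadow needs root).

```python
# Constructed contents standing in for /etc/passwd, /etc/shadow and /etc/sudoers on a host
# under investigation. The "sysadm1n" account is the planted one: UID 0 and no password.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:alice:/home/alice:/bin/bash
sysadm1n:x:0:0::/tmp:/bin/sh
"""
SHADOW = """\
root:$6$salt$hash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
www-data:*:19000:0:99999:7:::
alice:$6$salt$hash2:19000:0:99999:7:::
sysadm1n::19000:0:99999:7:::
"""
SUDOERS = """\
# Defaults lines omitted in this constructed sample
root    ALL=(ALL:ALL) ALL
alice   ALL=(ALL) NOPASSWD: ALL
%sudo   ALL=(ALL:ALL) ALL
"""


def review_accounts(passwd, shadow, sudoers):
    """Return (indicator, account) pairs that deserve a closer look, in file order."""
    findings = []
    for line in passwd.splitlines():
        name, _pw, uid, _gid, _gecos, _home, _shell = line.split(":")
        if uid == "0" and name != "root":
            findings.append(("extra_uid0", name))  # a second UID-0 account is a classic backdoor
    for line in shadow.splitlines():
        name, pw = line.split(":")[:2]
        if pw == "":
            findings.append(("empty_password", name))  # login without any password
    for line in sudoers.splitlines():
        rule = line.split("#")[0].strip()
        if not rule or rule.startswith("%"):
            continue  # comments and group rules; groups would need /etc/group to resolve
        user = rule.split()[0]
        if user != "root" and ("NOPASSWD" in rule or rule.endswith("ALL")):
            findings.append(("full_sudo", user))
    return findings
```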

6.8.4.3. Process analysis

- netstat -ano: check whether suspicious ports are open
- w: view logged-in users and their processes
- Analyze boot programs and scripts: /etc/init.d, ~/.bashrc
- View scheduled tasks: crontab -l
- netstat -an / lsof: view which processes occupy which ports

6.8.5. Windows emergency response

6.8.5.1. Document analysis

- Recently used files: C:\Documents and Settings\Administrator\Recent, C:\Documents and Settings\Default User\Recent, %UserProfile%\Recent
- Analyze the Event Viewer: eventvwr.msc

6.8.5.2. User analysis

- Check whether new users have been added
- Check whether the server has weak passwords
- Check the key values corresponding to administrator accounts
- lusrmgr.msc: view account changes
- net user: list the current login accounts
- wmic UserAccount get: list all accounts on the system

This section has focused on intrusion detection in penetration testing and on emergency response solutions. If you want a more in-depth understanding of penetration testing services before a project goes live, you can look at how professional website security companies handle it. Domestic professional companies such as Sinesafe, Qiming Star and Green Alliance are all good network security maintenance companies.
