
Example Analysis of Window Emergency response and FTP brute Force cracking

2025-04-04 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

This article walks through a worked example of Windows incident response for an FTP brute-force attack: how the attack showed up in the security log, how it was analysed, and what was done about it. It is shared for reference; after reading it you should have a working understanding of the relevant techniques.

0x00 Preface

FTP is a file transfer protocol that lets users upload files to, or download files from, a remote host through a client program. It is often used for website code maintenance and daily source-code backups. If an attacker obtains FTP access through anonymous login or a weak password, they can upload a webshell directly and escalate privileges from there until they control the entire web server. -- Source: Bypass (WeChat channel "Bypass")

0x01 Emergency scenario

Since yesterday the website has been responding slowly and logging in to the web server has been very laggy. Restarting the server restores normal access for a while, after which response times become erratic: sometimes fast, sometimes slow, and slow most of the time. For web server anomalies, the system logs and the website logs are the focus of investigation. Looking at the Windows security log, we found a large number of logon failures.

0x02 Log analysis

Security log analysis:

The security log records audit events, including user authentication (local logon, remote access, and so on) and what a given user did on the system after authenticating.

Open the security log, click "Filter Current Log" on the right, and enter 4625 (an account failed to log on) as the event ID. The query returns 177007 events, which by itself shows that the server has been under sustained brute-force attack.

Extracting the events with Log Parser and analysing them further shows that the attacker tried a large number of user names. For the user name "fxxx" alone there were 17826 password attempts. The attacker evidently derived a series of user names from the site's domain name (such as "fxxx") and built a targeted dictionary from them, as shown in the following figure.
</gml_replace>
<gr_replace lines="39" cat="clarify" orig="Here we notice">
Here we notice that the logon type is 8. What does logon type 8 mean?

Here we notice that login type 8, to understand what login type 8 means?

Login Type 8: Network Cleartext

This logon type indicates a network logon like type 3, except that the password was transmitted over the network in clear text. Windows Server does not allow clear-text authentication for connecting to shared folders or printers. As far as I know, this logon type only occurs when logging on from an ASP script via Advapi, or when a user logs on to IIS using basic authentication. Advapi will be listed in the Logon Process column.

This suggests that an FTP service may be running. By checking the listening ports and interviewing the administrator, we confirmed that the server does expose an FTP service to the public network.

In addition, these log entries do not record the source IP address of the brute-force attempts. To obtain the attacking IP we can capture traffic on the FTP port and analyse it with Wireshark.
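The 4625 analysis described above (per-user failure counts, logon type breakdown, and the absence of a source IP on type 8 events), as an added example that is not from the original post. It reads a Log Parser-style CSV export; the sample rows, column names and the threshold are constructed for illustration and not taken from the incident.

```python
import csv
import io
from collections import Counter

# Constructed sample of a Log Parser CSV export from the Security log
# (not real data from the incident). Event 4625 = failed logon, 4624 = success.
SAMPLE_CSV = """TimeGenerated,EventID,TargetUserName,LogonType,IpAddress,LogonProcessName
2000-01-01 01:12:03,4625,fxxx,8,-,Advapi
2000-01-01 01:12:04,4625,fxxx,8,-,Advapi
2000-01-01 01:12:05,4625,fxxxadmin,8,-,Advapi
2000-01-01 01:12:06,4625,fxxx,8,-,Advapi
2000-01-01 01:12:07,4625,fxxx123,8,-,Advapi
2000-01-01 09:00:00,4624,administrator,10,192.0.2.10,User32
2000-01-01 09:30:00,4625,administrator,10,192.0.2.10,User32
"""

LOGON_TYPES = {3: "Network", 8: "NetworkCleartext", 10: "RemoteInteractive"}

def parse_events(csv_text):
    """Parse the CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(csv_text)))

def failed_logon_summary(events, threshold=3):
    """Count 4625 events per target user and per logon type, and flag users
    whose failure count reaches the threshold (set low so the small sample
    triggers it; the real incident had 17826 attempts on one name)."""
    per_user = Counter()
    per_type = Counter()
    type8_without_ip = 0
    for e in events:
        if e["EventID"] != "4625":
            continue
        per_user[e["TargetUserName"]] += 1
        ltype = int(e["LogonType"])
        per_type[LOGON_TYPES.get(ltype, str(ltype))] += 1
        # Type 8 (clear-text, e.g. FTP basic auth via Advapi) events frequently
        # carry no client IP, which is why a packet capture is needed for attribution.
        if ltype == 8 and e["IpAddress"] in ("-", ""):
            type8_without_ip += 1
    suspects = sorted(u for u, n in per_user.items() if n >= threshold)
    return {"per_user": dict(per_user), "per_type": dict(per_type),
            "suspects": suspects, "type8_without_ip": type8_without_ip}

if __name__ == "__main__":
    for key, value in failed_logon_summary(parse_events(SAMPLE_CSV)).items():
        print(key, value)
```

On a real export, a high "type8_without_ip" count alongside a handful of user names with thousands of failures is the pattern the post describes, and the missing IPs are the cue to move to a packet capture.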

Analysing the administrator logon records for the recent period shows the following:

Administrator logons are normal: no logons at unusual times and no unusual source IPs were found. Logon type 10 here denotes a Remote Desktop (RemoteInteractive) logon.

In addition, inspecting the FTP site turned up only a single test file, located outside the website directory, which further confirms that the FTP brute-force attack did not succeed.

Emergency response:

1. Close the external port mapping for FTP.
2. Remove the FTP test service from the local server.

0x03 Preventive measures

FTP brute-force attacks are still very common. Several measures for protecting a server against them:

1. Do not use FTP to transfer files. If it must be enabled, restrict access to management IP addresses and strengthen password auditing (passwords of at least 8 characters, drawn from at least two of the following classes: digits, upper- and lower-case letters, special characters).
2. Change the FTP service's default port on the server.
3. Deploy intrusion detection equipment to strengthen protection.

That concludes this example analysis of Windows incident response and FTP brute-force cracking. I hope the content above is of some help and lets you learn something new; if you found the article useful, please share it so more people can see it.
