When a company's web application shows network anomalies and a web attack is suspected, the web server and its web logs must be examined to establish whether the application has actually been attacked, what types of attack were used, which IP addresses the attacks came from, whether a webshell may have been planted, and whether the system itself may have been taken over; this is the tracing analysis covered here.
If the web logs cannot be copied off the server or uploaded to a log analysis system, they have to be inspected by hand. The following methods can be used.
Search the logs for known web-attack signatures. If the search results contain attack entries, the web application is being attacked.
grep -E -i "select|%20and%201=1|%20and%201=2|exec|%27exec|information_schema.tables|where%20|union|%2ctable_name%20|cmdshell|%20table_schema" /www/logs/access.2020-07-09.log
grep -E -i "(\S)%3C(\S+)%3E|(\S)%3C(\S+)%2F%3E|(\S+)<(\S+)>|(\S+)<(\S+)/>|onerror|onmouse|expression|alert|document\.|prompt\(\)" /www/logs/access.2020-07-09.log
grep -E -i "\.zip|\.rar|\.mdb|\.inc|\.sql|\.config|\.bak|login\.inc\.php|\.svn|/mysql/|config\.inc\.php|wwwroot|网站备份|/gf_admin/|/DataBackup/|/Web\.config|/web\.config|/1\.txt|/test\.txt" /www/logs/access.2020-07-09.log
grep -E -i "ping%20-c%20|ls%20|cat%20|%20pwd|net user" /www/logs/access.2020-07-09.log
grep -E -i "struts|jmx-console|ajax_membergroup.php|iis.txt|phpMyAdmin|getWriter|dirContext|phpmyadmin|acunetix.txt|/e/|/SouthidcEditor/|/DatePicker/" /www/logs/access.2020-07-09.log
grep -E -i "/passwd|win.ini|/my.ini|/MetaBase.xml|/ServUDaemon.ini|cmd.exe" /www/logs/access.2020-07-09.log
grep -E -i "eval|%eval|%execute|%3binsert|%20makewebtaski|/1.asp|/1.jsp|/1.php|/1.aspx|/xiaoma.jsp|/tom.jsp|/py.jsp|/k8cmd.jsp|/k8cmd|/ver007.jsp|/ver008.jsp|/ver007|/ver008|.aar|%if" /www/logs/access.2020-07-09.log
grep -E -i "POST.*login" /www/logs/access.2020-07-09.log
grep -E -i "login.*200" /www/logs/access.2020-07-09.log
grep -E -i "login" /www/logs/access.2020-07-09.log | grep -E -i "POST" | grep -E -i "200"
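The signature searches above, run together over a small access log and ranked by source IP, as an added example that is not part of the original article. The log lines are constructed for the demo (RFC 5737 test addresses), and the patterns are condensed from the grep commands above.

```shell
#!/bin/sh
# Added example: classify requests in a combined-format access log by the
# signature families used in the article, then rank source IPs by hits.
# The log below is constructed for this demo, not taken from a real server.
LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
203.0.113.10 - - [09/Jul/2020:10:01:02 +0800] "GET /index.php?id=1%20and%201=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [09/Jul/2020:10:01:05 +0800] "GET /index.php?id=1%20union%20select%201,2 HTTP/1.1" 200 640 "-" "Mozilla/5.0"
198.51.100.7 - - [09/Jul/2020:10:02:11 +0800] "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 220 "-" "Mozilla/5.0"
198.51.100.7 - - [09/Jul/2020:10:02:30 +0800] "GET /backup/www.zip HTTP/1.1" 404 180 "-" "Mozilla/5.0"
192.0.2.55 - - [09/Jul/2020:10:03:01 +0800] "GET /cgi-bin/test?cmd=cat%20/etc/passwd HTTP/1.1" 500 90 "-" "curl/7.68.0"
192.0.2.55 - - [09/Jul/2020:10:03:05 +0800] "GET /index.php?page=../../etc/passwd HTTP/1.1" 200 410 "-" "curl/7.68.0"
192.0.2.55 - - [09/Jul/2020:10:03:09 +0800] "POST /uploads/1.php HTTP/1.1" 200 15 "-" "curl/7.68.0"
192.0.2.55 - - [09/Jul/2020:10:03:20 +0800] "POST /admin/login.php HTTP/1.1" 401 120 "-" "curl/7.68.0"
192.0.2.55 - - [09/Jul/2020:10:03:21 +0800] "POST /admin/login.php HTTP/1.1" 200 312 "-" "curl/7.68.0"
192.0.2.55 - - [09/Jul/2020:10:03:22 +0800] "POST /admin/login.php HTTP/1.1" 200 312 "-" "curl/7.68.0"
203.0.113.10 - - [09/Jul/2020:10:04:00 +0800] "GET /about.html HTTP/1.1" 200 3021 "-" "Mozilla/5.0"
EOF

# Signature families, condensed from the article's grep patterns (dots escaped).
SQLI='select|%20and%201=1|%20and%201=2|union|information_schema|cmdshell'
XSS='%3C[^ ]+%3E|<[^ ]+>|onerror|onmouse|alert|document\.|prompt'
FILES='\.zip|\.rar|\.mdb|\.sql|\.config|\.bak|\.svn|/DataBackup/'
CMD='ping%20-c%20|ls%20|cat%20|%20pwd|net user|/passwd|win\.ini|cmd\.exe'
WEBSHELL='eval|%execute|/1\.asp|/1\.jsp|/1\.php|/1\.aspx'

# hits PATTERN LOGFILE -> number of request lines matching one family
hits() { grep -E -i -c -- "$1" "$2" || true; }

# login_hits LOGFILE -> POST requests to a login URL that were answered with 200
login_hits() { grep -E -i 'POST.*login' "$1" | grep -c -E ' 200 ' || true; }

# suspects LOGFILE -> "count ip" per source IP with suspicious requests, busiest first
suspects() {
  grep -E -i -- "$SQLI|$XSS|$FILES|$CMD|$WEBSHELL" "$1" \
    | awk '{print $1}' | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

printf 'SQLI     %s\n' "$(hits "$SQLI" "$LOG")"
printf 'XSS      %s\n' "$(hits "$XSS" "$LOG")"
printf 'FILES    %s\n' "$(hits "$FILES" "$LOG")"
printf 'CMD      %s\n' "$(hits "$CMD" "$LOG")"
printf 'WEBSHELL %s\n' "$(hits "$WEBSHELL" "$LOG")"
printf 'LOGIN200 %s\n' "$(login_hits "$LOG")"
suspects "$LOG"
```

The per-IP ranking is what feeds the threat-intelligence lookups in the next step; the login count only flags POSTs that returned 200, so a 401-heavy burst still needs the broader `POST.*login` search.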
Use a threat-intelligence platform to analyse the files or IP addresses obtained from the log analysis.
URL: https://x.threatbook.cn/
It supports threat-intelligence lookups on IP addresses, domains, file hashes (MD5/SHA1/SHA256), email addresses, files and URLs.
A second threat-intelligence platform can be used for the same files or IP addresses.
URL: https://ti.qianxin.com/
It supports threat-intelligence lookups on domains, IP addresses, email addresses, file hashes (MD5/SHA1), certificate fingerprints (SHA1) or other strings, and files.
grep -E -i 'Googlebot|Baiduspider' /www/logs/access.2020-07-09.log | awk '{ print $1 }' | sort | uniq
grep '23/May/2019' /www/logs/access.2020-07-09.log | awk '{print $1}' | awk -F'.' '{print $1"."$2"."$3"."$4}' | sort | uniq -c | sort -r -n | head -n 10
cat /www/logs/access.2020-07-09.log | awk '{print $1}' | awk -F'.' '{print $1"."$2"."$3".0"}' | sort | uniq -c | sort -r -n | head -n 200
cat /www/logs/access.2020-07-09.log |awk '{print $2}'|sort|uniq -c|sort -rn|more
cat /www/logs/access.2020-07-09.log |awk '{print $9}'|sort|uniq -c|sort -rn|more
cat /www/logs/access.2020-07-09.log |awk '{print $7}'|sort|uniq -c|sort -rn|more
cat /www/logs/access.2020-07-09.log | awk '{print $7}' | grep -E '\?|&' | sort | uniq -c | sort -rn | more
cat /www/logs/access.2020-07-09.log |awk '{sum[$7]+=$10}END{for(i in sum){print sum[i],i}}'|sort -rn|more
grep ' 200 ' /www/logs/access.2020-07-09.log |awk '{sum[$7]+=$10}END{for(i in sum){print sum[i],i}}'|sort -rn|more