Emergency Response – Website Intrusion and Tampering Guide_Webshell Memory Horse Scanning_Vulnerability Troubleshooting_Time Analysis

1. Preface

Security service teams working on projects frequently encounter work that requires emergency response. Emergency response means that when an anomaly occurs on a website, the responder traces the incident back from the observed symptoms, identifies the underlying problem, and resolves it.

2. Network security abnormal characteristics

Below is a summary of common indicators of a network security anomaly. They are not a formal standard; the specific indicators depend on the malware family and the environment and must be analysed case by case.

Host security: CPU or memory at full load, unexpected server restarts, abnormal log entries, etc.
Website security: web page malware (drive-by downloads), hidden SEO links, webshells, file tampering, etc.
Traffic security: network congestion, abnormal traffic patterns, etc.
Data security: data leakage, data tampering, etc.
File security: file loss, file tampering, file encryption, files locked, etc.
Equipment alarms: firewall alerts, anti-virus alerts, situational-awareness platform alerts, IPS alerts, etc.

3. Emergency response process

Emergency response is divided into six stages:

1) Preparation
2) Detection
3) Containment
4) Eradication
5) Recovery
6) Tracking

In real emergency response, however, it is usually hard to follow this sequence strictly; handling is driven by the specific problem. For example, according to the process the second stage is to determine whether the event is still ongoing, but anyone who is actually prepared will first unplug the network cable.

3.1. Stage analysis

The work to be done in each stage is as follows.

Preparation phase: analyse asset risks, establish a management team, reinforce against identified risks, guarantee resource reserves, and build a technical support resource library

Detection phase: daily operation and maintenance monitoring, event judgment, and event reporting

Event level determination: general events, relatively major events, major events, particularly major events

Event types: Malicious program events, network attack events, Web attack events, business security events

Malicious program events include: computer virus events, Trojan horse events, ransomware, worm events, botnet programs, mining programs, etc.
Network attacks include: denial of service attacks, vulnerability attacks, phishing incidents, backdoor attacks, network scanning and eavesdropping incidents, and interference incidents.
WEB attack events include: WebShell, web page Trojan events, web page tampering events, web page hidden link events
Business security incidents include: promotion and coupon abuse ("wool harvesting") incidents, data leakage incidents, and permission leakage incidents.

Containment phase: control the spread of the event, contain its effects, and monitor containment

Control the spread of events:
1) Take effective measures to prevent further expansion of the incident.
2) Minimize negative impacts as much as possible.

Containment effect:
1) Adopt conventional technical means to deal with emergencies.
2) Try to quickly repair the system to eliminate the impact of emergency events.

Containment monitoring:
1) Confirm whether the current containment measures are effective.
2) Analyze the causes of emergency incidents and provide solutions for the eradication stage.

Eradication recovery phase: Activation of emergency plans, eradication monitoring, and continuous monitoring

Activate emergency plan:
1) Coordinate the personnel of various emergency response teams to be in place
2) Start relevant plans based on emergency scenarios

Eradication monitoring:
1) Confirm whether the disposal is effective based on the implementation of the emergency plan
2) Try to restore the normal operation of the information system

Continuous monitoring:
1) Continue to monitor the emergency event after the emergency response is successful
2) Confirm that the emergency incident has been eradicated
3) Information system operation returns to normal conditions

Tracking phase: emergency response report, emergency incident investigation, emergency response summary

Emergency response report:
1) The emergency response implementation team reports on the handling of emergency incidents
2) The emergency response leading group issues instructions to end the emergency response

Emergency incident investigation:
1) Investigate the causes of emergency incidents
2) Assess the damage caused by emergency events to information systems
3) Assess the impact of emergency events on units and organizations

Emergency response summary:
1) Reinforce and rectify existing risk points
2) Evaluate the implementation of emergency plans and follow-up improvement plans
3) Evaluate members of the emergency response organization and commend those who have performed meritorious services

3.2. Event classification

A rough categorization of events; it is neither exhaustive nor precise.

Cyber attack incident:

Security scanning attack: Hackers use scanners to detect vulnerabilities in targets, and after discovering vulnerabilities, they further exploit the vulnerabilities to carry out attacks.
Brute force cracking attack: brute force cracking of the target system account and password to obtain backend administrator privileges
System vulnerability attack: Attack by exploiting vulnerabilities in operating systems and application systems
WEB vulnerability attack: Attack through various WEB vulnerabilities such as SQL injection vulnerability, upload vulnerability, XSS vulnerability, authorization bypass, etc.
Denial of service attack: flooding the target with DDoS or CC (HTTP-layer flood) traffic so that the server can no longer provide normal service
Other cyber attacks

Malicious program events:

Main types and harms of malicious programs:
Viruses and worms: causing system slowness, data damage, and abnormal operation
Remote control Trojan: The host is remotely controlled by hackers
Botnet program: the host is used to launch DDoS attacks and scans (zombie or "broiler" behaviour)
Mining program: causing massive consumption of system resources

WEB malicious code:

Common types and harms of website malicious code:
Webshell backdoor: Hackers control the host through Webshell
Web page malware (drive-by): the page is injected with content that infects visitors, endangering their security.
Web page hidden links: the website is injected with hidden links to malicious sites, gambling or gaming sites, and other advertising content

Information destruction incident:

The system configuration has been tampered with: abnormal services, processes, startup items, accounts, etc. appear in the system
Database content tampering: Business data has been maliciously tampered with, causing business abnormalities and losses.
Website content tampering incident: Website page content was maliciously tampered with by hackers
Information data leakage incident: server data and member accounts were stolen and leaked

Other incidents of sabotage:

Abnormal account login: a system account is used from an unusual location, suggesting that its password may have been leaked.
Abnormal network connection: the server initiates unexpected outbound connections, for example to a command-and-control (C2) server, a mining pool, or a malware distribution server.

3.3. On-site disposal

In practice, the client (Party A) or its administrators have often already taken the affected equipment offline before we begin. At that point our first task is to establish the basic elements of the event: when it happened, where (which host or service), and who was involved. In other words, gather the event information first, then prepare the appropriate tools.

For example, if the host is being remotely controlled, the main question is whether it has been implanted with a Trojan or a memory horse (in-memory webshell); a ransomware decryption tool would be of no use there. So determine the nature of the event before preparing for the work.

The approximate process is as follows (it is not fixed; each security vendor or company has its own understanding and approach):

Preparation phase: Obtain relevant event information and prepare related tools for the event.
Protection stage: disconnect from the network (as mentioned, many owners have already done this in advance), back up data files, isolate the system physically, and fail over to a standby system (where the company runs an active/standby setup).
Detection phase: event analysis.
Evidence collection stage: determine the attack event, determine the attack time, determine the attack process, and determine the attack object.
Handling stage: reproduce the security issue, report it, provide remediation (patching, installing anti-virus software, enabling the firewall, etc.), and restore the business.
Summary phase: issue incident report.

3.4. Log storage

During event analysis, logs are often the greatest help, provided of course that the attacker has not deleted them. Log locations differ between middleware, databases and operating systems, so ask the relevant staff or look up the path for the specific service yourself. The paths are not listed here; they can be found easily by searching online (Baidu, for example).

4. Event analysis

Several event types are analysed below. The environments are all idealised; in real handling a great deal more may need to be analysed. These are basic analysis processes, for reference only.

4.1. Time-based emergency response

Time-based emergency response applies when the user can give the exact or approximate time at which the anomaly occurred; with that anchor the incident can be resolved much faster. You first need to know the website's architecture (database, middleware, operating system, and so on), then locate the corresponding logs and examine the entries around that time for attack records: source IP address, abnormal traffic volume, User-Agent header, request method, requested file, status code, and so on.

4.1.1. Background status

In time-based emergency response the attacker's details are determined by reviewing the logs around the reported time.

4.1.2. View website

This is an ordinary website. To generate test data, we run a directory scan against it.

4.1.3. Generate records

The scan did find some content, but the results are not the point here; this is only a test, not a real attack, and the aim is simply to leave access records in the website's logs for later analysis.

Likewise, sqlmap is run against the site to generate records.

4.1.4. Emergency response

The test here is not complicated. Suppose an attack occurs and Party A's staff notice it quickly. Since we are working from the time of the event, the first step is to check the logs.

Assume the user tells us the anomaly appeared on October 25th; we then search the logs for that date. Under normal use, a single visitor does not generate a large number of log entries for one page within a short time: there are usually several seconds between one action and the next. The log below, however, shows a burst of requests within a short period, which is clearly automated concurrent access.

The same logs also show GET requests for many different directories, which is characteristic of directory scanning. They are followed by a series of POST requests. Normal browsing consists almost entirely of GET requests, and POSTs appear only on actions such as logging in, yet here there are many of them, and the most conspicuous User-Agent among them is sqlmap, so the site was being probed by a tool, and the subsequent status codes are still 200.

From this analysis we can determine the attack behaviour, the attacker's IP address, the attack event, and the attack target. With those elements established, what remains is attribution of the IP, which is a separate topic.
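As an added illustration of this time-based triage (example code written for this article, not from the original post or from any tool it names), the following Python script parses combined-format access logs, keeps only the entries for the reported day, and flags, per client IP, the same indicators described above: a burst of requests within a few seconds, a majority of 404 responses spread over many paths, an unusually high number of POSTs, and a scanner User-Agent. The log lines are constructed, and the thresholds (a 10-second window, 20 requests, 10 POSTs) are assumptions to tune for each site.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache/Nginx "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# User-Agent fragments of common scanning tools (sqlmap is the one seen on this page).
TOOL_UA = ("sqlmap", "nikto", "dirbuster", "gobuster", "dirsearch", "nmap", "python-requests")


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["day"] = rec["time"].split(":", 1)[0]            # e.g. "25/Oct/2023"
    rec["ts"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def triage(lines, day, window_seconds=10, burst_threshold=20):
    """Group requests on `day` by client IP and report IPs that look automated.

    Each indicator adds a reason: >= burst_threshold requests inside any sliding window of
    window_seconds, a majority of 404s over many distinct paths (directory scan), many POSTs,
    and a tool User-Agent. Thresholds are assumptions, not values from the article.
    """
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["day"] == day:
            by_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        peak, start = 0, 0                                 # largest sliding-window count
        for end in range(len(recs)):
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        statuses = Counter(r["status"] for r in recs)
        methods = Counter(r["method"] for r in recs)
        paths = {r["path"] for r in recs}
        tool_uas = sorted({r["ua"] for r in recs if any(t in r["ua"].lower() for t in TOOL_UA)})

        reasons = []
        if peak >= burst_threshold:
            reasons.append(f"{peak} requests within {window_seconds}s")
        if len(recs) >= 10 and statuses[404] > len(recs) / 2 and len(paths) >= 10:
            reasons.append(f"{statuses[404]}/{len(recs)} responses were 404 over {len(paths)} paths (directory scan)")
        if methods["POST"] >= 10:
            reasons.append(f"{methods['POST']} POST requests")
        if tool_uas:
            reasons.append("tool User-Agent: " + "; ".join(tool_uas))
        if reasons:
            findings[ip] = {"first": recs[0]["time"], "last": recs[-1]["time"],
                            "requests": len(recs), "reasons": reasons}
    return findings


def _line(ip, ts, method, path, status, ua):
    return f'{ip} - - [{ts} +0800] "{method} {path} HTTP/1.1" {status} 512 "-" "{ua}"'


def build_sample_log():
    """Constructed sample traffic (not real data): one ordinary visitor and one scanner."""
    browser = "Mozilla/5.0 (Windows NT 10.0) Firefox/118.0"
    lines = [_line("203.0.113.7", "24/Oct/2023:18:30:01", "GET", "/index.php", 200, browser)]
    for i, page in enumerate(["/index.php", "/about.php", "/news.php"]):
        lines.append(_line("203.0.113.7", f"25/Oct/2023:10:01:{12 + 20 * i:02d}", "GET", page, 200, browser))
    # Directory scan: 40 GETs for different paths, all 404, within about two seconds.
    for i in range(40):
        lines.append(_line("198.51.100.9", f"25/Oct/2023:10:02:{3 + i // 20:02d}",
                           "GET", f"/dir{i}/", 404, "Mozilla/5.0 (compatible)"))
    # sqlmap probing a login form: many POSTs, tool User-Agent, status 200.
    for i in range(12):
        lines.append(_line("198.51.100.9", f"25/Oct/2023:10:05:{i:02d}", "POST", "/login.php", 200,
                           "sqlmap/1.7 (https://sqlmap.org)"))
    return lines


if __name__ == "__main__":
    for ip, f in triage(build_sample_log(), "25/Oct/2023").items():
        print(ip, f["first"], "->", f["last"], f["requests"], "requests")
        for reason in f["reasons"]:
            print("   ", reason)
```

Run against a real file with `triage(open("access.log"), "25/Oct/2023")`. The ordinary visitor produces no reasons and is omitted, while the scanner IP is reported with its first and last timestamps, which is exactly the information needed for the next step in the text (IP attribution and reporting).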

The follow-up step is to ask Party A’s relevant personnel to repair the website program.

4.2. Vulnerability-based emergency response

Vulnerability-based emergency response applies when Party A finds that the website has been tampered with or is behaving abnormally but does not know when the attack occurred. Such a website usually also has a large number of visitors, which makes searching the logs much harder: a few thousand log lines can be reviewed, but tens of thousands or millions cannot be checked one by one.

At this point you need to think like the red team: if you were the attacker, how would you compromise this website and gain access?

4.2.1. Background status

In vulnerability-based emergency response, when the daily log volume is too large to filter, or the logs are lost and the attacker cannot be traced, the priority is to resolve the problem itself. Using the red team's approach, identify the likely vulnerability, then either search the logs for keywords related to it to narrow down the attack, or fix the vulnerability first.

4.2.2. View website

After inspecting the website, I found that it runs the Joomla content management system, version 3.2.45. Assuming this website was attacked, how did the attacker get in? The simplest approach is to check whether this platform and version have a known public vulnerability (an nday).

4.2.3. Find nday

Searching online, we found that Joomla 3.2.45 has a remote code execution vulnerability. A tool was used here to upload a Trojan.

A public exploit (EXP) is used here for remote command execution. This is somewhat unprofessional, but the aim is only to understand the process. Since I do not have the Python 2.0 version installed, the exploit used will not be recorded in the log.

This gives a general picture of the process.

4.2.4. Emergency response

Returning to the question of how to find the attacker's entries among thousands or tens of thousands of log lines: we have just reproduced the attack using the red team's approach, and the simulated attack path relies on remote code execution. Can we therefore search the logs for common code-execution commands?

Because my exploit did not run successfully, I will use a search for the 200 status code as the example. Had the exploit succeeded, should I then search for cmd, ls, or other such parameters?

4.3. Backdoor-based emergency response

In backdoor-based emergency response there is no lead to start from. Instead, the backdoor is found by webshell scanning, the logs are then searched for accesses to that backdoor, the attacker's method is reconstructed from those records, and the vulnerability that was used is repaired.

4.3.1. Background status

When you are at a loss and have no information about time, place or person, the responder should promptly consider what services the website is built on and what vulnerabilities they may have. The backdoor-based approach means first scanning for and removing webshells, then checking the logs for access records to the webshell's path.

4.3.2. View website

This is a default Tomcat page, and the manager has a weak password; if it is guessed correctly, files can be uploaded.

4.3.3. Creating Trojans

Here Godzilla is used to generate a Trojan (webshell), which is then uploaded.

We have uploaded it here.

4.3.4. Test link

You can see that we can connect normally here.

4.3.5. Emergency response

Now for the emergency response. As before, the logs are too numerous to review directly, but we can work from the backdoor Trojan.

We scan with the Hippo webshell scanner, which identifies the file as a Godzilla Trojan and gives us its path. We can then check the logs for requests to that path.

Checking the logs, we do find access records for that path, and from them we obtain the attacker's IP.
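Both log searches described on this page, the keyword search for code-execution indicators in 4.2.4 and the search for requests to a known webshell path in 4.3.5, reduce to the same operation: decode each request target and match it against a small set of indicators. The following Python script is an added example written for this article (not code from the original post or from any tool it names). It URL-decodes request targets repeatedly, because double encoding is a common way to hide a command from a naive grep, looks for command parameter names and for command words in value position only (so that an ordinary `id=5` is not flagged), and matches the path against webshell paths supplied by the scanner step. The log lines, the attacker IP and the webshell path `/upload/banner.jsp` are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Only the fields needed here: client IP, timestamp, method, request target, status.
REQ_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')

# Parameter names commonly used to pass a command, and command words in *value* position
# (directly after "="), so that ordinary parameters such as id=5 are not flagged.
CMD_PARAM = re.compile(r'(?:^|[?&;])(?:cmd|command|exec|shell)=', re.I)
CMD_VALUE = re.compile(r'=\s*(?:whoami|id|ls|cat|uname|ifconfig|ipconfig|wget|curl|powershell|bash|sh)(?=$|[\s+;&|/])', re.I)


def decode_fully(s, max_rounds=3):
    """URL-decode until the string stops changing (double encoding is a common evasion)."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def search_log(lines, webshell_paths=()):
    """Return {ip: [(time, method, decoded_target, status, reasons), ...]} for suspicious requests.

    Two hypotheses are checked, matching the two approaches on this page: requests carrying
    code-execution indicators (4.2) and requests to a webshell path found by a scanner (4.3).
    """
    hits = defaultdict(list)
    for line in lines:
        m = REQ_RE.match(line)
        if not m:
            continue
        target = decode_fully(m["target"])
        path, _, query = target.partition("?")
        reasons = []
        if path in webshell_paths:
            reasons.append("request to known webshell path")
        if CMD_PARAM.search("?" + query):
            reasons.append("command parameter name")
        if CMD_VALUE.search(query):
            reasons.append("command word in parameter value")
        if reasons:
            hits[m["ip"]].append((m["time"], m["method"], target, int(m["status"]), reasons))
    return dict(hits)


def summarize(hits):
    """First and last timestamp and hit count per IP: the minimum an incident report needs."""
    return {ip: {"first": h[0][0], "last": h[-1][0], "count": len(h)} for ip, h in hits.items()}


# Constructed sample (not real traffic): two ordinary requests and three suspicious ones,
# one of them double-URL-encoded ("%2577..." decodes to "%77..." and then to "whoami").
SAMPLE_LOG = """\
203.0.113.7 - - [26/Oct/2023:09:00:01 +0800] "GET /index.php?id=5 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.7 - - [26/Oct/2023:09:00:02 +0800] "GET /upload/logo.png HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.23 - - [26/Oct/2023:09:14:31 +0800] "GET /index.php?x=%63%61%74%20/etc/passwd HTTP/1.1" 200 1290 "-" "python-requests/2.31"
198.51.100.23 - - [26/Oct/2023:09:14:35 +0800] "GET /index.php?cmd=%2577%2568%256f%2561%256d%2569 HTTP/1.1" 200 36 "-" "python-requests/2.31"
198.51.100.23 - - [26/Oct/2023:09:16:02 +0800] "POST /upload/banner.jsp HTTP/1.1" 200 0 "-" "Mozilla/5.0"
""".splitlines()


if __name__ == "__main__":
    found = search_log(SAMPLE_LOG, webshell_paths=("/upload/banner.jsp",))
    for ip, rows in found.items():
        print(ip, summarize(found)[ip])
        for row in rows:
            print("   ", row)
```

Without `webshell_paths` the script performs only the 4.2 keyword search; with the path from the scanner it also performs the 4.3 search, and the per-IP summary gives the first-seen time that the time-based method in 4.1 needs. The indicator lists are short on purpose: extend them with the parameter names and commands specific to the vulnerability you reproduced, and treat the status code (200 on the hits above) as confirmation that the request was served, as the author suggests.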

5. WEB Scanning-Conventional Backdoors & Memory Horses

This section covers how to detect and remove conventional backdoors and memory horses. Professional vendors have their own detection tools; for the rest of us, the following tools can be used in day-to-day emergency response.

Many of these are online scanners, which require uploading the files to be checked. That is acceptable for a single file, but to scan a whole directory tree the best approach is a locally deployed tool: anti-virus software, or Hippo or D-Shield, are good choices.

1. Alibaba Cloud Fumo (伏魔) webshell detection
https://ti.aliyun.com/#/webshell
2. Baidu WEBDIR+
https://scanner.baidu.com/#/pages/intro
3. Hippo (河马) webshell scanner
https://n.shellpub.com/
4. CloudWalker (牧云, Chaitin)
https://stack.chaitin.com/security-challenge/webshell
5. Online webshell check, extreme edition (bugscaner)
http://tools.bugscaner.com/killwebshell/
6. WebShell Detector
http://www.shelldetector.com/
7. D-Shield (D盾)
http://www.d99net.net
8. ThreatBook (微步在线) sandbox
https://threatbook.cn/next/product/sandbox
9. Various anti-virus products
Huorong (火绒), Tencent PC Manager (电脑管家), 360, Windows Defender, NOD32, etc.

5.1. Memory horse scanning

Memory horses (in-memory webshells) are the most common form of fileless webshell. As attack-and-defence exercises have grown more intense, blue teams widely deploy professional equipment such as traffic analysis and EDR, and traditional file-based webshells and backdoors are detected easily. With file shells largely exhausted, memory horses have become increasingly popular because of their stealth and other advantages.

After a client initiates a web request, the middleware's independent components (Listener, Filter, Servlet, and so on) each perform monitoring, decision and filtering operations as the request passes through. A memory horse abuses this pipeline by modifying an existing component in memory, or dynamically registering a new one, and inserting malicious code, so as to maintain persistent control of the server. The attacker can then access the vulnerable URL with command-execution parameters and have the server return the result, or connect to the memory horse remotely with webshell management tools such as AntSword, Behinder (Ice Scorpion) or Godzilla.

There are many kinds of memory horses, and they are currently quite hard to detect; without professional tools, manual analysis alone is difficult.

Most memory horse detection tools are written by individuals for a single language, and few cover several.
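The description above of dynamically registered Filters, Servlets and Listeners suggests the simplest detection heuristic for the Java case: every component defined by the web application's class loader should be backed by a `.class` file under `WEB-INF/classes` or by an entry in a jar under `WEB-INF/lib`; a registered component with no such file exists only in memory. The following Python script is an added example written for this article (not code from the original post or from any detection tool). It takes a component inventory of the kind a JVM-side inspection tool exports (here a constructed list, including the class loader name) and cross-checks it against a constructed web application on disk. Component names, packages and the loader label "ParallelWebappClassLoader" (Tomcat's web application loader) are assumptions for the sample.

```python
import os
import tempfile
import zipfile

# Constructed component inventory, in the shape a JVM inspection tool would export: the
# Filters, Servlets and Listeners currently registered for one web application, with the
# class loader that defined each component's class. Not real data.
INVENTORY = [
    {"type": "Filter", "class_name": "org.apache.catalina.filters.CorsFilter",
     "url_patterns": ["/*"], "loader": "URLClassLoader (common)"},          # container-provided
    {"type": "Filter", "class_name": "com.example.LoginFilter",
     "url_patterns": ["/login/*"], "loader": "ParallelWebappClassLoader"},  # on disk
    {"type": "Servlet", "class_name": "com.example.ReportServlet",
     "url_patterns": ["/report"], "loader": "ParallelWebappClassLoader"},   # on disk
    {"type": "Servlet", "class_name": "com.example.lib.ExportServlet",
     "url_patterns": ["/export"], "loader": "ParallelWebappClassLoader"},   # in a lib jar
    {"type": "Filter", "class_name": "com.example.util.HealthCheck",
     "url_patterns": ["/*"], "loader": "ParallelWebappClassLoader"},        # memory only, sees every request
    {"type": "Listener", "class_name": "org.apache.tomcat.util.Hook",
     "url_patterns": [], "loader": "ParallelWebappClassLoader"},            # memory only, container-like name
]


def on_disk_classes(webroot):
    """Fully qualified class names present in WEB-INF/classes and in jars under WEB-INF/lib."""
    names = set()
    classes_dir = os.path.join(webroot, "WEB-INF", "classes")
    for dirpath, _, files in os.walk(classes_dir):
        for f in files:
            if f.endswith(".class"):
                rel = os.path.relpath(os.path.join(dirpath, f), classes_dir)
                names.add(rel[:-6].replace(os.sep, "."))
    lib_dir = os.path.join(webroot, "WEB-INF", "lib")
    if os.path.isdir(lib_dir):
        for jar in os.listdir(lib_dir):
            if jar.endswith(".jar"):
                with zipfile.ZipFile(os.path.join(lib_dir, jar)) as zf:
                    names.update(n[:-6].replace("/", ".") for n in zf.namelist() if n.endswith(".class"))
    return names


def find_suspicious(inventory, known_classes, webapp_loader="WebappClassLoader"):
    """Components defined by the webapp loader whose class has no file on disk.

    Deciding by loader rather than by package name matters: a memory horse can call itself
    org.apache.anything, but it cannot change which loader defined it. A Filter or Servlet
    mapped to /* is rated high because it sees every request to the application.
    """
    suspicious = []
    for comp in inventory:
        if webapp_loader not in comp["loader"]:
            continue                        # container component: outside this check
        if comp["class_name"] in known_classes:
            continue
        severity = "high" if "/*" in comp["url_patterns"] else "medium"
        suspicious.append({**comp, "severity": severity,
                           "reason": "no .class file or jar entry backs this class"})
    return suspicious


def build_sample_webapp():
    """Constructed web application layout: two classes on disk and one inside a lib jar."""
    root = tempfile.mkdtemp(prefix="webapp_")
    for cls in ("com/example/LoginFilter.class", "com/example/ReportServlet.class"):
        full = os.path.join(root, "WEB-INF", "classes", cls)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        open(full, "wb").close()
    lib_dir = os.path.join(root, "WEB-INF", "lib")
    os.makedirs(lib_dir)
    with zipfile.ZipFile(os.path.join(lib_dir, "export.jar"), "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("com/example/lib/ExportServlet.class", b"")
    return root


if __name__ == "__main__":
    known = on_disk_classes(build_sample_webapp())
    for comp in find_suspicious(INVENTORY, known):
        print(comp["severity"], comp["type"], comp["class_name"], comp["url_patterns"], comp["reason"])
```

This check finds the common case, a component injected at runtime whose class never existed on disk, and it explains why the text calls memory horses hard to detect without tooling: nothing in the file system changes, so the inventory itself has to be pulled from the running JVM. It does not find a memory horse that rewrote the bytecode of an existing on-disk class through the Instrumentation API; catching that requires dumping the loaded class and comparing it with the file on disk.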

5.2. Ending

Regarding the memory horse, I originally wanted to demonstrate it, but there seem to be some problems in my local environment. At the same time, the online memory horse detection tool also seems to have problems after loading. I will not write up how to detect and remove the memory horse here for the time being; it will be summarised later.