Hacking attempt, what were they trying to do and how can I check if they succeeded?

Views: 52

Question

I recently asked this question: Exploit attempt?

But as I checked the logs some more I found out that they've been doing some more stuff and I felt that it would need a new question to cover them all.

First of all, my log has a couple of thousand entries from today. There must have been a couple of thousand requests per minute.

Question 1: The logged IP was our host's IP. How could they have spoofed this, or did the hacking attempt come from inside their network via an infected computer?

Question 2: I got an error logged:

The state information is invalid for this page and might be corrupted.

The logged path for this was:

OurURL/?ctl00$ctl00$ctrlheadermenu$ctrlsearchbox$btnsearch=sã¶k&ctl00$ctl00$cp

Also, I found this in the stack trace:

The input is not a valid Base-64 string as it contains a non-base 64 character, more than two padding characters, or a non-white space character among the padding characters.

What were they trying to do with this?

Question 3: I also found a request to this page. Were they trying to list our content?

OurURL/nessus=<!--#exec cmd="dir"-->

Question 4: There was also a request to this URL, which I found to be an attempted SQL injection. Is there a way to check what they did? And what would it do if it was successful?

OurURL/webresource.axd?'%2bconvert(varchar%2c0x7b5d)%2b'=1

There are probably a couple of thousand logged searches and attempted URLs that didn't exist, but I can't list them all here.

Answer

Answer 1: IP addresses can be spoofed, though it's also possible there's an infected internal computer doing this.

Answer 2: It seems that if this is an attack, the attacker was trying to find vulnerabilities in your base64 decoder.

Answer 3: Yes, they were trying to get a directory listing with the dir command.

Answer 4: convert(varchar,0x7b5d) returns 0x7b5d type-cast to a varchar. Without any context, this doesn't really do anything. The attacker may have been trying to test if query variable names were used directly in SQL queries, without sanitisation. The test by itself does no harm.
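The practical follow-up to the answer above is to go through the whole log rather than the handful of lines quoted in the question: tag each request for the three indicators discussed (a server-side include `exec` directive, a quoted SQL function spliced into a parameter name, and a `__VIEWSTATE` value that is not valid Base-64), and count requests per client and minute to find the burst the asker describes. The script below is an added example, not code from the question or the answer. It assumes a simplified, space-separated W3C-style log layout (date, time, client IP, method, URI stem, URI query, status) and runs on a few constructed sample lines that mirror the requests quoted on this page; a real IIS log has more fields and a header, so the `parse_line` split would need adjusting.

```python
import base64
import binascii
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote_plus

# Constructed sample log (hypothetical, simplified layout:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status).
# 10.0.0.5 sends the three requests quoted in the question plus a
# probe for a non-existent path; 192.0.2.10 is an ordinary visitor.
SAMPLE_LOG = """\
2011-05-05 10:00:01 10.0.0.5 GET / ctl00$ctl00$ctrlheadermenu$ctrlsearchbox$btnsearch=s%C3%B6k&__VIEWSTATE=AAAA!!!! 500
2011-05-05 10:00:01 10.0.0.5 GET /nessus=<!--#exec%20cmd="dir"--> - 404
2011-05-05 10:00:02 10.0.0.5 GET /webresource.axd '%2bconvert(varchar%2c0x7b5d)%2b'=1 200
2011-05-05 10:00:02 192.0.2.10 GET /products.aspx id=42 200
2011-05-05 10:00:03 10.0.0.5 GET /admin/ - 404
"""

# Server-side include exec directive, e.g. <!--#exec cmd="dir"-->
SSI_EXEC = re.compile(r"<!--\s*#\s*exec\b", re.I)
# A closing quote followed by string concatenation of a SQL function,
# the shape of the convert(varchar,0x7b5d) probe in the question.
SQL_FUNC_IN_QUOTE = re.compile(r"'\s*\+\s*(convert|cast|char)\s*\(", re.I)


def parse_line(line):
    """Split one simplified log line into its seven fields."""
    date, time, ip, method, stem, query, status = line.split(" ", 6)
    return {"date": date, "time": time, "ip": ip, "method": method,
            "stem": stem, "query": "" if query == "-" else query,
            "status": int(status)}


def valid_base64(value):
    """True if value decodes as strict Base-64 (the check the ASP.NET
    error in the question reports as failing)."""
    try:
        base64.b64decode(value, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def classify(entry):
    """Return the set of indicator tags that apply to one parsed entry."""
    tags = set()
    # Decode percent-encoding once so %20 and %2b do not hide the pattern.
    decoded = unquote_plus(entry["stem"] + "?" + entry["query"])
    if SSI_EXEC.search(decoded):
        tags.add("ssi_exec")
    if SQL_FUNC_IN_QUOTE.search(decoded):
        tags.add("sql_injection_probe")
    for key, value in parse_qsl(entry["query"], keep_blank_values=True):
        if key.lower() == "__viewstate" and not valid_base64(value):
            tags.add("viewstate_tamper")
    if entry["status"] >= 500:
        # A 5xx on a tampered request is what showed up as the
        # "state information is invalid" error in the question.
        tags.add("server_error")
    return tags


def find_bursts(entries, threshold):
    """Map (ip, HH:MM) -> request count for every pair at or above threshold."""
    per_minute = Counter((e["ip"], e["time"][:5]) for e in entries)
    return {key: n for key, n in per_minute.items() if n >= threshold}


def scan(log_text, burst_threshold=4):
    """Classify every line and report per-minute bursts per client IP."""
    entries = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    findings = [(e["ip"], e["stem"], sorted(classify(e))) for e in entries]
    return {"findings": findings,
            "bursts": find_bursts(entries, burst_threshold)}


if __name__ == "__main__":
    report = scan(SAMPLE_LOG)
    for ip, stem, tags in report["findings"]:
        print(f"{ip:12} {stem:40} {', '.join(tags) or '-'}")
    for (ip, minute), count in report["bursts"].items():
        print(f"burst: {ip} sent {count} requests during {minute}")
```

Run it against a real log by replacing `SAMPLE_LOG` with the file contents and raising `burst_threshold` to something that fits normal traffic (the asker's case was thousands per minute). A request tagged `sql_injection_probe` or `ssi_exec` that returned 200 is the line to inspect by hand, since the answer's point is that the probe itself is harmless and only an application that echoed the directive or executed the spliced SQL would have done anything.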
