Windows 2000 log files typically include the application log, security log, system log, DNS server log, FTP log, WWW log and so on; which ones exist depends on the services the server has enabled. When we use a scanner such as Fluxay (流光, "stream light") against a server, an IPC probe is immediately recorded in the security log together with the username, time and so on, and an FTP probe is immediately recorded in the FTP log with the IP, the time, and the usernames and passwords tried. Even starting it requires the dynamic link library msvcp60.dll; if the server does not have this file, that too is recorded in the log. This is why you should not use domestic hosts for practice: once they have your IP, finding you is easy, as long as they want to find you!! There is one more important log you should know about: the commonly used Srv.exe is started through the Task Scheduler service, and the scheduler log records everything started by that service, such as the starting and stopping of services.

Default log file locations:
Application log, security log, system log, DNS log: %systemroot%\system32\config; the default file size is 512 KB, and the administrator can change this default.
Security log file: %systemroot%\system32\config\SecEvent.Evt
System log file: %systemroot%\system32\config\SysEvent.Evt
Application log file: %systemroot%\system32\config\AppEvent.Evt
Internet Information Services FTP log: %systemroot%\system32\logfiles\msftpsvc1\, one log file per day by default
Internet Information Services WWW log: %systemroot%\system32\logfiles\w3svc1\, one log file per day by default
Scheduler service log: %systemroot%\schedlgu.txt

Log locations in the registry:
The application log, security log, system log and DNS server log are configured under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog. Some administrators are likely to relocate these logs.
There are many subkeys below EventLog, from which the directory locations of the above logs can be found.
The Scheduler service log is configured in the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SchedulingAgent.

FTP and WWW logs in detail: by default the FTP log and the WWW log each generate one log file per day containing all of that day's records. The file name is usually ex(year)(month)(day); for example, ex001023 is the log generated on October 23, 2000. You can open it directly with Notepad, as in the following example:

#Software: Microsoft Internet Information Services 5.0 (Microsoft IIS 5.0)
#Version: 1.0 (version 1.0)
#Date: 20001023 0315 (date the service started)
#Fields: time c-ip cs-method cs-uri-stem sc-status
0315 127.0.0.1 [1]USER administator 331 (a user named administator from IP address 127.0.0.1 tried to log in)
0318 127.0.0.1 [1]PASS - 530 (login failed)
032:04 127.0.0.1 [1]USER nt 331 (a user named nt from IP address 127.0.0.1 tried to log in)
032:06 127.0.0.1 [1]PASS - 530 (login failed)
032:09 127.0.0.1 [1]USER cyz 331 (a user named cyz from IP address 127.0.0.1 tried to log in)
0322 127.0.0.1 [1]PASS - 530 (failed)
0322 127.0.0.1 [1]USER administrator 331 (a user named administrator from IP address 127.0.0.1 tried to log in)
0324 127.0.0.1 [1]PASS - 230 (login succeeded)
0321 127.0.0.1 [1]MKD nt 550 (creating a directory failed)
0325 127.0.0.1 [1]QUIT - 550 (quitting the FTP program)

From the log you can see that IP address 127.0.0.1 kept trying to log in to the system, cycling through four usernames and passwords, and the administrator can immediately tell the intruder's time, IP address and the usernames probed. If, as above, the intruder finally got in with the Administrator username, consider changing that user's password, or renaming the Administrator user.
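The check the post says an administrator can do "immediately" can be automated over the FTP log. This is an added example, not code from the original post: it reads the #Fields directive of an IIS 5.0 W3C-extended FTP log, counts PASS commands answered 530 per client IP, keeps the USER names tried, and notes whether a later PASS got 230. The log text is constructed to mirror the post's sample; the field names and the "[1]" connection-number prefix follow the IIS format shown above.

```python
from collections import defaultdict

# Constructed sample in the IIS 5.0 FTP W3C-extended layout the post shows;
# the "[1]" prefix on cs-method is the IIS FTP connection number.
SAMPLE_FTP_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 20001023 03:15:00
#Fields: time c-ip cs-method cs-uri-stem sc-status
03:15:02 127.0.0.1 [1]USER administator 331
03:15:08 127.0.0.1 [1]PASS - 530
03:20:04 127.0.0.1 [1]USER nt 331
03:20:06 127.0.0.1 [1]PASS - 530
03:20:09 127.0.0.1 [1]USER cyz 331
03:20:12 127.0.0.1 [1]PASS - 530
03:22:00 127.0.0.1 [1]USER administrator 331
03:22:04 127.0.0.1 [1]PASS - 230
03:22:10 127.0.0.1 [1]MKD nt 550
03:22:15 127.0.0.1 [1]QUIT - 550
"""

def parse_w3c_log(text):
    """Yield one dict per record, keyed by the names in the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(None, len(fields) - 1)
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def find_password_guessing(text, threshold=3):
    """Per client IP: count PASS commands answered 530, record the user names
    tried (IIS puts the USER argument in cs-uri-stem) and, if a later PASS got
    230, which name finally logged in. Return only IPs at or over threshold."""
    per_ip = defaultdict(lambda: {"failures": 0, "users": [], "success_as": None})
    for rec in parse_w3c_log(text):
        ip = rec["c-ip"]
        cmd = rec["cs-method"].split("]", 1)[-1].upper()  # drop "[1]" prefix
        if cmd == "USER":
            per_ip[ip]["users"].append(rec["cs-uri-stem"])
        elif cmd == "PASS" and rec["sc-status"] == "530":
            per_ip[ip]["failures"] += 1
        elif cmd == "PASS" and rec["sc-status"] == "230":
            users = per_ip[ip]["users"]
            per_ip[ip]["success_as"] = users[-1] if users else None
    return {ip: d for ip, d in per_ip.items() if d["failures"] >= threshold}
```

An IP that fails repeatedly and then succeeds as Administrator is the case the post describes, and the returned user list tells you which accounts to reset or rename.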
WWW log: the WWW service works the same way as the FTP service; its logs are also in the %systemroot%\system32\logfiles\w3svc1 directory, one log file per day by default. Below is a typical WWW log file:

#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 20001023 03:091
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
20001023 03:091 192.168.1.26 192.168.1.37 80 GET /iisstart.asp 200 Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)
20001023 03:094 192.168.1.26 192.168.1.37 80 GET /pagerror.gif 200 Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)

By analyzing the sixth line you can see that on October 23, 2000 a user at IP address 192.168.1.26 visited iisstart.asp, and that this user's browser identifies itself as compatible; MSIE 5.0; Windows 98; DigExt. An experienced administrator can determine the intruder's IP address and intrusion time from the security log, the FTP log and the WWW log. Even if the FTP and WWW logs are deleted, the activity is still recorded in the system log and the security log; the only consolation is that just your machine name is shown there, not your IP. For the probe above, the system log produces the following record:
[figure: system log entry]
At a glance you can see that on October 23 at 16:17 the system logged a warning for some event; double-click it to open its properties:
[figure: event properties]
The cause of the warning is that someone tried to log in with the Administator username and got an error; the source is the FTP service. At the same time, a record is written to the security log:
[figure: security log] (eKIN: this picture is not the security log of this example)
You can see two icons in the figure: a key (indicating success) and a lock (indicating that what the user was doing was stopped by the system).
Four lock icons in a row indicate four failed audits; the event category is Logon/Logoff, the event is a logon failure, the date is October 18, 2000 and the time is 10:02, which deserves close attention. Double-click the first failed audit event to get its detailed description, as shown in Figure 12: from the analysis we can see that a workstation named CYZ tried the Administator username but failed because of an unknown username or bad password (in fact, a bad password).
In addition there is the DNS server log, which is not too important, so I will skip it (in fact I have not looked at it). Now that we know the details of the Windows 2000 logs, let's learn how to delete them. From the above we know that log files are usually protected by something in the background. For the system log, security log and application log, the service that owns them is a critical Windows 2000 process and is bound up with the registry; when Windows 2000 starts, it starts that service to protect these files, so they are very hard to delete. The FTP log, the WWW log and the schedlgu log, on the other hand, can be deleted easily. First obtain the password of Administrator or of a member of the Administrators group, then telnet to the remote host. Let's try the scheduler log first:

D:\server>del schedlgu.txt
D:\server\schedlgu.txt
The process cannot access the file because another program is using this file.

As I said, there is a service protecting it in the background, so stop the service first!

D:\server>net stop "Task Scheduler"
The following services depend on the Task Scheduler service.
Stopping the Task Scheduler service will also stop these services.
   Remote Storage Engine
Do you want to continue this operation? (Y/N) [N]: y
The Remote Storage Engine service is stopping...
The Remote Storage Engine service was stopped successfully.
The Task Scheduler service is stopping.
The Task Scheduler service was stopped successfully.

OK, the service is stopped, and the services that depend on it were stopped with it. Try deleting it again!

D:\server>del schedlgu.txt
D:\server>

No reaction? Success! Next are the FTP log and the WWW log; the principle is the same: stop the relevant service first, then delete the log!

D:\server\system32\logfiles\msftpsvc1>del ex*.log
D:\server\system32\logfiles\msftpsvc1>

The operation above successfully deleted the FTP log! Now the WWW log!

D:\server\system32\logfiles\w3svc1>del ex*.log
D:\server\system32\logfiles\w3svc1>

OK!
Congratulations, the simple logs have now been deleted. Now for the difficult ones, the security log and the system log. The one guarding those logs is the Event Log service; let's try stopping it!

D:\server\system32\logfiles\w3svc1>net stop eventlog
This service cannot accept the requested "pause" or "stop" operation.

Damn, I give up. No way, it is a critical service.
Without a third-party tool you simply cannot delete the security log and system log from the command line! So we still have to use a simple but painfully slow method. Open "Event Viewer" under "Administrative Tools" in "Control Panel" (98 doesn't have it; now you know the benefits of Win2K). The "Action" menu has an item named "Connect to another computer"; click it, as shown below:
[figure: Event Viewer Action menu]
Enter the IP of the remote computer, click OK, wait tens of minutes and endure the torture of the crawl, and then the picture below opens:
[figure: remote computer's logs in Event Viewer]
Select the security log of the remote computer, right-click, Properties:
[figure: security log properties]
Click the "Clear Log" button in the properties, OK! The security log is cleared! Endure the same pain to clear the system log! At present the FTP log, the WWW log and the schedlgu log can be removed quickly and smoothly. It is the system log and the security log that are under Windows 2000's strict guard: they can only be opened with the local Event Viewer, and because it is a graphical interface, on top of a slow network, it crawls. If you have plenty of money and idle time, you can still clear them. To sum up, this has introduced the Windows 2000 log files and how to delete them, but you must be an administrator; note that only an administrator or a member of the Administrators group can open the security log. This procedure applies to Windows 2000 Professional computers, and also to Windows 2000 Server computers running as a standalone server or member server. At this point the Windows 2000 security knowledge base lecture is complete, but I have a few more words to say, so everyone please take note: although the FTP and other logs can be cleared, the system log and security log cannot be deleted so quickly and smoothly. If you run into a clever administrator who has moved the log files elsewhere, it is even harder. So I advise everyone: don't use domestic hosts for testing, the domestic law is very strict!
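The post notes that the daily ex*.log files in msftpsvc1 and w3svc1 are the easiest to remove. Because IIS names them ex(year)(month)(day), a defender can spot the deletion described above as a hole in an otherwise continuous daily series. This is an added example, not code from the original post; the directory listing is constructed, and the two-digit year is assumed to mean 20YY.

```python
import re
from datetime import date, timedelta

# Constructed listing of %systemroot%\system32\logfiles\msftpsvc1 to check;
# October 23, 2000 (the day of the post's sample log) is missing.
SAMPLE_LISTING = ["ex001020.log", "ex001021.log", "ex001022.log",
                  "ex001024.log", "ex001025.log", "desktop.ini"]

LOG_NAME = re.compile(r"^ex(\d{2})(\d{2})(\d{2})\.log$", re.IGNORECASE)

def log_date(name):
    """Map an IIS daily log name exYYMMDD.log to a date; None for other files.
    Assumption: the two-digit year is 20YY, as in the post's ex001023."""
    m = LOG_NAME.match(name)
    if not m:
        return None
    yy, mm, dd = (int(g) for g in m.groups())
    return date(2000 + yy, mm, dd)

def missing_log_days(listing, first=None, last=None):
    """Return the dates between first and last (inclusive) with no daily log
    file. first/last default to the earliest and latest dates in the listing,
    so a deleted file in the middle of the series shows up as a gap."""
    present = {d for d in map(log_date, listing) if d is not None}
    if not present:
        return []
    first = first or min(present)
    last = last or max(present)
    day, gaps = first, []
    while day <= last:
        if day not in present:
            gaps.append(day)
        day += timedelta(days=1)
    return gaps
```

IIS only creates a day's file on the first request of that day, so a gap on a day with no traffic is normal; a gap on a day the security log or system log shows FTP or WWW activity is the case to investigate.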
When I was eating today I heard about two people joking around: one hid the other's belongings, the other panicked and reported it to the police, and the one who hid the things was sentenced to four years!! The judge said the law does not joke!!! So everyone must keep this in mind! (Don't say the old man is nagging.) If you have any other questions, please ask in the Light and Shadow Forum! Thank you!