Please come together to protect our own. What follows is some of my rough research on the Windows 2000 Server security logs; the aim is to help the rookies who get picked off as "meat bags". I hope an expert will point out where my beginner's work goes wrong and how to track further.
Today I read an online novel; the plot was the usual routine, national security bureau, intelligence bureau and so on, nothing worth mentioning. After reading it I suddenly became interested in tracking: what kind of traces do we leave on the Internet? OK, so I first launched a mock attack on my own machine, running a password dictionary against my FTP with "streamed 2001". Then I opened the Computer Management tool and looked at the system event log: the whole thing was yellow warnings. One or two warnings are no big deal, but hundreds of yellow rows would make even a fool realise he was being attacked! Clicking an item to see its details, here is what it says:
"The server failed due to a logon error: unknown user name or bad password. Unable to log on to the Windows NT account 'administrator'. The data is the error code.
For more information about this message, visit the Microsoft Online Support site: http://www.microsoft.com/contentredirect.asp."
There is no IP information in it. But then I felt that made no sense; nobody would design it so stupidly, and getting the other side's IP can't be that hard. I just didn't know where this information was kept. Looking at the event carefully, the Source field says "MSFTPSVC1". What is that??? Searching for it, there is a system32/logfiles/msftpsvc1 directory. Opening it, there are many files in the same naming format, and the numeric part should be the date. Opening today's file: damn, everything is in here, every FTP login, including the most annoying part, the IP address. OK, so this is the FTP security log. Where are the other logs? Logfiles surely holds the rest, and indeed the WWW service's log files are under W3SVC1 below it. So I made some mock attacks on the HTTP login and found that each 401 HTTP response is recorded in detail; if you see a long string of 401s in the log you can conclude you're being attacked, and from the IP you can also work out the attacker's approximate location. However, this event generates no warning in the Event Viewer, and the log holds no information about the username the attacker tried, which is not quite good enough.
At the same time I found that the information in the Event Viewer seems to be a summary of various sources, so I have reason to believe it does not read those log files directly. Opening the Event Viewer's Action menu, I found there is an option to open a log file, and it turns out to be a .evt file, obviously not the log files we looked at above. Searching, I found three .evt files in the /System32/Config directory: SysEvent.evt, SecEvent.evt and AppEvent.evt, where App is application, Sys is system and Sec should be security. They cannot be viewed while the Event Viewer is using them; a "file in use" message appears. The other two open without any difference. Opening them with Notepad shows it isn't a text format, which means it is hard to read or change. This is a bit bad: we could edit the log files to wipe our own footprints, but how? Delete them? Wouldn't that tell him someone has broken in? Then again, it's not such a big deal if he has no IP to work with. So how do you keep the other side from finding your IP, and keep him from knowing he's been invaded? That's a bit difficult; I ask the experts for guidance. Finally, a few feelings. Although I am just a child standing in front of the gate of knowledge, I have still gained something. Looking back I feel a bit scared; don't misunderstand, I haven't defaced any homepage and I don't intend to, I don't think that's interesting, gathering knowledge is what is most interesting. I'm afraid I left traces in too many places; now when I think back I can't even remember them all, and I'm afraid someone will always come looking. So I want to offer some advice to the comrades who come after me.
1. Don't experiment in China. Although there are more domestic vulnerabilities, the risk is also greater; abroad is relatively safe, and as long as you're only playing around, I believe it's basically no trouble. (Sigh! Why didn't anyone tell me this at the time?)
2. Don't touch systems you aren't familiar with. I've also studied some UNIX now, but there are basic concepts I still don't understand, so I don't touch it. Oh, and NT, I've only just started; more in the days ahead.
3. If you want to hit a target, first think about how likely it is that you can crack its password, and only go ahead once you can. Because if you can get in, you can wipe your own footprints; otherwise you can only stand there looking at them.
4. When using web command-line attacks, use a proxy as much as possible. This is very important, because there is a lot of risk, provided your purpose is knowledge. By the way, the proxy set in IE is only used by IE; that is, if you use attack software based on the command line you will still leave your IP footprint, and my unicode1.1 is no exception. I don't know whether there is any attack software that lets you set a proxy; it would be best to be able to set several proxies. I hope an expert can provide information. I want to study proxies and see whether I can add this function to my future software, but it's difficult because I'm still quite confused about how proxies work. By the way, what are IE's advanced settings and the FTP proxy setting for, how do you use them, and where can you find such proxy servers? If I set an FTP proxy, can I use FTP the way I browse the WWW? Will there be an intermediate server in between? I really hope someone can point me the way; studying these things alone is really hard and takes too much time. If there were a group of people, that would be good, everyone sharing their research results; after all, science is no lonely hero. Is the Green League looking for people, will you recruit me? (With people like you, don't be a refugee army; voice from off-stage.) So good!
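As an added example (not code from the post), a small Python script that reads IIS W3C-format log lines like those in the msftpsvc1 and W3SVC1 directories the post describes, and flags client IPs with repeated failed logins; the log lines are constructed samples and the field layout is assumed.

```python
from collections import Counter

# Constructed sample of an IIS 5 W3C-extended FTP log (MSFTPSVC1), not from the post.
FTP_LOG = """#Fields: time c-ip cs-method cs-uri-stem sc-status
10:05:01 192.168.1.50 [1]USER administrator 331
10:05:01 192.168.1.50 [1]PASS - 530
10:05:02 192.168.1.50 [2]USER administrator 331
10:05:02 192.168.1.50 [2]PASS - 530
10:05:03 192.168.1.50 [3]USER administrator 331
10:05:03 192.168.1.50 [3]PASS - 530
10:07:10 192.168.1.9 [4]USER backup 331
10:07:10 192.168.1.9 [4]PASS - 230
"""

# Constructed sample of a W3SVC1 log; cs-username is "-" on a 401, as the post observes.
WEB_LOG = """#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status
2001-03-12 10:06:00 192.168.1.50 - 10.0.0.5 80 GET /admin/ - 401
2001-03-12 10:06:01 192.168.1.50 - 10.0.0.5 80 GET /admin/ - 401
2001-03-12 10:06:02 192.168.1.50 - 10.0.0.5 80 GET /admin/ - 401
2001-03-12 10:06:09 192.168.1.77 - 10.0.0.5 80 GET /index.htm - 200
"""

def parse_w3c(text):
    """Yield one dict per record, naming columns from the most recent #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def failed_logins_by_ip(text, failure_codes):
    """Count records per client IP whose status is a failure (530 for FTP PASS, 401 for HTTP)."""
    counts = Counter()
    for rec in parse_w3c(text):
        if rec.get("sc-status") in failure_codes:
            counts[rec["c-ip"]] += 1
    return counts

def suspicious_ips(text, failure_codes, threshold=3):
    """IPs at or above the threshold, i.e. the 'long string of 401s' the post describes."""
    return sorted(ip for ip, n in failed_logins_by_ip(text, failure_codes).items() if n >= threshold)

def ftp_usernames_tried(text):
    """Usernames offered in FTP USER commands (the web log has no such field, as the post notes)."""
    return Counter(r["cs-uri-stem"] for r in parse_w3c(text) if r["cs-method"].endswith("USER"))

if __name__ == "__main__":
    print("FTP:", suspicious_ips(FTP_LOG, {"530"}), dict(ftp_usernames_tried(FTP_LOG)))
    print("WEB:", suspicious_ips(WEB_LOG, {"401"}))
```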