[Sharing] Windows 2000 log details and deletion methods

xiaoxiao2021-03-06  38

Note: This article is for research and study only and must not be used as a guide for attacking other people's systems.

Windows 2000 log files typically include the application log, the security log, the system log, the DNS server log, the FTP log, the WWW log and so on; which ones exist depends on the services the server runs. When we scan a host with Fluxay (流光), for example, an IPC probe is promptly recorded in the security log together with the user name, time and so on, and an FTP probe is immediately recorded in the FTP log with the IP address, the time, and the user names and passwords tried. Even a missing dependency gets logged: Fluxay needs the msvcp60.dll dynamic-link library when it starts on the target, and if the server does not have that file, the failure is written to the log. This is why you should not use domestic hosts as practice targets: with your IP address in their logs they can find you easily, whenever they want to. There is one more important log you should know about: the Scheduler log. The commonly used srv.exe is started through the Task Scheduler service, and this log records everything that service does, such as the service starting and stopping.

Log file default location:

Application log, security log, system log and DNS server log default location: %SystemRoot%\System32\Config; the default maximum file size is 512 KB, which the administrator can change.

Security log file: %SystemRoot%\System32\Config\SecEvent.Evt
System log file: %SystemRoot%\System32\Config\SysEvent.Evt
Application log file: %SystemRoot%\System32\Config\AppEvent.Evt
Internet Information Services FTP log default location: %SystemRoot%\System32\LogFiles\MSFTPSVC1\, one log file per day by default
Internet Information Services WWW log default location: %SystemRoot%\System32\LogFiles\W3SVC1\, one log file per day by default
Scheduler service log default location: %SystemRoot%\SchedLgU.Txt

Where the above logs are recorded in the registry:

Application log, security log, system log and DNS server log: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog. Some administrators relocate these logs; EventLog has several subkeys, and the directory of each log above can be found under them.
Scheduler service log: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SchedulingAgent

FTP and WWW log details:

By default the FTP log and the WWW log generate one file per day that holds all records of that day. The file name is exYYMMDD (year, month, day), so ex001023 is the log generated on October 23, 2000. It can be opened directly with Notepad and looks like this:

#Software: Microsoft Internet Information Services 5.0 (Microsoft IIS 5.0)
#Version: 1.0 (log format version 1.0)
#Date: 20001023 0315 (date and time the service started logging)
#Fields: time c-ip cs-method cs-uri-stem sc-status
03:15 127.0.0.1 [1]USER administator 331 (the user at IP address 127.0.0.1 tried to log in as "administator"; 331 means the server is waiting for the password)
03:18 127.0.0.1 [1]PASS - 530 (login failed)
03:22:04 127.0.0.1 [1]USER nt 331 (the user at 127.0.0.1 tried to log in as "nt")
03:22:06 127.0.0.1 [1]PASS - 530 (login failed)
03:22:09 127.0.0.1 [1]USER cyz 331 (the user at 127.0.0.1 tried to log in as "cyz")
03:22 127.0.0.1 [1]PASS - 530 (login failed)
03:22 127.0.0.1 [1]USER administrator 331 (the user at 127.0.0.1 tried to log in as "administrator")
03:24 127.0.0.1 [1]PASS - 230 (login succeeded)
03:21 127.0.0.1 [1]MKD nt 550 (creating a directory failed)
03:25 127.0.0.1 [1]QUIT - 550 (FTP session ended)

The log shows that the IP address 127.0.0.1 kept trying to log in to the system and went through four user names and passwords. From it the administrator learns the intrusion time, the intruder's IP address and the user names that were probed. In the case above the intruder finally got in with the Administrator user name, so the administrator should consider changing that account's password or renaming the Administrator user.

WWW log

The WWW service works like the FTP service. Its log is written to the %SystemRoot%\System32\LogFiles\W3SVC1 directory, one file per day by default. A typical WWW log file looks like this:

#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 20001023 03:09
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
20001023 03:09 192.168.1.26 - 192.168.1.37 80 GET /iisstart.asp - 200 Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt)
20001023 03:09 192.168.1.26 - 192.168.1.37 80 GET /pagerror.gif - 200 Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt)

Look at the first data line: the user at IP address 192.168.1.26 viewed the page iisstart.asp on the machine with IP address 192.168.1.37, port 80, and the browser identified itself as Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt). An experienced administrator can determine the intruder's IP address and the time of the intrusion from the security log, the FTP log and the WWW log. Even if the FTP and WWW logs are deleted, the activity is still recorded in the system log and the security log. The good news for the intruder is that those only show the machine name, not the IP address. For the probe above, the system log contains the following record: at a glance you see that on October 23 at 16:17 the system raised a warning; double-click the event to open its properties:
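The FTP and WWW excerpts above are both in the W3C extended log format, where a #Fields directive names the columns of every record that follows. The following added example (not code from the original post) parses that format once and uses it for both logs: it flags FTP password guessing of the kind shown in the FTP excerpt (several PASS rejections, status 530, from one client followed by an accepted PASS, status 230) and summarises the WWW log per client address. The two logs embedded in it are constructed to mirror the excerpts, with seconds and the cs-username column filled in, and are not real server logs; IIS writes spaces inside a field as "+", so splitting on whitespace is safe.

```python
"""Parse IIS 5.0 W3C extended logs (the FTP and WWW logs above) and flag
FTP password guessing: several PASS rejections (530) from one client
followed by an accepted PASS (230).

Added example, not code from the original post. The two logs below are
constructed to mirror the excerpts in the text.
"""
from collections import defaultdict

# Constructed FTP log in the msftpsvc1\exYYMMDD.log format. "[1]" is the
# FTP session number that IIS prefixes to the command.
FTP_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2000-10-23 03:15:53
#Fields: time c-ip cs-method cs-uri-stem sc-status
03:15:53 127.0.0.1 [1]USER administator 331
03:18:10 127.0.0.1 [1]PASS - 530
03:22:04 127.0.0.1 [1]USER nt 331
03:22:06 127.0.0.1 [1]PASS - 530
03:22:09 127.0.0.1 [1]USER cyz 331
03:22:12 127.0.0.1 [1]PASS - 530
03:22:40 127.0.0.1 [1]USER administrator 331
03:24:01 127.0.0.1 [1]PASS - 230
03:24:30 127.0.0.1 [1]MKD nt 550
03:25:02 127.0.0.1 [1]QUIT - 221
03:30:00 192.168.1.9 [2]USER anonymous 331
03:30:01 192.168.1.9 [2]PASS - 230
"""

# Constructed WWW log in the w3svc1\exYYMMDD.log format.
WWW_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2000-10-23 03:09:11
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2000-10-23 03:09:11 192.168.1.26 - 192.168.1.37 80 GET /iisstart.asp - 200 Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt)
2000-10-23 03:09:14 192.168.1.26 - 192.168.1.37 80 GET /pagerror.gif - 200 Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt)
2000-10-23 03:12:51 192.168.1.9 - 192.168.1.37 80 GET /default.asp - 404 Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+NT)
"""


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields directive.
    Lines starting with '#' are directives; a later #Fields line re-keys the
    records that follow it (IIS writes a new header after every restart)."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data record before any #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"field count mismatch in line: {line!r}")
        yield dict(zip(fields, values))


def ftp_guessing(records, min_failures=3):
    """Return {client_ip: (rejected_passwords, user_finally_accepted)} for
    clients whose 230 came after at least min_failures 530s. The PASS line
    does not name the account, so the last USER seen per client is kept."""
    failures = defaultdict(int)
    last_user = {}
    hits = {}
    for r in records:
        ip = r["c-ip"]
        method = r["cs-method"].split("]", 1)[-1].upper()  # drop the "[n]" session prefix
        if method == "USER":
            last_user[ip] = r["cs-uri-stem"]
        elif method == "PASS":
            if r["sc-status"] == "530":
                failures[ip] += 1
            elif r["sc-status"] == "230":
                if failures[ip] >= min_failures:
                    hits[ip] = (failures[ip], last_user.get(ip, "?"))
                failures[ip] = 0
    return hits


def www_clients(records):
    """Summarise the WWW log per client address: request count, paths and
    the set of User-Agent strings (with IIS '+' decoded back to spaces)."""
    out = defaultdict(lambda: {"requests": 0, "paths": [], "agents": set()})
    for r in records:
        c = out[r["c-ip"]]
        c["requests"] += 1
        c["paths"].append(r["cs-uri-stem"])
        c["agents"].add(r["cs(User-Agent)"].replace("+", " "))
    return dict(out)


if __name__ == "__main__":
    for ip, (n, user) in ftp_guessing(parse_w3c(FTP_LOG)).items():
        print(f"FTP: {ip} got in as {user!r} after {n} rejected passwords")
    for ip, info in www_clients(parse_w3c(WWW_LOG)).items():
        print(f"WWW: {ip} made {info['requests']} request(s): {info['paths']}")
```

Run against the constructed logs, the FTP check reports 127.0.0.1 getting in as administrator after three rejected passwords and says nothing about the anonymous login from 192.168.1.9, which is the pattern the article wants the administrator to notice; the WWW summary pairs each client address with the pages it fetched and the browser string it sent.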

The warning was recorded because someone tried to log on with the user name "Administator" and got an error; the source is the FTP service. At the same time a record is written to the security log, where two icons appear: a key (a successful audit) and a lock (a failed audit, meaning the user's action was refused). Four lock icons in a row indicate four failure audits; the event category is Logon/Logoff, the type is a failed logon, the date is October 18, 2000 and the time is 10:02. This deserves close attention.

Double-click the first failure audit event to see its detailed description: a workstation named CYZ tried to log on to this machine as the user "Administator", and failed because the user name was unknown or the password was wrong (in fact the password was wrong). In Windows 2000 this is security event 529 (Logon Failure: Unknown user name or bad password).

There is also the DNS server log, which is not very important (actually I have never looked at it).

Now that the details of the Windows 2000 logs are known, let's learn how to delete them. As seen above, a log file usually has a service protecting it in the background. For the system log, security log and application log that service is a critical Windows 2000 process, bound together with the registry; it starts when Windows 2000 starts and holds these files open, so they are very hard to delete. The FTP log, the WWW log and the SCHEDLGU log, on the other hand, can be deleted easily. First you need the password of Administrator or of another member of the Administrators group, then Telnet to the remote host. Try deleting the Scheduler log first:

D:\server>del schedlgu.txt
D:\server\schedlgu.txt
The process cannot access the file because it is being used by another process.

As said, a service protects it in the background, so stop the service first:

D:\server>net stop "Task Scheduler"
The following services are dependent on the Task Scheduler service.
Stopping the Task Scheduler service will also stop these services.

   Remote Storage Engine

Do you want to continue this operation? (Y/N) [N]: Y
The Remote Storage Engine service is stopping...
The Remote Storage Engine service was stopped successfully.

The Task Scheduler service is stopping.
The Task Scheduler service was stopped successfully.

OK, the service is stopped, and so are the services that depend on it. Try the deletion again:

D:\server>del schedlgu.txt
D:\server>

No complaint this time: success! Next come the FTP log and the WWW log. The principle is the same: stop the relevant service first (the FTP Publishing Service for MSFTPSVC1, the World Wide Web Publishing Service for W3SVC1), then delete the logs:

D:\server\system32\logfiles\msftpsvc1>del ex*.log
D:\server\system32\logfiles\msftpsvc1>

That deleted the FTP log. Now the WWW log:

D:\server\system32\logfiles\w3svc1>del ex*.log
D:\server\system32\logfiles\w3svc1>

OK! Congratulations, the simple logs have now been deleted. Next are the difficult ones, the security log and the system log. The service guarding them is Event Log, so try to stop it:

D:\server\system32\logfiles\w3svc1>net stop eventlog
This service cannot accept the requested "pause" or "stop" operation.

Damn, no luck: it is a critical service. Without a third-party tool the security log and the system log cannot be deleted from the command line at all, so the simple but painfully slow method has to be used. Open "Event Viewer" under "Administrative Tools" in the "Control Panel" (Windows 98 does not have it; this is one benefit of Win2K). The "Action" menu has an item "Connect to another computer"; enter the IP address of the remote computer, click OK, wait dozens of minutes while enduring the slowness, select the remote computer's security log, right-click it and choose Properties.

Click the "Clear Log" button in the properties, and OK! The security log is cleared. Endure the same pain to clear the system log. To sum up: the FTP log, the WWW log and the SCHEDLGU log can be removed quickly and smoothly, but the system log and the security log are strictly guarded by Windows 2000 and can only be cleared through Event Viewer. Because that goes through the graphical interface and the network is slow, you can only clear them if you have plenty of bandwidth and spare time. Note also that clearing the security log this way is itself audited: Windows 2000 writes security event 517 (The audit log was cleared) as the first entry of the fresh log, so an administrator can see that the log was emptied even though the earlier entries are gone.

This concludes the introduction to the Windows 2000 log files and their deletion, but you must be Administrator, and bear in mind that a member of the Administrators group has to have enabled security logging in the first place. This procedure applies to Windows 2000 Professional computers and also to Windows 2000 Server computers running as a stand-alone server or a member server. The Windows 2000 security knowledge base lecture ends here, with a few closing words: everybody has seen that although the FTP and other logs can be cleared, the system log and the security log cannot be cleared as quickly or as smoothly, and if you run into a clever administrator who has moved the log files elsewhere, it is harder still. So, once again: do not use domestic hosts as test targets.

Reposted from: http://bbs.dvbbs.net/dispbbs.asp?BoardId=18&ID=869294&Page=1&replyid=2168521&Skin=1
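The "del ex*.log" step above leaves a visible hole: IIS names each daily log exYYMMDD.log, so the days that were deleted are simply absent from the directory. The following added example (not code from the original post, and not a Microsoft tool) is the check an administrator would run over the msftpsvc1 or w3svc1 directory to list the missing days. The directory listing embedded in it is constructed to show a server whose logs for October 20 to 22, 2000 were deleted; the century used to expand the two-digit year is an assumption passed as a parameter.

```python
"""List days whose IIS daily log file (exYYMMDD.log) is missing from a
logfiles directory, the trace left behind by "del ex*.log".

Added example, not code from the original post. LISTING is a constructed
directory listing, not a real server's; the century is an assumption.
"""
from datetime import date, timedelta
import re

# exYYMMDD.log, case-insensitive because NTFS preserves but ignores case.
LOG_NAME = re.compile(r"^ex(\d{2})(\d{2})(\d{2})\.log$", re.IGNORECASE)


def log_dates(names, century=2000):
    """Map every exYYMMDD.log name to a date; ignore other files in the
    directory. Names that do not parse as a date are skipped as well."""
    found = set()
    for n in names:
        m = LOG_NAME.match(n)
        if not m:
            continue
        yy, mm, dd = (int(g) for g in m.groups())
        try:
            found.add(date(century + yy, mm, dd))
        except ValueError:
            pass
    return found


def _as_date(v):
    return date.fromisoformat(v) if isinstance(v, str) else v


def missing_days(names, first=None, last=None, century=2000):
    """Return the ISO dates in [first, last] that have no log file.
    The bounds default to the span of the files present, which catches a
    gap in the middle; pass explicit bounds (date or 'YYYY-MM-DD') to also
    catch deletion at the start or end of the retention period."""
    present = log_dates(names, century)
    if not present:
        return []
    first = _as_date(first) if first else min(present)
    last = _as_date(last) if last else max(present)
    gaps = []
    d = first
    while d <= last:
        if d not in present:
            gaps.append(d.isoformat())
        d += timedelta(days=1)
    return gaps


# Constructed listing of %SystemRoot%\system32\logfiles\msftpsvc1 after the
# deletion described above: 20-22 Oct are gone, 23 Oct was recreated when
# the FTP service was restarted, and a stray text file is ignored.
LISTING = ["ex001018.log", "ex001019.log", "ex001023.log", "ex001024.log", "notes.txt"]

if __name__ == "__main__":
    for day in missing_days(LISTING):
        print("no FTP log for", day)
```

With the constructed listing the check reports 2000-10-20, 2000-10-21 and 2000-10-22. The same function works for w3svc1, and when the retention policy is known, calling it with explicit bounds (for example first="2000-10-01") also reveals whole runs of days removed from the beginning of the directory, which the default bounds cannot see.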

When reposting, please cite the original address: https://www.9cbs.com/read-76430.html
