1. Special log files
To understand log files, first understand what makes them special: they are managed and protected by the system, and under normal circumstances an ordinary user cannot change them. You cannot open and edit them the way you would an ordinary TXT file with WPS, Word, Notepad, Edit and so on; none of these will work. You cannot even rename, delete or move them; the system will bluntly reply: Access denied. In pure DOS mode (for example on a Windows 98 machine) some routine operations are possible, but you will soon find that the changes are useless: when Windows 98 restarts, the system checks for the special log file. If it does not exist, one is generated automatically; if it does exist, new log records are simply appended to it.
2. Why hackers are interested in log files
A hacker who has obtained administrator privileges on a server can destroy any file on the system at will, including log files. But all of this is recorded by the system log, so to hide the traces of an intrusion the hacker has to modify the log. The simplest method is to delete the system log file, but that is generally what beginners do; experienced hackers instead modify the log so that the system administrator cannot track them, and there are many specialized programs on the network for this purpose, such as Zap and Wipe.
3. Introduction to the Windows series of log systems
1. Windows 98 log files
Because the vast majority of users currently run Windows 98, this section first talks about the Windows 98 log files. Windows 98 users generally do not use the system log unless they have a special purpose, for example using Windows 98 to build a personal web server, in which case the server log needs to be enabled as a security reference. A Windows 98 user who has already set up Personal Web Server can enable logging with the following steps.
(1) In the "Control Panel", double-click the "Personal Web Server" icon (the network protocols must already be correctly configured and "Personal Web Server" must already be installed);
(2) On the "Management" tab, click the "Management" button;
(3) On the "Internet Services Administrator" page, click "WWW Administration";
(4) On the "WWW Administration" page, click the "Logging" tab;
(5) Select the "Enable logging" box and adjust the settings as needed. The log file will be named "Inetserver_event.log". If no log file directory is specified on the "Logging" tab, the file is stored in the Windows folder.
An ordinary Windows 98 user will find the log file schedlog.txt in the Windows system folder. It can be found in either of the following ways: use "Start" / "Find" to search for it, or launch "Task Scheduler" and click "View Log" on its "Advanced" menu. The log of an ordinary Windows 98 user is very simple, recording only the running of some preset tasks; compared with NT as a server operating system, real hackers are rarely interested in Windows 98. For this reason the Windows 98 log receives little attention.
2. Windows NT system logs
Windows NT is now one of the most attacked operating systems. In Windows NT almost every transaction is audited to some degree in the system log files. Windows NT log files are generally divided into three categories:
System log: tracks a variety of system events and records events originating from Windows NT system components. For example, an error in a driver loaded during startup, or the failure of another system component, is recorded in the system log.
Application log: records events generated by applications; for example, an application's failure to load a DLL (dynamic link library) appears in this log.
Security log: records logon and logoff, network access, system startup and shutdown, and events related to the use of resources such as creating, opening or deleting files. Using the "Event Viewer", the events that the security log should record can be specified; by default the security log is turned off.
Windows NT system logs are usually placed in the following locations, with slight variation between operating system versions:
C:\systemroot\system32\config\sysevent.evt
C:\systemroot\system32\config\secevent.evt
C:\systemroot\system32\config\appevent.evt
Windows NT stores its log files in a special format that can be read with the Event Viewer. The Event Viewer can be found in the "Control Panel"; the system administrator can use the Event Viewer's options to view log entries and filter them by category, user and message type.
3. Windows 2000 log system
Like Windows NT, Windows 2000 uses the same "Event Viewer" to manage the log system, and likewise the system administrator must log in to the system before operating it, as shown in Figure 7-1.
In Windows 2000 there are more types of log files, usually including the application log, security log, system log, DNS server log, FTP log, WWW log and so on, varying slightly with the services the server has opened. When Windows 2000 starts, the event log service is activated automatically; all users can view the "application log", but only the system administrator can access the "security log" and the "system log". By default the "security log" is turned off, but "Group Policy" can be used to enable the "security log" and start recording. Once the security log is opened, it keeps recording without restriction until it is full, at which point it stops.
Default locations of Windows 2000 log files:
Application log, security log, system log and DNS log default location: %systemroot%\system32\config; the default file size is 512 KB, though experienced system administrators often change the default size.
Security log file: c:\systemroot\system32\config\SecEvent.EVT
System log file: c:\systemroot\system32\config\SysEvent.EVT
Application log file: c:\systemroot\system32\config\AppEvent.EVT
Internet Information Services FTP log default location: c:\systemroot\system32\logfiles\msftpsvc1\.
Internet Information Services WWW log default location: c:\systemroot\system32\logfiles\w3svc1\.
Scheduler service log default location: c:\systemroot\schedlgu.txt. The log records the visitor's IP address and the content that was requested.
Because Windows 2000 continues the NT log files and adds FTP and WWW logs on top of them, this section gives a simple introduction to the FTP and WWW logs. The FTP log records in text form the details of files uploaded via FTP: their source, file name and so on. But because this log is so obvious, experienced hackers simply do not use this method to transfer files and use RCP instead. The WWW and FTP log files are generally located in the c:\systemroot\system32\LogFiles\W3SVC1 directory, with one log file per day by default.
The FTP and WWW logs can be deleted, but the FTP log is also recorded in the system log and the security log. If a user needs to delete these files, it can be done with some not-so-sophisticated methods, such as first stopping certain services and then deleting the log file. The specific methods are omitted.
Windows 2000 provides a security log analyzer tool called CyberSafe Log Analyst (CLA). It has very strong log management functions: instead of slowly searching a dazzling log for a particular record, it organizes events by category so that users can quickly find the entries they need. Another prominent characteristic is that it analyzes the various activities of multiple systems across the whole network environment at the same time, avoiding the trouble of analyzing each separately.
4. Windows XP log files
For the Windows XP log files we should first talk about the Internet Connection Firewall (ICF) log. ICF log entries fall into two categories: IP packets that ICF audited and IP packets that ICF dropped. The log is generally kept in the Windows directory under the file name pfirewall.log. Its format follows the W3C Extended Log File Format and is divided into two parts: the header (Head Information) and the body (Body Information). The part of pfirewall.log that needs attention is the body. The body records the information of IP packets that ICF audited successfully or dropped, including source address, destination address, port, time, protocol and other details. Understanding this information further requires knowledge of the TCP/IP protocols. The security log ICF generates uses the W3C extended log file format, which is a format commonly used by log analysis tools. We can open the Event Viewer in the Windows XP "Control Panel".
In Windows XP we can also see the same system log, security log and application log files; clicking on any one of them shows some of its log records.
To record unsuccessful connection attempts, select the "Log dropped packets" box; otherwise they are not logged. In addition, tools such as Jinshan (Kingsoft) Net Dart can be used to export the "security log" and delete it.
5. Log analysis
While the log faithfully records everything in the system for the user every day, the user also needs to manage the log in a standardized way. But a huge log record can leave the user panicked and perplexed, and at that point the right log analysis tools are needed. Comprehensive log analysis can help the user obtain useful information from the log records, so that different users can take the necessary measures.
6. System log deletion
Because the method of deleting logs varies slightly between operating systems, this paper describes log deletion separately for the two clearly different operating systems, Windows 98 and Windows 2000.
7. Deleting logs under Windows 98
With the computer in pure DOS mode, some common modify or delete commands can remove the Windows 98 log records. When Windows 98 restarts, the system checks whether the log file exists; if it finds the log file missing, it automatically rebuilds one, but the original log records are all gone.
8. Deleting logs under Windows 2000
Deleting logs under Windows 2000 is much more complex than under Windows 98. We know that the logs are managed and protected by the system and under normal circumstances cannot be deleted or modified; they are also closely tied to the registry. To delete logs under Windows 2000, system administrator privileges are needed first, and because the security log and system log are protected, they can only be deleted after the system administrator has read them.
We give a brief presentation of deleting the application log, security log, system log, DNS server log, FTP log and WWW log. To delete a log file, the system's protection of the log file must first be stopped. A single command can delete the log files other than the security log and system log, but the security log must be controlled with the "Event Viewer" on the system: open "Control Panel", then "Administrative Tools", then "Event Viewer". In the "Action" menu there is an item called "Connect to another computer".
Enter the remote computer's IP address and wait, select the remote computer's security log, and click the "Clear Log" button in its properties.
9. Finding traces of intrusion
Finding traces of an intrusion after an intruder has attempted or broken into a system, in time to prevent it effectively, is one of the hot topics in intrusion detection. Finding traces of intrusion presupposes a database of intrusion characteristics; we generally use the system log, the firewall, checks of the source address in the IP header, email detection and an Intrusion Detection System (IDS) to determine whether there are signs of intrusion.
We first learn how to use ports as a common-sense way to judge whether there are signs of intrusion:
After the computer is installed, if its open ports are not adjusted, the default open port is 139; if we do not open other ports, under normal circumstances a hacker cannot enter the system. If the system is regularly checked for viruses and yet the computer suddenly responds slowly on the Internet, the mouse freezes, the system crashes, or other abnormal situations occur, we can conclude that a hacker has implanted a Trojan horse in the system via email or some other method. At this point we can use some methods to remove it; the specific methods are available in the relevant chapters of this book.
10. Signs at the time of intrusion
An intrusion always proceeds in certain steps; an experienced system administrator can observe the whole system to see whether there are anomalies and determine the extent of the intrusion.
11. Signs of scanning
When the system receives continuous, repeated port connection requests, it may mean that an intruder is scanning the system from outside with a port scanner. Experienced hackers may use stealth scanning tools to evade detection, but in practice an experienced system administrator can still judge from a variety of signs.
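As an added example (not part of the original text), the following Python script parses an ICF log in the W3C extended format described in the Windows XP section above and then looks for the scanning sign just described: repeated connection requests from one source to many different ports. The log lines and the threshold of four ports are constructed for this example.

```python
"""Parse an ICF/Windows firewall log (W3C Extended Log File Format) and flag
sources whose dropped packets target many distinct ports: the repeated port
connection requests the text describes as a sign of scanning."""
from collections import defaultdict

# Constructed sample in the pfirewall.log layout: '#' header lines, then body
# rows whose columns are named by the #Fields header (not a real capture).
SAMPLE_LOG = """\
#Version: 1.0
#Software: Microsoft Internet Connection Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2003-05-12 09:14:01 DROP TCP 203.0.113.7 192.168.1.10 41022 21 48 S 1294872 0 65535 - - -
2003-05-12 09:14:01 DROP TCP 203.0.113.7 192.168.1.10 41023 23 48 S 1294873 0 65535 - - -
2003-05-12 09:14:02 DROP TCP 203.0.113.7 192.168.1.10 41024 80 48 S 1294874 0 65535 - - -
2003-05-12 09:14:02 DROP TCP 203.0.113.7 192.168.1.10 41025 139 48 S 1294875 0 65535 - - -
2003-05-12 09:14:03 DROP TCP 203.0.113.7 192.168.1.10 41026 445 48 S 1294876 0 65535 - - -
2003-05-12 09:15:10 OPEN TCP 192.168.1.10 198.51.100.20 1042 80 - - - - - - - -
2003-05-12 09:16:44 DROP UDP 198.51.100.33 192.168.1.10 137 137 78 - - - - - - -
"""

def parse_w3c_log(text):
    """Return one dict per body row, keyed by the names in the #Fields header,
    so the parser does not depend on a fixed column order."""
    fields, records = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):            # header part (Head Information)
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("body row seen before #Fields header")
        records.append(dict(zip(fields, line.split())))
    return records

def suspected_scanners(records, min_ports=4):
    """Map src-ip -> sorted distinct destination ports, keeping only sources
    whose DROP rows hit at least min_ports different ports."""
    ports = defaultdict(set)
    for rec in records:
        if rec.get("action") == "DROP":
            ports[rec["src-ip"]].add(int(rec["dst-port"]))
    return {ip: sorted(p) for ip, p in ports.items() if len(p) >= min_ports}
```

Because the column names are taken from the #Fields header, the same parser also reads later Windows Firewall logs that add or reorder columns.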
12. Signs of an exploit attack
When intruders use various programs to break into the system, the system may report some unusual circumstances and produce relevant records (the common IDS approach). After an intruder has broken in successfully, the system is left with more or less damage and signs of abnormal access, and at that point it should be recognized that the system may have been intruded upon.