Bat file custom intrusion detection script for System Security

Time/t> IIS-Scan.log
Find/I "character to be searched" C:/WINDOWS/system32/LogFiles/Httperr/*. *> IIS-Scan.log
The above Bat can easily find the intrusion data in the IIS 6.0 log file. We all know that IIS on Windows 2003 Server has a dedicated "Httperr" folder dedicated to recording related errors. Of course, if you use scanning software to scan the server, it will be recorded here. The batchfile uses the find.exe command.

@ Cd/
Rem ******* Auto Scan IIS 6.0 LogFiles By www.Reistlin.com ********
Rem ******** Scaning... Please... Waiting ...********
@ Echo Off
Time/t> IIS-Scan.log
Find/I ".." C:/WINDOWS/system32/LogFiles/Httperr/*. *> IIS-Scan.log
Find/I "//" C:/WINDOWS/system32/LogFiles/Httperr/*. *> IIS-Scan.log
Find/I "//" C:/WINDOWS/system32/LogFiles/Httperr/*. *> IIS-Scan.log
Find/I "windows" C:/WINDOWS/system32/LogFiles/Httperr/*. *> IIS-Scan.log
Find/I "private" C:/WINDOWS/system32/LogFiles/Httperr/*. *> IIS-Scan.log
Find/I "printer" C:/WINDOWS/system32/LogFiles/Httperr/*. *> IIS-Scan.log
Find/I "session" C:/WINDOWS/system32/LogFiles/Httperr/*. *> IIS-Scan.log
Find/I "admin" C:/WINDOWS/system32/LogFiles/Httperr/*. *> IIS-Scan.log
Find/I "winnt" C:/WINDOWS/system32/LogFiles/Httperr/*. *> IIS-Scan.log
Find/I "null" C:/WINDOWS/system32/LogFiles/Httperr/*. *> IIS-Scan.log
Find/I "boot" C:/WINDOWS/system32/LogFiles/Httperr/*. *> IIS-Scan.log
Find/I "www" C:/WINDOWS/system32/LogFiles/Httperr/*. *> IIS-Scan.log
Find/I "asa" C:/WINDOWS/system32/LogFiles/Httperr/*. *> IIS-Scan.log
Find/I "mdb" C:/WINDOWS/system32/LogFiles/Httperr/*. *> IIS-Scan.log
Find/I "dat" C:/WINDOWS/system32/LogFiles/Httperr/*. *> IIS-Scan.log
Find/I "bat" C:/WINDOWS/system32/LogFiles/Httperr/*. *> IIS-Scan.log
Find/I "rpc" C:/WINDOWS/system32/LogFiles/Httperr/*. *> IIS-Scan.log
Find/I "bin" C:/WINDOWS/system32/LogFiles/Httperr/*. *> IIS-Scan.log
Find/I "vti" C:/WINDOWS/system32/LogFiles/Httperr/*. *> IIS-Scan.log
Find/I "doc" C:/WINDOWS/system32/LogFiles/Httperr/*. *> IIS-Scan.log
Find/I "cgi" C:/WINDOWS/system32/LogFiles/Httperr/*. *> IIS-Scan.log
Find/I "log" C:/WINDOWS/system32/LogFiles/Httperr/*. *> IIS-Scan.log
Find/I "iis" C:/WINDOWS/system32/LogFiles/Httperr/*. *> IIS-Scan.log
Find/I "ida" C:/WINDOWS/system32/LogFiles/Httperr/*. *> IIS-Scan.log
Find/I "idc" C:/WINDOWS/system32/LogFiles/Httperr/*. *> IIS-Scan.log
Find/I "idq" C:/WINDOWS/system32/LogFiles/Httperr/*. *> IIS-Scan.log
Start IIS-Scan.log
 

Time/t> Port. log
Netstat-NA-P Tcp 600> Port. log
 

The first line is to record the server time and write it into the file named IIS-Scan.Log. In the second row, the search parameter I is case-insensitive, and then enter the string you want to search for in. For example, scanning records such as ".../..." or U code testing such as "% &" often appear. "*. *" Is to query all the files in the entire directory of "Httperr" and write the search results to the IIS-Scan.log.

The following is a complete set of scripts on my own server!

In the preceding figure, run the NETSTAT-NA command to query the number of connections and the number of ports, and write the Port. log. Note that 600 means 600 seconds, that is, records every 600 seconds. Use it with caution. Because a record is recorded once every minute, the Port. log file will become larger and larger over time. We recommend that you use 6000, or 3000 seconds. You can record the data every 30 minutes.

Time/t> 3389.log
Netstat-n-p tcp | Find ": 3389"> 3389.log