I remember that when I managed a batch of Windows servers, the web sites running various open-source programs on them were compromised again and again. I wanted a way to know whether a server had been compromised; if a logon immediately sent an email notification, that problem would be largely dealt with, so I collected this from the web. It is reproduced here; where it was originally reposted from can no longer be traced.
A friend's Windows server was hacked, and some of the data backups were maliciously deleted as well. I helped him do some security hardening afterwards. Since the server is managed through Windows Terminal Server, I looked for a way to monitor its logons, found the command-line mail-sending tool Blat and, with a batch file, put together a simple monitoring program: when someone logs in through the terminal service successfully, the IP addresses connected at logon are sent to a designated mailbox.
1. First download Blat into the Blat directory on the C: drive.
2. Create a new .bat file in any directory (mine is Mail.bat) with the following content:
@echo off
:: Record the logon date and time, then every TCP connection involving port 3389
date /t >mail.txt
time /t >>mail.txt
netstat -n -p tcp | find "3389" >>mail.txt
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Mail account settings. The sender and recipient addresses in the original
:: page were obfuscated by the scraper; the two placeholders below must be
:: replaced with real addresses.
set from=SENDER_ADDRESS@126.com
set user=webshell.cc
set pass=webshell.cc
set to=RECIPIENT_ADDRESS@126.com
set subj=3389
set mail=mail.txt
set server=smtp.126.com
set debug=-debug -log blat.log -timestamp
::::::::::::::::::::::::::::::::: Blat ::::::::::::::::::::::::::::::::::::
C:\blat\full\blat.exe %mail% -to %to% -base64 -charset gb2312 -subject %subj% -server %server% -f %from% -u %user% -pw %pass% %debug%
start explorer
The batch file simply records which IP addresses are connected to the local port 3389 and then sends that record to the specified mailbox.
3. Go to Control Panel > Administrative Tools > Terminal Services Configuration > RDP-Tcp > Properties > Environment tab > "Start the following program when the user logs on". In "Program path and file name" enter "C:\mail.bat", and in "Start in" enter "C:\". That is all.
4. Log out and log back in to see whether you receive the email. If an error occurs and the desktop does not appear, open Task Manager with Ctrl+Alt+End and start the desktop from there.
5. One small bug found so far: a cmd window pops up at logon.
6. If you enable new-mail notification in the mailbox, or use a 139 mailbox, you can get real-time SMS notification on your phone; try it if you are interested.
Of course, the script itself has security issues: once the server is compromised, the mailbox account stored in it is lost as well.
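The same logon report written in PowerShell, as an added example that is not the post's Mail.bat: it filters the netstat output down to the remote addresses that actually hold an established connection to port 3389 (the batch file mails the raw find output and leaves that to the reader), writes a short report and hands it to blat.exe with the same options the post uses. It assumes PowerShell 2.0 or later is installed on the server, that blat.exe is where the post puts it, and that every address, account, password and server value is a placeholder to replace.

```powershell
# Added example, not the original post's Mail.bat. Assumptions: PowerShell 2.0
# or later is available, blat.exe is installed at the path the post uses, and
# all account and server values below are placeholders.

$BlatExe    = 'C:\blat\full\blat.exe'
$SmtpServer = 'smtp.example.com'       # placeholder
$From       = 'sender@example.com'     # placeholder
$To         = 'admin@example.com'      # placeholder
$User       = 'sender'                 # placeholder
$Pass       = 'REPLACE_ME'             # placeholder; readable by whoever logs on (see note)
$Report     = Join-Path $env:TEMP 'rdp-logon.txt'

# Extract the remote address of every ESTABLISHED connection whose local port
# is 3389 from "netstat -n -p tcp" output. LISTENING and TIME_WAIT rows, and
# connections where 3389 is only the remote port, are ignored.
function Get-RdpPeers {
    param([string[]]$NetstatLines)
    $peers = @()
    foreach ($line in $NetstatLines) {
        if ($line -match '^\s*TCP\s+\S+:3389\s+(\S+):\d+\s+ESTABLISHED\s*$') {
            $peers += $matches[1]
        }
    }
    return @($peers | Select-Object -Unique)
}

$peers = Get-RdpPeers -NetstatLines (netstat -n -p tcp)

# Report body: who logged on, when, on which host, and from which addresses.
$lines = @(
    "Time:  $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss')",
    "Host:  $env:COMPUTERNAME",
    "User:  $env:USERDOMAIN\$env:USERNAME",
    "Remote addresses with an established connection to port 3389:"
) + @($peers | ForEach-Object { "  $_" })
$lines | Set-Content -Path $Report -Encoding UTF8

# Same blat invocation as Mail.bat; the peer list goes into the subject so the
# notification is readable on a phone without opening the body.
& $BlatExe $Report -to $To -base64 -charset utf-8 `
    -subject "3389 logon from $($peers -join ', ')" `
    -server $SmtpServer -f $From -u $User -pw $Pass

# Mail.bat ends with "start explorer" because the Environment setting replaces
# the normal shell with this program; do the same so the desktop appears.
Start-Process explorer.exe
```

Two things to keep in mind when using either version. The program configured under the RDP-Tcp Environment tab runs inside the session of the user who is logging on, so the script, and any mailbox password written into it, is readable by every account allowed to log on; restricting the NTFS permissions on the file to administrators only helps if only administrators can log on. And netstat reports every connection established at that moment, so when two administrators are connected at once the report lists both addresses, not only the one whose logon triggered it.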
[Reposted] Automatic real-time monitoring of Windows 2003 server terminal logons with email and SMS notification