The last few times I set up a honeypot, the point was to collect 0-day data on how the attacker broke into the site. This time I decided to take on a "great god" (an expert). I won't go into the 0-day itself; it concerns dz, and I'm probably still analyzing it as I write this.

0x1: What is an ibl log?

As far as I know, IIS writes log files in two formats. The first is the plain-text log format we usually meet and analyze with tools. The second is ibl, a binary file format that has to be converted with a tool before analysis. The advantage of the binary format is that it takes less space: when there are many sites, each with a particularly high daily access volume, it cuts down our storage usage.

0x2: When is the log format converted to ibl?

When we first set up the IIS service the default is the text log format, so when does it get switched to ibl without us noticing? Here, the logs used to be written in the text log format. Later I checked: the IIS extension package I had installed earlier, an automatic configuration package for PHP 5.2.17, converts our default log format to ibl once it is installed, and the IIS logs of off-star virtual hosts are the same.

0x3: IIS log format conversion

1. Find the file: metabase.xml under system32.
2. Open this file in Notepad and find the CentralBinaryLoggingEnabled field. If it is TRUE, change it to FALSE.
3. Run iisreset to restart IIS.

0x4: Log Parser 2.2

Log Parser 2.2 is the tool used to convert ibl format log files. You can download it here: http://www.xinyues.org/thread-965-1-1.html . Install it with the default options. Next, convert the specified ibl file to a log file. First, find the IIS identifier of the corresponding website; here, 986744415 is the identifier of the website.
Command:

C:\Program Files\Log Parser 2.2> logparser "select * into log1.txt from C:\IISLog Files\W3SVC\ra130524.ibl where siteid = 986744415"

This means: take everything in C:\IISLog Files\W3SVC\ra130524.ibl for the site with identifier 986744415, convert it to log format and save it to the current directory. Comparing the sizes of the two files shows the benefit of ibl files: they take about half the space. The content layout in the converted file differs from what is stored in the original log format, so the IIS log behavior analysis tools found on the Internet fail on it.

0x4: Writing the tool

Principle of an IIS log behavior analysis tool: import the file, search for the feature string, then analyze the hits. Complex log analysis tools are built on the same principle. As a half-baked PHP rookie, I naturally can't put together anything elaborate. Code:

```php
<?php
// Read the converted log into an array, one line per element.
$a = file('log1.txt');
$b = "fuck2.txt"; // output file for the matching lines
$out = fopen($b, 'a+'); // open once instead of once per matching line
foreach ($a as $key => $vale) {
    // strpos() returns 0 for a match at offset 0, so compare against false explicitly;
    // stripos() so that 'post' also matches the 'POST' method IIS writes.
    if (strpos($vale, '27.202.82.212') !== false && stripos($vale, 'post') !== false) {
        fwrite($out, rtrim($vale) . "\n"); // double-quoted so "\n" is a real newline
    }
}
fclose($out);
?>
```

See how simple the query is: search for two strings. Here we pull the records where the IP address 27.202.82.212 made a request with the action POST. You can also add multiple conditions! Requirements differ, so that is basically all of it. Next, let's see what this IP address did at a certain time.
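As an added example (not the post's script), here is the same IP-plus-POST query done on parsed fields instead of a substring search over the whole line, which avoids hits such as the IP appearing inside a query string; it assumes the converted log is in IIS's W3C extended format with a #Fields header, and the sample lines are constructed:

```python
# Field-aware filter for IIS W3C extended logs (added example, not the post's PHP).
# Assumptions: the converted log uses the W3C format with a '#Fields:' directive;
# the sample below is constructed and the IP is the one from the post.

# Constructed sample: directives, a #Fields header, and four request lines.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2013-05-24 01:02:03 10.0.0.5 GET /index.php - 27.202.82.212 Mozilla/5.0 200
2013-05-24 01:02:09 10.0.0.5 POST /login.php - 27.202.82.212 Mozilla/5.0 302
2013-05-24 01:02:10 10.0.0.5 POST /upload.php act=save 27.202.82.212 Mozilla/5.0 200
2013-05-24 01:03:00 10.0.0.5 POST /login.php ref=27.202.82.212 192.0.2.7 curl/7.0 200
"""


def parse_w3c(lines):
    """Turn W3C log lines into dicts keyed by the names in the #Fields line.

    Other directive lines are skipped; a later #Fields line re-defines the
    columns, as IIS does when a config change adds or removes fields.
    """
    fields, records = [], []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split(" ")  # IIS encodes spaces inside values as '+'
        if not fields or len(values) != len(fields):
            records.append({"_malformed": line})  # keep it visible, don't drop silently
            continue
        records.append(dict(zip(fields, values)))
    return records


def find_requests(records, client_ip, method="POST"):
    """Exact match on c-ip and cs-method: a substring search over the whole
    line would also hit '127.202.82.212' or an IP echoed in the query string."""
    return [r for r in records
            if r.get("c-ip") == client_ip and r.get("cs-method", "").upper() == method.upper()]


if __name__ == "__main__":
    for r in find_requests(parse_w3c(SAMPLE_LOG.splitlines()), "27.202.82.212"):
        print(r["time"], r["cs-method"], r["cs-uri-stem"], r["cs-uri-query"], r["sc-status"])
```

The fourth sample line carries the IP only in its query string, so the PHP substring check would report it while the field match correctly attributes it to 192.0.2.7.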
0x5: So far, this is the whole process, from knowing nothing about ibl logs to being familiar with them and analyzing them.