Pursue yesterday's footprints with the knife customer

Source: Internet
Author: User

Near the end of the year, white-collar workers in the city and aunts in the countryside get busy buying New Year's goods. On the internet, another group of people gets busy "struggling" for its own year-end bonus: the professional "hackers" who steal data so that they can eat a little better or find greater happiness, maybe even a Mercedes-Benz or a BMW. In such an environment, the servers I manage receive a huge number of log entries. Injection-interception logs, batch-scan interception logs, and sensitive-file interception logs are growing exponentially. The IIS logs keep growing: 100 MB, 200 MB, 1 GB, 2 GB ...... some websites have logs 10 or 100 times the size of their own data. Of course, this log volume is mainly a function of network traffic.
As a server maintainer, my job is to check logs. What I want to share with you today is not any of the logs above, but the system management logs. In Windows 2003, enter "eventvwr" in Start > Run to open the Event Viewer. Usually, however, we open Computer Management, which includes the Event Viewer, because it is more convenient for administration: enter "compmgmt.msc" in Run, or right-click My Computer and select Manage. The Event Viewer generally shows four types of logs: "Application", "Internet Explorer", "Security", and "System".


For "logon/logoff" we focus on the "Application" and "System" types. "Logon/logoff" usually concerns system users and database users; an example follows.
For example, when I log on to the remote terminal on port 3389 as administrator, there are generally four log records, all written at the same moment.
This audit is enabled by default. If you want to change it, enter gpedit.msc in Run to open Group Policy; under Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy you can see the audit setting for logon events.
Such logs are stored in the "Security" type.

Program code
Event Type: Audit Success
Event Source: Security
Event Category: Account Logon
Event ID: 680
Date: 2010-2-4
Time: 20:52:37
User: TAGggg-DDD3333\administrator
Computer: TAGggg-DDD3333
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: administrator
Source Workstation: TAGggg-DDD3333
Error Code: 0x0


This log records every user that attempted to log on. For example, if you type a username and password into the logon window, that attempt is recorded here. If you find a record for an account that is not one of your system users, someone has been guessing your usernames.

Program code
Event Type: Audit Success
Event Source: Security
Event Category: Logon/Logoff
Event ID: 552
Date: 2010-2-4
Time: 20:52:37
User: NT AUTHORITY\SYSTEM
Computer: TAGggg-DDD3333
Description:
Logon attempt using explicit credentials:
Logged on user:
User Name: TAGggg-DDD3333$
Domain: WORKGROUP
Logon ID: (0x0, 0x3E7)
Logon GUID: -
User whose credentials were used:
Target User Name: administrator
Target Domain: TAGggg-DDD3333
Target Logon GUID: -
Target Server Name: localhost
Target Server Info: localhost
Caller Process ID: 3224
Source Network Address: 142.97.167.96
Source Port: 53637

A successful logon is recorded here. If someone has obtained the account and password for 3389, the IP address and method are recorded here, and the record clearly states that the logon used explicit credentials.

Program code
Event Type: Audit Success
Event Source: Security
Event Category: Logon/Logoff
Event ID: 528
Date: 2010-2-4
Time: 20:52:37
User: TAGggg-DDD3333\administrator
Computer: TAGggg-DDD3333
Description:
Successful Logon:
User Name: administrator
Domain: TAGggg-DDD3333
Logon ID: (0x0, 0x3B5BA)
Logon Type: 10
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: TAGggg-DDD3333
Logon GUID: -
Caller User Name: TAGggg-DDD3333$
Caller Domain: WORKGROUP
Caller Logon ID: (0x0, 0x3E7)
Caller Process ID: 3224
Transited Services: -
Source Network Address: 142.97.167.96
Source Port: 53637


This log is the most important one. Three points in it show that the logon was a Remote Desktop connection. First, the Logon Type is 10 (RemoteInteractive), which means the logon came through Terminal Services, Remote Desktop, or Remote Assistance. Second, the Logon Process is User32, which means the logon went through the User32 logon process. Third, the Caller Process ID: open Task Manager and you can see that process 3224 is winlogon.exe. All three points indicate that this is a remote connection log.

Program code
Event Type: Audit Success
Event Source: Security
Event Category: Logon/Logoff
Event ID: 576
Date: 2010-2-4
Time: 20:52:37
User: TAGggg-DDD3333\administrator
Computer: TAGggg-DDD3333
Description:
Special privileges assigned to new logon:
User Name:
Domain:
Logon ID: (0x0, 0x3B5BA)
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege


This log shows the privileges assigned to the new logon session; the Logon ID ties it to the 528 record above.
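As an added example (not code from the article), here is a small Python triage over an exported Security-log excerpt in the field layout shown above: it flags 680 records with a non-zero error code (the username-guessing case) and lists each Logon Type 10 logon with its source address and the privileges from the 576 record that shares its Logon ID. The hostname, address and status value in the sample are constructed.

```python
import re
# Constructed sample (not from the article) in the field layout the article shows.
SAMPLE = """\
Event ID: 680
Logon account: root
Source Workstation: HOST01
Error code: 0xC000006A

Event ID: 680
Logon account: administrator
Source Workstation: HOST01
Error code: 0x0

Event ID: 528
User name: administrator
Logon ID: (0x0, 0x3B5BA)
Logon type: 10
Source Network Address: 192.0.2.10
Source Port: 53637

Event ID: 576
Logon ID: (0x0, 0x3B5BA)
Privilege: SeSecurityPrivilege
SeDebugPrivilege
"""
def parse_records(text):
    """'Key: value' lines become fields; a bare line extends the previous field."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec, last = {}, None
        for line in chunk.splitlines():
            if ":" in line:
                key, _, val = line.partition(":")
                last = key.strip()
                rec[last] = val.strip()
            elif last:  # e.g. the extra privileges listed under 'Privilege:'
                rec[last] += "," + line.strip()
        records.append(rec)
    return records

def triage(records):
    """Failed 680 checks (guessing) plus each Logon Type 10 528 joined to its 576 grant."""
    privs = {r["Logon ID"]: r["Privilege"].split(",")
             for r in records if r.get("Event ID") == "576"}
    failed = [(r["Logon account"], r["Source Workstation"]) for r in records
              if r.get("Event ID") == "680" and r.get("Error code") != "0x0"]
    remote = [{"user": r["User name"], "source": r["Source Network Address"],
               "port": r["Source Port"], "privileges": privs.get(r["Logon ID"], [])}
              for r in records if r.get("Event ID") == "528" and r.get("Logon type") == "10"]
    return {"failed_checks": failed, "remote_logons": remote}
```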

Well, that covers the remote logon logs. Next come the MSSQL logon logs, which I classify into three categories: ordinary user logon, SA logon, and system user logon.
You need to enable SQL Server and Windows Authentication mode and audit all logins: select the MSSQL instance, right-click, choose Properties, and set this on the Security tab.

We focus on SA and system user login.
Mssql system user login log
