I've seen plenty of texts saying that if you try to break into someone's machine, don't forget to wipe the LOGS (the files that keep a record of everything you did while connected to that box). Holy shit, I kept wondering where those files could be, what they were called, what they looked like, and so on...

But who would have guessed: I found nothing about it anywhere. I had to bust my ass to find these logs, and I only know where the Windows NT ones are!

Well, that's why I decided to write this section: to explain how Windows NT logs work and where they live. So here we go:

The directories that hold the log files are (note: "c:\winnt" = the Windows NT directory):

"C:\WINNT\system32\LogFiles\W3SVC1\"
and "C:\WINNT\system32\LogFiles\MSFTPSVC1\"

The first directory holds the log files (*.log) of the web server, get it? For example: if the home page served by the Windows NT box is "www.foda.com.br", then every time you visit that address you are being monitored. Everything you do on the site, from a simple click on a link to an attempted attack through CGI, gets written to the log file for the current day (explained further on).

The second directory holds the FTP server logs; in the example above that could be "ftp.foda.com.br", and sometimes "www.foda.com.br" itself also accepts FTP connections. Just like the logs in the first directory, the FTP log records everything you do. Everything! If you log in as "anonymous", the password you used is recorded together with your IP, and every command you issue adds a new line to the log file for the current day!

The files are generated automatically by that piece of shit NT and have the following form:

Ex.: "in990926.log" ==> every log name begins with "in" ==> the digits are the date written back to front (year, month, day). In this example the file holds everything about the connections made to the server on 26/09/1999. A file named "in991030.log" would hold everything about the connections of 30/10/1999! Got it?
Here is a piece of a Windows NT4 log file from the directory "C:\WINNT\system32\LogFiles\MSFTPSVC1\":

ip, user, date, time, type (I think), server name, server ip, *, *, *, *, *, [its number of the day]command, value, *,
* ==> means I don't know what it is!

200.239.60.75, anonymous, 8/9/99, 21:50:31, MSFTPSVC1, SRV16, 200.239.60.19, 0, 0, 0, 331, 0, [41]USER, anonymous, -,
200.239.60.75, IE30User@, 8/9/99, 21:50:31, MSFTPSVC1, SRV16, 200.239.60.19, 0, 0, 0, 230, 0, [41]PASS, IE30User@, -,
200.239.60.75, anonymous, 8/9/99, 21:51:05, MSFTPSVC1, SRV16, 200.239.60.19, 0, 0, 0, 331, 0, [42]USER, anonymous, -,
200.239.60.75, getright@, 8/9/99, 21:51:05, MSFTPSVC1, SRV16, 200.239.60.19, 0, 0, 0, 230, 0, [42]PASS, getright@, -,
200.239.60.180, orgatec, 8/9/99, 21:58:17, MSFTPSVC1, SRV16, 200.239.60.19, 477196, 1021756, 0, 226, 0, [39]created, fyscal.exe, -,
200.239.60.75, getright@, 8/9/99, 22:04:27, MSFTPSVC1, SRV16, 200.239.60.19, 801222, 0, 2632016, 226, 0, [42]sent, /takeover/MP3/Blitz - Cruel Esquizofrenético Blues.mp3, -,
200.239.60.180, orgatec, 8/9/99, 22:05:08, MSFTPSVC1, SRV16, 200.239.60.19, 411272, 882005, 0, 226, 0, [39]created, syspag.exe, -,
200.239.60.180, orgatec, 8/9/99, 22:05:23, MSFTPSVC1, SRV16, 200.239.60.19, 0, 0, 0, 226, 0, [39]QUIT, -, -,
200.239.60.86, lider, 8/9/99, 22:15:29, MSFTPSVC1, SRV16, 200.239.60.19, 0, 0, 0, 331, 0, [43]USER, lider, -,
200.239.60.86, lider, 8/9/99, 22:15:31, MSFTPSVC1, SRV16, 200.239.60.19, 651, 0, 0, 230, 0, [43]PASS, -, -,
200.239.60.86, lider, 8/9/99, 22:18:37, MSFTPSVC1, SRV16, 200.239.60.19, 157967, 386830, 0, 226, 0, [43]created, modelle.exe, -,
200.239.60.86, lider, 8/9/99, 22:22:16, MSFTPSVC1, SRV16, 200.239.60.19, 217482, 530643, 0, 226, 0, [43]created, notas.exe, -,
200.239.60.86, lider, 8/9/99, 22:26:48, MSFTPSVC1, SRV16, 200.239.60.19, 271340, 649159, 0, 226, 0, [43]created, recpag.exe, -,
200.239.60.86, lider, 8/9/99, 22:29:40, MSFTPSVC1, SRV16, 200.239.60.19, 4537, 12365, 0, 226, 0, [43]created, home5w.htm, -,
200.239.60.86, lider, 8/9/99, 22:31:58, MSFTPSVC1, SRV16, 200.239.60.19, 119051, 282999, 0, 226, 0, [43]created, liderct.zip, -,
200.239.60.86, lider, 8/9/99, 22:32:05, MSFTPSVC1, SRV16, 200.239.60.19, 0, 0, 0, 226, 0, [43]QUIT, -, -,
200.239.60.47, administrator, 8/9/99, 23:08:24, MSFTPSVC1, SRV16, 200.239.60.19, 0, 0, 0, 331, 0, [44]USER, administrator, -,
200.239.60.47, administrator, 8/9/99, 23:08:24, MSFTPSVC1, SRV16, 200.239.60.19, 671, 0, 0, 230, 0, [44]PASS, -, -,
200.239.60.47, administrator, 8/9/99, 23:11:12, MSFTPSVC1, SRV16, 200.239.60.19, 1272, 548, 0, 226, 0, [44]created, bg.jpg, -,
200.239.60.47, administrator, 8/9/99, 23:11:14, MSFTPSVC1, SRV16, 200.239.60.19, 1982, 2703, 0, 226, 0, [44]created, diginet.gif, -,
200.239.60.47, administrator, 8/9/99, 23:11:19, MSFTPSVC1, SRV16, 200.239.60.19, 4957, 21626, 0, 226, 0, [44]created, ft01.jpg, -,
200.239.60.47, administrator, 8/9/99, 23:11:24, MSFTPSVC1, SRV16, 200.239.60.19, 4446, 18209, 0, 226, 0, [44]created, ft02.jpg, -,
200.239.60.47, administrator, 8/9/99, 23:11:30, MSFTPSVC1, SRV16, 200.239.60.19, 5217, 22522, 0, 226, 0, [44]created, ft03.jpg, -,
200.239.60.47, administrator, 8/9/99, 23:11:35, MSFTPSVC1, SRV16, 200.239.60.19, 5057, 23212, 0, 226, 0, [44]created, ft04.jpg, -,
200.239.60.47, administrator, 8/9/99, 23:11:38, MSFTPSVC1, SRV16, 200.239.60.19, 2073, 4285, 0, 226, 0, [44]created, home-01-01.jpg, -,
200.239.60.47, administrator, 8/9/99, 23:11:40, MSFTPSVC1, SRV16, 200.239.60.19, 2153, 4634, 0, 226, 0, [44]created, home-01-02.jpg, -,
200.239.60.47, administrator, 8/9/99, 23:11:43, MSFTPSVC1, SRV16, 200.239.60.19, 2373, 5026, 0, 226, 0, [44]created, home-01-03.jpg, -,
200.239.60.47, administrator, 8/9/99, 23:11:45, MSFTPSVC1, SRV16, 200.239.60.19, 1842, 4474, 0, 226, 0, [44]created, home-02-01.jpg, -,
200.239.60.47, administrator, 8/9/99, 23:11:48, MSFTPSVC1, SRV16, 200.239.60.19, 2394, 6033, 0, 226, 0, [44]created, home-02-02.jpg, -,
200.239.60.47, administrator, 8/9/99, 23:11:51, MSFTPSVC1, SRV16, 200.239.60.19, 2243, 5352, 0, 226, 0, [44]created, home-02-03.jpg, -,
200.239.60.47, administrator, 8/9/99, 23:11:53, MSFTPSVC1, SRV16, 200.239.60.19, 1933, 4245, 0, 226, 0, [44]created, interativa.gif, -,
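As an added example (not from the original text), here is a small Python reader for records in the layout of the excerpt above, written from the defender's side: it decodes the "inYYMMDD.log" filename, splits each record, groups by the "[n]" session counter, and reports accepted logins, rejected passwords and uploads. The names for the five columns the author marked "*" (time taken in ms, bytes received, bytes sent, FTP reply code, Win32 status) follow the documented Microsoft IIS log format rather than this page; the sample records are copied from the excerpt except the last two, which are constructed (the 10.0.0.9 address is made up) to show a rejected password.

```python
import re
from datetime import datetime

# Constructed sample in the layout of the MSFTPSVC1 excerpt above: the first six
# records are copied from it, the last two are made up to show a rejected password.
SAMPLE_LOG = """\
200.239.60.86, lider, 8/9/99, 22:15:29, MSFTPSVC1, SRV16, 200.239.60.19, 0, 0, 0, 331, 0, [43]USER, lider, -,
200.239.60.86, lider, 8/9/99, 22:15:31, MSFTPSVC1, SRV16, 200.239.60.19, 651, 0, 0, 230, 0, [43]PASS, -, -,
200.239.60.86, lider, 8/9/99, 22:18:37, MSFTPSVC1, SRV16, 200.239.60.19, 157967, 386830, 0, 226, 0, [43]created, modelle.exe, -,
200.239.60.47, administrator, 8/9/99, 23:08:24, MSFTPSVC1, SRV16, 200.239.60.19, 0, 0, 0, 331, 0, [44]USER, administrator, -,
200.239.60.47, administrator, 8/9/99, 23:08:24, MSFTPSVC1, SRV16, 200.239.60.19, 671, 0, 0, 230, 0, [44]PASS, -, -,
200.239.60.47, administrator, 8/9/99, 23:11:12, MSFTPSVC1, SRV16, 200.239.60.19, 1272, 548, 0, 226, 0, [44]created, bg.jpg, -,
10.0.0.9, administrator, 8/9/99, 23:40:02, MSFTPSVC1, SRV16, 200.239.60.19, 0, 0, 0, 331, 0, [45]USER, administrator, -,
10.0.0.9, administrator, 8/9/99, 23:40:03, MSFTPSVC1, SRV16, 200.239.60.19, 410, 0, 0, 530, 0, [45]PASS, -, -,
"""

# Column order of the Microsoft IIS log format. The five columns the author marked
# "*" are: time taken (ms), bytes received, bytes sent, FTP reply code, Win32 status.
FIELDS = ("client_ip", "user", "date", "time", "service", "server", "server_ip",
          "time_taken_ms", "bytes_recv", "bytes_sent", "status", "win32_status",
          "operation", "target", "params")

def log_file_date(name):
    """'in990926.log' -> 1999-09-26: 'in' followed by the date as YYMMDD."""
    m = re.fullmatch(r"in(\d{6})\.log", name)
    return datetime.strptime(m.group(1), "%y%m%d").date() if m else None

def parse_record(line):
    """One record -> dict; the '[n]' prefix on the operation is the per-day session
    counter. A target filename containing a comma would defeat this naive split."""
    parts = [p.strip() for p in line.strip().rstrip(",").split(",")]
    op = re.match(r"\[(\d+)\](.+)", parts[12]) if len(parts) == len(FIELDS) else None
    if not op:
        return None
    rec = dict(zip(FIELDS, parts))
    rec["session"], rec["command"] = int(op.group(1)), op.group(2)
    rec["status"] = int(rec["status"])
    return rec

def review(text):
    """Defender's summary: logins (PASS answered 230), rejected passwords (any
    other reply to PASS), uploads ('created') and the session counters seen."""
    recs = [r for r in map(parse_record, text.splitlines()) if r]
    logins, failed, uploads = [], [], []
    for r in recs:
        if r["command"] == "PASS":
            (logins if r["status"] == 230 else failed).append((r["user"], r["client_ip"]))
        elif r["command"] == "created":
            uploads.append((r["session"], r["user"], r["target"]))
    return {"logins": logins, "failed": failed, "uploads": uploads,
            "sessions": sorted({r["session"] for r in recs})}
```

Run `review(SAMPLE_LOG)` to see the two accepted logins, the rejected administrator password from 10.0.0.9 and the two uploads; pointing it at a real inYYMMDD.log gives the same summary for that day.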