Open Source and information security mailing list archives
Message-ID: <005401c411cd$aa097190$ad00a8c0@LUFKIN.DPSOL.COM>
From: purdy at tecman.com (Curt Purdy)
Subject: [inbox] Possible Compromised IIS 5 on Win2k help

James.McDermott@...frb.org wrote:
> I think my IIS 5.0 (Win2k) server has been compromised. I would like to do some
> forensics on it to find out how the person got in. I don't want to re-image the
> machine and find out he set up a backdoor through the code and not the O/S.

Get Vision from Foundstone as a good start, locate the illicit services and files. Do a date search several days around those shown by the services. Once you've found all the files (hopefully), Google until you've found what you've got and figure out how it got there and how to clean it. Also, tools like strings are good for analyzing non-text files, as well as many other tools from SysInternals.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions
----------------------------------------
If you spend more on coffee than on IT security, you will be hacked. What's more, you deserve to be hacked.
-- White House cybersecurity adviser Richard Clarke

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040324/38c685d6/attachment.html
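The two steps Curt describes, a date search several days around the timestamps of the suspicious services and a strings pass over any non-text files found, are easy to script once the anchor timestamps are known. The block below is an added example written for this archive page; it is not Curt's code, not Foundstone's Vision, and not Sysinternals' strings. It assumes Python 3 and a filesystem it can walk; the directory layout, the anchor date (20 March 2004) and the "binary" bytes it examines are all constructed here purely to make the example run offline.

```python
import os
import re
import tempfile
from datetime import datetime, timedelta

# Constructed stand-in for a dropped executable: a fake MZ header, padding,
# and two embedded strings an intruder's tool might carry. Not a real binary.
SAMPLE_BINARY = (b'MZ\x90\x00' + b'\x00' * 8
                 + b'cmd.exe /c net user hacker P@ss /add' + b'\x00\x01'
                 + b'ab\xff' + b'http://evil.example/' + b'\x00')


def files_near(root, anchor_times, window_days=3):
    """Walk `root` and return (path, mtime, ctime) for every file whose
    modification time or change time lies within +/- window_days of any
    anchor timestamp (e.g. the time a rogue service first appeared).
    Results are sorted by mtime so they read as a timeline.

    Caveat: st_ctime is inode change time on Unix but creation time on
    Windows, and an intruder can reset mtime; treat hits as leads, not proof."""
    window = timedelta(days=window_days)
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue  # unreadable or vanished; skip rather than abort the walk
            mtime = datetime.fromtimestamp(st.st_mtime)
            ctime = datetime.fromtimestamp(st.st_ctime)
            if any(abs(mtime - t) <= window or abs(ctime - t) <= window
                   for t in anchor_times):
                hits.append((path, mtime, ctime))
    hits.sort(key=lambda h: h[1])
    return hits


def strings(data, min_len=4):
    """Return printable-ASCII runs of at least min_len bytes, the way
    strings(1) does, so a dropped binary can be eyeballed for commands,
    URLs and credentials."""
    pattern = rb'[\x20-\x7e]{%d,}' % min_len
    return [m.group().decode('ascii') for m in re.finditer(pattern, data)]


def demo():
    """Build a constructed sample tree and run the window search over it.
    Returns the base names of the files inside the window, oldest first."""
    root = tempfile.mkdtemp(prefix='forensics_demo_')
    anchor = datetime(2004, 3, 20, 12, 0, 0)  # assumed: time the rogue service appeared
    # Constructed layout: (relative path, offset of its mtime from the anchor)
    layout = [
        ('WINNT/system32/svchost32.exe', timedelta(0)),          # rogue service binary
        ('WINNT/system32/nc.exe', timedelta(days=1, hours=3)),   # tool dropped next day
        ('Inetpub/wwwroot/default.htm', timedelta(days=-20)),    # legitimate, older
    ]
    for rel, off in layout:
        path = os.path.join(root, *rel.split('/'))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, 'wb') as f:
            f.write(SAMPLE_BINARY if rel.endswith('.exe') else b'<html></html>')
        ts = (anchor + off).timestamp()
        os.utime(path, (ts, ts))  # backdate mtime/atime to the constructed time
    hits = files_near(root, [anchor], window_days=3)
    return [os.path.basename(p) for p, _, _ in hits]


if __name__ == '__main__':
    for name in demo():
        print(name)
    for s in strings(SAMPLE_BINARY):
        print(s)
```

On a real Win2k box the anchor times would come from the service's registry key or binary rather than from a constructed list, and the tree walked would be the system and web roots. Because timestamps are attacker-controllable, corroborate any hit against the IIS logs and the event log before drawing conclusions.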