Open Source and information security mailing list archives
Message-ID: <005401c411cd$aa097190$ad00a8c0@LUFKIN.DPSOL.COM>
From: purdy at tecman.com (Curt Purdy)
Subject: [inbox] Possible Comprimised IIS 5  on Win2k help

James.McDermott@...frb.org wrote:
> I think my IIS 5.0 (Win2k) Server has been compromised. I would like to do
> some forensics on it to find out how the person got in. I don't want to re-image
> the machine and find out he set up a backdoor through the code and not the O/S.

Get Vision from Foundstone as a good start, locate the illicit services and
files.  Do a date search several days around those shown by the services.
Once you've found all the files (hopefully), Google until you've found what
you've got and figure out how it got there and how to clean it.  Also, tools
like strings are good for analyzing non-text files, as are many other
tools from SysInternals.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions

----------------------------------------

If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- White House cybersecurity adviser Richard Clarke
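Two of the triage steps in the reply above, written out as an added example that is not part of the original thread or of any Foundstone or Sysinternals tool: a modification-time window search around the timestamp of a suspicious service, and a minimal `strings`-style extraction of printable runs from a non-text file. The directory tree, file names and embedded bytes are constructed here purely as sample data; the function names are my own.

```python
"""Added example: date-window file search and strings extraction for first-pass
triage of a possibly compromised host. Sample data is constructed, not real."""
import os
import re
import tempfile
from datetime import datetime, timedelta, timezone

# Default minimum run length, matching what the classic `strings` tool uses.
MIN_LEN = 4


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> list[str]:
    """Return every run of at least `min_len` printable ASCII bytes in `data`.

    Runs broken by a non-printable byte are reported separately, so embedded
    URLs, paths and command names in a binary show up as their own entries.
    """
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def files_modified_near(root: str, anchor: datetime,
                        window_days: int) -> list[tuple[str, datetime]]:
    """Walk `root` and return (path, mtime) for files whose modification time
    lies within +/- `window_days` of `anchor`, newest first.

    Caveat: mtime is trivially forged, and NTFS keeps more timestamps than the
    one stat() exposes; treat the result as a candidate list, not as proof.
    """
    lo = anchor - timedelta(days=window_days)
    hi = anchor + timedelta(days=window_days)
    hits: list[tuple[str, datetime]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                mtime = datetime.fromtimestamp(os.stat(path).st_mtime,
                                               tz=timezone.utc)
            except OSError:
                continue  # unreadable or vanished; skip rather than abort the sweep
            if lo <= mtime <= hi:
                hits.append((path, mtime))
    hits.sort(key=lambda hit: hit[1], reverse=True)
    return hits


# Constructed blob standing in for an unknown executable: header bytes, a URL
# and a short fragment that is below the minimum run length.
SAMPLE_BLOB = b"\x00\x01MZ\x90\x00http://c2.example/beacon\x00\x02\xffab\x00"


def build_sample_tree() -> tuple[str, datetime]:
    """Construct a temporary tree imitating a web root (constructed data).

    One file is dated to the suspicious service's timestamp, one a day later,
    and one a month earlier so it falls outside a few-day window.
    """
    root = tempfile.mkdtemp(prefix="triage_")
    anchor = datetime(2004, 3, 20, 12, 0, tzinfo=timezone.utc)
    day_offsets = {
        "inetpub/wwwroot/default.htm": -30,   # legitimate, old content
        "inetpub/scripts/unknown1.exe": 0,    # same day as the odd service
        "winnt/system32/unknown2.exe": 1,     # dropped the following day
    }
    for rel, offset in day_offsets.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(SAMPLE_BLOB)
        ts = (anchor + timedelta(days=offset)).timestamp()
        os.utime(path, (ts, ts))
    return root, anchor


if __name__ == "__main__":
    root, anchor = build_sample_tree()
    for path, mtime in files_modified_near(root, anchor, window_days=3):
        print(mtime.isoformat(), path)
        with open(path, "rb") as fh:
            for s in extract_strings(fh.read()):
                print("    ", s)
```

On a real system the point of the date filter is to narrow thousands of files down to the handful worth opening, and the strings pass then gives a quick hint of what each candidate does before it is looked up further.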
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040324/38c685d6/attachment.html
