lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
From: asp at webexc.com (Ben Timby)
Subject: Possible Comprimised IIS 5  on Win2k help

Some useful info for beginners is here:
No Stone Unturned: Part One
http://www.securityfocus.com/infocus/1550

It basically presents some ideas for incident response, and provides 
descriptions and links for many useful tools. I would suggest reading 
through that set of articles to get an idea of how you should approach 
things.

Knowing more about your situation can help with more specific 
suggestions, but here are some general ones.

You need to enumerate the ports the machine listens on, and what 
processes have opened these ports. Capture as much information about 
running processes, filesystem timestamps, Event Log, logged in users, 
perhaps even file ACLs before you take the machine down. Preserve this 
information. I generally yank the harddrive at that point, and move it 
to a machine I use to investigate the contents, you can always bring the 
original machine up using a spare harddrive and backups (patch it!) if 
it is important to production. You need to find the logs for the 
legitimate services, so that you know what you need to review. 
Filesystem timestamps can be useful to help you locate the approximate 
time of compromise. Of course, logfiles for network security devices can 
also be useful, but again you need to determine the timeframe.

This is by no means a comprehensive approach, I don't have time to type 
all that up, perhaps others can contribute ideas as well.

James.McDermott@...frb.org wrote:
> I think my IIs 5.0(Win2k) Server has been comprimised. I would like to do 
> some forensics on it to find out how the person got in. I dont want to 
> re-image the machine and find out he setup a backdoor threw the code and 
> not the o/s
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ