Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Possible Comprimised IIS 5 on Win2k help
From: Ben Timby <asp () webexc com>
Date: Wed, 24 Mar 2004 14:43:21 -0500

Some useful info for beginners is here:
No Stone Unturned: Part One
http://www.securityfocus.com/infocus/1550

It basically presents some ideas for incident response, and provides descriptions and links for many useful tools. I would suggest reading through that set of articles to get an idea of how you should approach things.

Knowing more about your situation can help with more specific suggestions, but here are some general ones.

You need to enumerate the ports the machine listens on, and what processes have opened these ports. Capture as much information about running processes, filesystem timestamps, Event Log, logged in users, perhaps even file ACLs before you take the machine down. Preserve this information. I generally yank the harddrive at that point, and move it to a machine I use to investigate the contents, you can always bring the original machine up using a spare harddrive and backups (patch it!) if it is important to production. You need to find the logs for the legitimate services, so that you know what you need to review. Filesystem timestamps can be useful to help you locate the approximate time of compromise. Of course, logfiles for network security devices can also be useful, but again you need to determine the timeframe.

This is by no means a comprehensive approach, I don't have time to type all that up, perhaps others can contribute ideas as well.

James.McDermott () ny frb org wrote:
I think my IIs 5.0(Win2k) Server has been comprimised. I would like to do some forensics on it to find out how the person got in. I dont want to re-image the machine and find out he setup a backdoor threw the code and not the o/s


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]