Re: Possible Compromised IIS 5 on Win2k help
From: Ben Timby <asp () webexc com>
Date: Wed, 24 Mar 2004 14:43:21 -0500
Some useful info for beginners is here:
No Stone Unturned: Part One
It basically presents some ideas for incident response, and provides
descriptions and links for many useful tools. I would suggest reading
through that set of articles to get an idea of how you should approach
Knowing more about your situation can help with more specific
suggestions, but here are some general ones.
You need to enumerate the ports the machine listens on, and what
processes have opened these ports. Capture as much information about
running processes, filesystem timestamps, Event Log, logged in users,
perhaps even file ACLs before you take the machine down. Preserve this
information. I generally yank the hard drive at that point, and move it
to a machine I use to investigate the contents; you can always bring the
original machine up using a spare hard drive and backups (patch it!) if
it is important to production. You need to find the logs for the
legitimate services, so that you know what you need to review.
Filesystem timestamps can be useful to help you locate the approximate
time of compromise. Of course, logfiles for network security devices can
also be useful, but again you need to determine the timeframe.
This is by no means a comprehensive approach; I don't have time to type
all that up. Perhaps others can contribute ideas as well.
James.McDermott () ny frb org wrote:
I think my IIS 5.0 (Win2k) server has been compromised. I would like to do
some forensics on it to find out how the person got in. I don't want to
re-image the machine and find out he set up a backdoor through the code and
not the O/S.
Full-Disclosure - We believe in it.
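As an added example, not from this thread or its authors, the script below turns two of the suggestions above into working code: it correlates listening ports with the process that owns them, builds a file timeline so the approximate time of compromise can be narrowed down, and records a SHA-256 of each capture so the preserved evidence can be shown to be unaltered. It assumes Python 3 and that the `netstat -ano` and `tasklist /FO CSV /NH` text is captured to files before the box is taken down; all sample output, process names and timestamps here are constructed, not taken from a real host. Note that the `-o` (PID) column of `netstat` is not present on Windows 2000 itself; there the port-to-process mapping comes from a separate tool such as Fport, but the correlation logic is the same.

```python
"""Added example: correlate listening ports with owning processes, build a
filesystem timeline, and fingerprint captured evidence.  All sample data
below is constructed for illustration, not captured from a real host."""
import csv
import hashlib
import io
import re
from datetime import datetime

# Constructed `netstat -ano` capture (format matches Windows XP and later;
# on Windows 2000 the PID column would come from a port-to-process tool).
NETSTAT_OUTPUT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1234
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       1234
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING       2048
  TCP    10.0.0.5:80            10.0.0.9:51000         ESTABLISHED     1234
  UDP    0.0.0.0:161            *:*                                    900
"""

# Constructed `tasklist /FO CSV /NH` capture.
TASKLIST_OUTPUT = '''"inetinfo.exe","1234","Console","0","12,000 K"
"svchost.exe","900","Console","0","4,000 K"
"unknown.exe","2048","Console","0","1,500 K"
'''

# Constructed (path, created, last-modified) triples, as a forensic tool
# would report them from the pulled drive.
FILE_TIMESTAMPS = [
    ("C:/Inetpub/wwwroot/default.asp", "2004-01-10T09:00:00", "2004-03-22T02:16:30"),
    ("C:/WINNT/system32/unknown.exe", "2004-03-22T02:14:07", "2004-03-22T02:14:07"),
]

_NETSTAT_LINE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"\s+(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+)\s*$"
)


def parse_tasklist(text):
    """Map PID -> image name from CSV tasklist output."""
    return {int(row[1]): row[0] for row in csv.reader(io.StringIO(text)) if row}


def parse_netstat(text):
    """Yield one dict per socket line; header and blank lines are skipped."""
    for line in text.splitlines():
        m = _NETSTAT_LINE.match(line)
        if m:
            d = m.groupdict()
            d["port"] = int(d["local"].rsplit(":", 1)[1])
            d["pid"] = int(d["pid"])
            d["state"] = d["state"] or ""  # UDP lines carry no state column
            yield d


def listening_ports(netstat_text, tasklist_text):
    """Return sorted (proto, port, pid, process) for every listening TCP
    socket and every bound UDP socket, so each open port has a named owner."""
    names = parse_tasklist(tasklist_text)
    rows = [
        (s["proto"], s["port"], s["pid"], names.get(s["pid"], "<unknown pid>"))
        for s in parse_netstat(netstat_text)
        if s["proto"] == "UDP" or s["state"] == "LISTENING"
    ]
    return sorted(rows)


def build_timeline(records):
    """Flatten (path, created, modified) into (time, path, event) sorted by
    time; a modified time equal to the created time is not repeated."""
    events = []
    for path, created, modified in records:
        events.append((datetime.fromisoformat(created), path, "created"))
        if modified != created:
            events.append((datetime.fromisoformat(modified), path, "modified"))
    return sorted(events)


def events_since(timeline, since):
    """Events at or after `since` (ISO string), used to narrow the review
    window once a suspicious file's first appearance is known."""
    cutoff = datetime.fromisoformat(since)
    return [e for e in timeline if e[0] >= cutoff]


def fingerprint(capture):
    """SHA-256 of a captured output, recorded alongside the evidence so a
    later review can show the capture was not altered."""
    return hashlib.sha256(capture.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    for proto, port, pid, name in listening_ports(NETSTAT_OUTPUT, TASKLIST_OUTPUT):
        print(f"{proto:<4} {port:>6}  pid={pid:<6} {name}")
    timeline = build_timeline(FILE_TIMESTAMPS)
    for when, path, kind in events_since(timeline, "2004-03-01T00:00:00"):
        print(f"{when.isoformat()}  {kind:<8}  {path}")
    print("netstat capture sha256:", fingerprint(NETSTAT_OUTPUT))
```

Run against real captures by reading the two command outputs from the files you saved, then write the listing, the timeline and the digests to removable media rather than to the suspect disk, so the original evidence stays as it was when pulled.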