Security Incidents mailing list archives
Re: diagnose compromise on NT
From: H C <keydet89 () yahoo com>
Date: Mon, 22 Jul 2002 10:37:21 -0700 (PDT)
Jared,
> Does anyone know of any good tools that can be used on an NT 4.0 box to (help) diagnose a system compromise? I've been playing around with inzider with limited results.
Sure, there are a couple of things you can do. If you *suspect* that the system is compromised, I would suggest that you run 'netstat -an', fport.exe (FoundStone), handle.exe (SysInternals), pslist.exe (SysInternals), and listdlls.exe (SysInternals) on the system. If you don't have physical access, but do have network access to the box, you can use psexec.exe to run the tools.

Once this is done, and you've captured log files of each command by redirecting the output of those commands to files, go to http://patriot.net/~carvdawg/perl.html and get pd.zip, which is under Procdmp.pl. The archive contains a standalone executable that parses through the 5 log files you created and consolidates all of the information into an HTML file...an example of such output can be seen here: http://patriot.net/~carvdawg/pd.html

This will help you identify errant processes. If you do find something suspicious, then check log files...IIS, FTP, EventLogs, etc.

If you need any help or have any questions about anything I've said, drop me a line.

Carv

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
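As an added illustration of the consolidation step Carv describes (this is not the pd.zip / Procdmp.pl tool and is not from anyone in the thread), the following Python joins two of the five captures: it parses redirected 'netstat -an' and fport.exe output into one table and flags any listening socket that fport could not map to an owning process. The sample captures are constructed, and the column layouts are assumed from the NT 4.0 netstat and fport v1.33 formats.

```python
import re
# Constructed sample captures (not real data), in the column layout assumed for
# 'netstat -an' on NT 4.0 and for FoundStone's fport.exe (v1.33 style).
NETSTAT_LOG = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5555           0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1044       192.168.1.9:80         ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""
FPORT_LOG = """\
Pid   Process            Port  Proto Path
392   RpcSs          ->  135   TCP   C:\\WINNT\\system32\\RpcSs.exe
8     System         ->  139   TCP
8     System         ->  137   UDP
"""
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+\S+:(\d+)\s+\S+(?:\s+(\S+))?\s*$")
FPORT_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\s*(.*)$")

def parse_netstat(text):
    """Set of (proto, port) for listening TCP sockets and bound UDP sockets."""
    listening = set()
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        # UDP rows have no state column; for TCP keep only LISTENING rows
        if m and (m.group(1) == "UDP" or m.group(3) == "LISTENING"):
            listening.add((m.group(1), int(m.group(2))))
    return listening

def parse_fport(text):
    """Map (proto, port) -> (pid, process, path) from fport's table rows."""
    owners = {}
    for line in text.splitlines():
        m = FPORT_RE.match(line)
        if m:
            pid, proc, port, proto, path = m.groups()
            owners[(proto, int(port))] = (int(pid), proc, path.strip())
    return owners

def consolidate(netstat_text, fport_text):
    """Rows of (proto, port, pid, process, path), plus listeners with no owner."""
    owners = parse_fport(fport_text)
    rows, unmapped = [], []
    for proto, port in sorted(parse_netstat(netstat_text)):
        owner = owners.get((proto, port))
        rows.append((proto, port) + (owner or (None, "?", "")))
        if owner is None:  # a listener fport could not attribute: look closer
            unmapped.append((proto, port))
    return rows, unmapped
```

The same join extends naturally to the pslist and listdlls captures (keyed on pid) so that each listening port ends up beside its process and loaded modules in one report.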