Full Disclosure mailing list archives
RE: [inbox] Possible Comprimised IIS 5 on Win2k help
From: "Curt Purdy" <purdy () tecman com>
Date: Wed, 24 Mar 2004 12:27:28 -0600
James.McDermott () ny frb org wrote:
I think my IIs 5.0(Win2k) Server has been comprimised. I would like to do
some
forensics on it to find out how the person got in. I dont want to re-image
the
machine and find out he setup a backdoor threw the code and not the o/s
Get Vision from Foundstone as a good start, locate the illicite services and files. Do a date search several days around those shown by the services. Once you've found all the files (hopefully), Google until you've found what you've got and figure out how it got there and how to clean it. Also tools like strings is good for analyzing non-text files as well as many other tools from SysInternals. Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA Information Security Engineer DP Solutions ---------------------------------------- If you spend more on coffee than on IT security, you will be hacked. What's more, you deserve to be hacked. -- White House cybersecurity adviser Richard Clarke
Current thread:
- Possible Comprimised IIS 5 on Win2k help James . McDermott (Mar 24)
- RE: [inbox] Possible Comprimised IIS 5 on Win2k help Curt Purdy (Mar 24)
- Re: Possible Comprimised IIS 5 on Win2k help Ben Timby (Mar 24)
- Re: Possible Comprimised IIS 5 on Win2k help Harlan Carvey (Mar 24)