Security Incidents mailing list archives

Re: diagnose compromise on NT


From: H C <keydet89 () yahoo com>
Date: Mon, 22 Jul 2002 10:37:21 -0700 (PDT)

Jared,

Does anyone know of any good tools that can be used
on an NT 4.0 box to
(help) diagnose a system compromise? I've been
playing around with inzider with limited results.

Sure, there are a couple of things you can do. 

If you *suspect* that the system is compromised, I
would suggest that you run 'netstat -an', fport.exe
(FoundStone), handle.exe (SysInternals), pslist.exe
(SysInternals), and listdlls.exe (SysInternals) on the
system.  If you don't have physical access, but do
have network access to the box, you can use psexec.exe
to run the tools.

Once this is done, and you've captured log files of
each command by redirecting the output of those
commands to files, go to
http://patriot.net/~carvdawg/perl.html and get pd.zip,
which is under Procdmp.pl.  The archive contains a
standalone executable that parses through the 5 log
files you created and consolidates all of the
information into an HTML file...an example of such
output can be seen here:

http://patriot.net/~carvdawg/pd.html

This will help you identify errant processes.

If you do find something suspicious, then check log
files...IIS, FTP, EventLogs, etc.

If you need any help or have any questions about
anything I've said, drop me a line.

Carv
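The first two captures in the procedure above (netstat -an and fport output redirected to files) can be correlated without the procdmp tool. The following is an added example, not Carv's procdmp or any Foundstone/SysInternals code: it parses both logs, pairs every listening socket with the process fport attributes to it, and flags listeners that are not in a known-good baseline, have no owner in the fport capture, or are served by a binary outside %SystemRoot%. The two sample captures are constructed to approximate the column layout of NT 4.0 netstat and fport 2.0, and the baseline and system root are hypothetical values you would take from a known-good build of the same box.

```python
"""Correlate captured 'netstat -an' and fport output to spot errant listeners.

Added example; not part of the original post or of the procdmp tool.
Assumptions: the sample captures below are constructed to approximate the
column layout of NT 4.0 'netstat -an' and Foundstone fport 2.0; BASELINE and
SYSTEM_ROOT are hypothetical and would come from a known-good build.
"""
import re
from collections import namedtuple

Listener = namedtuple("Listener", "proto ip port")
Owner = namedtuple("Owner", "pid process path")

# Constructed sample: what 'netstat -an > netstat.txt' might capture on NT 4.0.
NETSTAT_TXT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING
  TCP    192.168.1.5:139        192.168.1.7:1044       ESTABLISHED
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  UDP    0.0.0.0:135            *:*
"""

# Constructed sample: 'fport > fport.txt'. Port 31337 is deliberately served
# by a binary outside %SystemRoot%; port 3389 deliberately has no entry.
FPORT_TXT = """
FPort v2.0 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.

Pid   Process            Port  Proto Path
392   RPCSS          ->  135   TCP   C:\\WINNT\\system32\\RPCSS.EXE
392   RPCSS          ->  135   UDP   C:\\WINNT\\system32\\RPCSS.EXE
8     System         ->  139   TCP
1204  winlog         ->  31337 TCP   C:\\TEMP\\winlog.exe
"""

# Hypothetical baseline: (proto, port) pairs this box is expected to serve.
BASELINE = {("TCP", 135), ("UDP", 135), ("TCP", 139)}
SYSTEM_ROOT = "C:\\WINNT"  # hypothetical; NT 4.0 default install path

# netstat: proto, local ip:port, foreign address, optional state (UDP has none)
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?\s*$")
# fport: pid, process, '->', port, proto, optional path (kernel sockets have none)
FPORT_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)(?:\s+(.*\S))?\s*$")


def parse_netstat(text):
    """Return listening sockets: TCP in LISTENING state plus every UDP socket."""
    listeners = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        proto, ip, port, state = m.group(1), m.group(2), int(m.group(3)), m.group(4)
        if proto == "TCP" and state != "LISTENING":
            continue
        listeners.append(Listener(proto, ip, port))
    return listeners


def parse_fport(text):
    """Map (proto, port) to the owning process as reported by fport."""
    owners = {}
    for line in text.splitlines():
        m = FPORT_RE.match(line)
        if not m:
            continue
        pid, process, port, proto, path = m.groups()
        owners[(proto, int(port))] = Owner(int(pid), process, path or "")
    return owners


def correlate(listeners, owners, baseline=BASELINE, system_root=SYSTEM_ROOT):
    """Attach the fport owner and a list of reasons for concern to each listener."""
    findings = []
    for lst in listeners:
        owner = owners.get((lst.proto, lst.port))
        reasons = []
        if (lst.proto, lst.port) not in baseline:
            reasons.append("port not in baseline")
        if owner is None:
            reasons.append("no owning process in fport output")
        elif owner.path and not owner.path.upper().startswith(system_root.upper()):
            reasons.append("binary outside %SystemRoot%: " + owner.path)
        findings.append((lst, owner, reasons))
    return findings


def suspicious(findings):
    """Only the listeners that earned at least one reason."""
    return [f for f in findings if f[2]]


if __name__ == "__main__":
    hits = suspicious(correlate(parse_netstat(NETSTAT_TXT), parse_fport(FPORT_TXT)))
    for lst, owner, reasons in hits:
        who = "pid %d %s" % (owner.pid, owner.process) if owner else "<no owner>"
        print("%s/%d %s: %s" % (lst.proto, lst.port, who, "; ".join(reasons)))
```

Run it against the real captures by reading netstat.txt and fport.txt into the two strings. A listener with no fport owner is worth a second look but is not proof of anything by itself: the two commands are run seconds apart, so a short-lived socket can appear in one capture and not the other, and fport reports kernel-owned sockets as pid 8 System rather than omitting them. The pslist and listdlls captures from the same procedure are the next place to look for the pids this script surfaces.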



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

