Security Incidents mailing list archives
Re: NKADM rootkit - Something new?
From: Paul Schmehl <pauls () utdallas edu>
Date: Wed, 26 May 2004 14:12:44 -0500
--On Wednesday, May 26, 2004 09:32:00 AM -0700 Harlan Carvey <keydet89 () yahoo com> wrote:

> This is an excellent example of what happens when you take the easy route and look at something (particularly on Windows systems) based on filenames or open ports...both are configurable in most cases.

I agree, Harlan. In general, here's what I do to examine a Windows box that is suspected of compromise (much of this requires tools which I have accumulated on a CD - Foundstone, Sysinternals, etc.):

1) scan for open ports (from another host)
2) run a full virus scan on the machine (by full I mean heuristics, all files, archived files, Mime encoded files, etc., etc.)
3) search for all files *created* just prior to the suspected compromise date
4) search for all *.ini files and inspect the unusual ones - this usually yields a treasure trove of file names and locations (I once found a text file that had nothing in it except "You're pretty good if you found this!")
5) Look for anything stored in the Recycler folders on each hard drive
6) Inspect all Run keys in the registry
7) Look at all running services
8) Look in %windir%\%system32%\drivers and its subfolders (favorite hiding place)
9) Look in all Temp directories (another favorite hiding place)
10) inspect all logs for evidence of a break-in date

Frankly, I could care less about the filenames. They're seldom useful anyway. I've seen ServU named almost anything from servuftp.exe to svchost.exe to setup.exe.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/
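A read-only triage collector for steps 3 to 9 of the checklist above, added here as an example and not code from the thread or its participants; it assumes an elevated PowerShell session, a caller-supplied compromise date, and current Windows paths for the recycle bin and per-user temp folders, and it keys its output on paths, timestamps and signatures rather than the filenames the post says are seldom useful.

```powershell
# Added example, not the thread's own code: a read-only collector for steps 3 to 9 of
# the checklist above. Assumes an elevated PowerShell session and that the caller knows
# the approximate compromise date. Output is keyed on path, creation time and
# Authenticode status rather than filename, since names are trivial to change.
param(
    [Parameter(Mandatory)][datetime]$SuspectedDate,
    [int]$DaysBefore = 3,    # assumption: how far before the date to look for new files
    [string]$OutDir = "$env:TEMP\triage-$(Get-Date -Format yyyyMMdd-HHmm)"
)
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$sys = $env:SystemDrive; $win = $env:SystemRoot
function Save($Name, $Items) { if ($Items) { $Items | Export-Csv "$OutDir\$Name.csv" -NoTypeInformation } }
function Files($Paths, $Filter = '*') {
    Get-ChildItem $Paths -Recurse -File -Force -Filter $Filter -ErrorAction SilentlyContinue
}

# Step 3: files created in the window just before the suspected compromise date
$from = $SuspectedDate.AddDays(-$DaysBefore)
Save '03_created_before_date' (Files "$sys\" |
    Where-Object { $_.CreationTime -ge $from -and $_.CreationTime -le $SuspectedDate } |
    Select-Object FullName, CreationTime, LastWriteTime, Length)

# Step 4: every .ini file on the system drive, for manual review of the odd ones
Save '04_ini_files' (Files "$sys\" '*.ini' | Select-Object FullName, LastWriteTime, Length)
# Step 5: recycle bin contents (hidden folder, named $Recycle.Bin on current Windows)
Save '05_recycler' (Files "$sys\`$Recycle.Bin" | Select-Object FullName, CreationTime, Length)

# Step 6: Run/RunOnce values for the machine and current user (other users' hives
# must be loaded from their NTUSER.DAT first)
Save '06_run_keys' $(foreach ($hive in 'HKLM:', 'HKCU:') {
    foreach ($k in 'Run', 'RunOnce') {
        $p = "$hive\Software\Microsoft\Windows\CurrentVersion\$k"
        (Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { [pscustomobject]@{ Key = $p; Name = $_.Name; Command = $_.Value } }
    }
})

# Step 7: every service with its real binary path, state and start mode
Save '07_services' (Get-CimInstance Win32_Service |
    Select-Object Name, DisplayName, State, StartMode, PathName)

# Step 8: drivers folder and subfolders, with Authenticode status for each file
Save '08_drivers' (Files "$win\System32\drivers" | ForEach-Object {
    [pscustomobject]@{ Path = $_.FullName; Created = $_.CreationTime
                       Signature = (Get-AuthenticodeSignature $_.FullName).Status } })

# Step 9: temp directories (system temp plus each profile's local temp; profile path assumed)
Save '09_temp_dirs' (Files @("$win\Temp", "$sys\Users\*\AppData\Local\Temp") |
    Select-Object FullName, CreationTime, Length)
```

Each step writes one CSV under the output folder so the lists can be reviewed offline; a service or Run entry whose PathName points into a temp or drivers folder, or a driver whose signature status is not Valid, is what to read first.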