subject: (Fwd) Re: diagnose compromise on NT
posted: Wed, 24 Jul 2002 18:59:40 +0100



------- Forwarded message follows -------
Date sent: Mon, 22 Jul 2002 10:37:21 -0700 (PDT)
From: H C <[email protected]>
Subject: Re: diagnose compromise on NT
To: "Ingersoll, Jared" <[email protected]>, [email protected]
Copies to: [email protected], [email protected]


Jared,

> Does anyone know of any good tools that can be used
> on an NT 4.0 box to
> (help) diagnose a system compromise? I've been
> playing around with inzider with limited results.

Sure, there are a couple of things you can do.

If you *suspect* that the system is compromised, I
would suggest that you run 'netstat -an', fport.exe
(FoundStone), handle.exe (SysInternals), pslist.exe
(SysInternals), and listdlls.exe (SysInternals) on the
system. If you don't have physical access, but do
have network access to the box, you can use psexec.exe
to run the tools.

Once this is done, and you've captured log files of
each command by redirecting the output of those
commands to files, go to
http://patriot.net/~carvdawg/perl.html and get pd.zip,
which is under Procdmp.pl. The archive contains a
standalone executable that parses through the 5 log
files you created and consolidates all of the
information into an HTML file...an example of such
output can be seen here:

http://patriot.net/~carvdawg/pd.html

This will help you identify errant processes.

If you do find something suspicious, then check log
files...IIS, FTP, EventLogs, etc.

If you need any help or have any questions about
anything I've said, drop me a line.

Carv



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
------- End of forwarded message -------

---
* Origin: [adminz] tech, security, support (192.168.0.2)
