Full Disclosure mailing list archives

Re: Possible Compromised IIS 5 on Win2k help


From: Ben Timby <asp () webexc com>
Date: Wed, 24 Mar 2004 14:43:21 -0500

Some useful info for beginners is here:
No Stone Unturned: Part One
http://www.securityfocus.com/infocus/1550

It basically presents some ideas for incident response, and provides descriptions and links for many useful tools. I would suggest reading through that set of articles to get an idea of how you should approach things.

Knowing more about your situation can help with more specific suggestions, but here are some general ones.

You need to enumerate the ports the machine listens on, and what processes have opened these ports. Capture as much information about running processes, filesystem timestamps, Event Log, logged in users, perhaps even file ACLs before you take the machine down. Preserve this information. I generally yank the hard drive at that point, and move it to a machine I use to investigate the contents; you can always bring the original machine up using a spare hard drive and backups (patch it!) if it is important to production. You need to find the logs for the legitimate services, so that you know what you need to review. Filesystem timestamps can be useful to help you locate the approximate time of compromise. Of course, logfiles for network security devices can also be useful, but again you need to determine the timeframe.

This is by no means a comprehensive approach; I don't have time to type all that up. Perhaps others can contribute ideas as well.

James.McDermott () ny frb org wrote:
I think my IIS 5.0 (Win2k) server has been compromised. I would like to do some forensics on it to find out how the person got in. I don't want to re-image the machine and find out he set up a backdoor through the code and not the O/S.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
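The capture step Ben describes (listening ports joined to their owning processes, process list, logged-in users, Event Logs, web-root timestamps and ACLs, all preserved before shutdown) as an added example; this is not code from the thread. It assumes PowerShell 5.1 or later on a current Windows host run from an elevated prompt (Win2k itself predates these cmdlets), and $EvidenceRoot and $WebRoot are placeholder paths to adjust.

```powershell
# Added example, not from the original post: first-pass volatile-data capture on a live
# Windows host before it is taken down. Assumes PowerShell 5.1+, elevated prompt.
$EvidenceRoot = Join-Path $env:SystemDrive ("IR_{0}_{1}" -f $env:COMPUTERNAME, (Get-Date -Format 'yyyyMMdd_HHmmss'))
$WebRoot      = 'C:\inetpub\wwwroot'   # assumed IIS content root; change to the real site path
New-Item -ItemType Directory -Path $EvidenceRoot -Force | Out-Null
function Out-Evidence($Name) { Join-Path $EvidenceRoot $Name }

# Process table keyed by PID (UInt32, same type as OwningProcess below) so that each
# listener can be joined to the program that opened it.
$procs = @{}
Get-CimInstance Win32_Process | ForEach-Object { $procs[$_.ProcessId] = $_ }
$procs.Values |
    Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine, CreationDate |
    Export-Csv -NoTypeInformation (Out-Evidence 'processes.csv')

# Listening TCP sockets and bound UDP endpoints, each with the owning process, image and start time.
$(Get-NetTCPConnection -State Listen | Select-Object @{n='Proto';e={'TCP'}}, LocalAddress, LocalPort, OwningProcess
  Get-NetUDPEndpoint               | Select-Object @{n='Proto';e={'UDP'}}, LocalAddress, LocalPort, OwningProcess) |
ForEach-Object {
    $p = $procs[$_.OwningProcess]   # $null if the process exited between the two snapshots
    [pscustomobject]@{
        Proto = $_.Proto; LocalAddress = $_.LocalAddress; LocalPort = $_.LocalPort
        PID = $_.OwningProcess; Process = $p.Name; Image = $p.ExecutablePath; Started = $p.CreationDate
    }
} | Sort-Object Proto, LocalPort | Export-Csv -NoTypeInformation (Out-Evidence 'listeners.csv')

# Logged-on sessions and the main Event Logs, exported intact for offline review.
quser 2>&1 | Out-File (Out-Evidence 'sessions.txt')
foreach ($log in 'Security', 'System', 'Application') { wevtutil epl $log (Out-Evidence "$log.evtx") }

# Filesystem timestamps (UTC) and ACLs for the web content, the raw material for a compromise timeline.
$files = Get-ChildItem -Path $WebRoot -Recurse -Force -File -ErrorAction SilentlyContinue
$files | Select-Object FullName, Length, CreationTimeUtc, LastWriteTimeUtc, LastAccessTimeUtc |
    Export-Csv -NoTypeInformation (Out-Evidence 'webroot_timestamps.csv')
$files | ForEach-Object {
    $a = Get-Acl -LiteralPath $_.FullName -ErrorAction SilentlyContinue
    [pscustomobject]@{ Path = $_.FullName; Owner = $a.Owner; Sddl = $a.Sddl }
} | Export-Csv -NoTypeInformation (Out-Evidence 'webroot_acls.csv')

# Hash everything collected (snapshot the listing first so the manifest does not hash itself)
# so the evidence can later be shown to be unchanged.
$items = Get-ChildItem -Path $EvidenceRoot -File
$items | Get-FileHash -Algorithm SHA256 | Select-Object Hash, Path |
    Export-Csv -NoTypeInformation (Out-Evidence 'SHA256SUMS.csv')
```

Copy the evidence folder off the host (and its hash manifest to a separate place) before pulling the drive, since anything left on the machine is part of what is being investigated.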

