Paul, I have a script set just for investigating intrusions on a MSFT OS network.
It begins with an excessive failed login script and goes from there. Look it over here:

http://www.infragard.net/library/congress_05/computer_forensics/index.htm

If you think the toolbox will help you, let me know and I will send it to you, or to anyone else who would like a copy. Or you can just cut and paste the scripts from the PDF and use them manually.

If you find any of the above useful, you should definitely take a look at the Microsoft Log Parser Toolkit:

http://www.syngress.com/catalog/?pid=3110

Regards,
Dave

-----Original Message-----
From: Harlan Carvey [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, November 15, 2005 06:11
To: [EMAIL PROTECTED]; 'Paul Greene'; [email protected]
Subject: RE: break in?

Laura,

> Okay, a few things first:
>
> 1. You say you saw lots of failed login attempts.
> Did you see any successful ones?

Good call.

> 2. The printers that appeared on your DC are normal.
> By default, the RDP client will try to install the printers that are
> installed on the client machine into the terminal session, as well.

Very interesting.

> 3. Have you run netstat to see what's trying to connect to the ftp and
> web sites? I'd recommend netstat -b -v so you can see the executables
> that spawned the processes making the connections.

I wasn't aware that the -b switch worked on Win2K...I thought that it was only XP that the switch worked on. I'll have to try that one at home later, on a Win2K VMWare session. The OP stated in his post, "I have a Win2K domain controller running on my home network..."
Harlan

------------------------------------------
Harlan Carvey, CISSP
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com
------------------------------------------
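As an added worked example (not part of the thread above, and not Dave's script set or anything from the Log Parser Toolkit): a small Python script that does the two checks the thread talks about, the "excessive failed login" sweep and Harlan's point 1, whether any of those failures turned into a successful logon from the same machine. The input is a constructed CSV in the rough shape of a Log Parser export of the Windows 2000 Security log; the column names are this example's own, not Log Parser's, and the sample rows are made up. The event IDs are the pre-Vista audit IDs: 529 (logon failure, unknown user name or bad password), 528 (successful logon) and 540 (successful network logon).

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample data (not from the original thread): rows shaped like a
# Log Parser export of the Windows 2000 Security log, one logon event per row.
# Windows 2000/XP audit event IDs used here: 529 = logon failure (unknown user
# name or bad password), 528 = successful logon, 540 = successful network logon.
# The column names are an assumption of this example, not Log Parser's own.
SAMPLE_EXPORT = """\
TimeGenerated,EventID,User,Workstation,LogonType
2005-11-14 22:01:03,529,administrator,ATTACKBOX,3
2005-11-14 22:01:09,529,administrator,ATTACKBOX,3
2005-11-14 22:01:15,529,administrator,ATTACKBOX,3
2005-11-14 22:01:22,529,administrator,ATTACKBOX,3
2005-11-14 22:01:31,529,administrator,ATTACKBOX,3
2005-11-14 22:01:40,529,administrator,ATTACKBOX,3
2005-11-14 22:02:10,540,Administrator,ATTACKBOX,3
2005-11-14 22:05:00,529,laura,WORKSTATION1,2
2005-11-14 22:05:12,528,laura,WORKSTATION1,2
2005-11-14 22:07:44,529,guest,PRINTSERVER,3
2005-11-14 22:30:01,529,guest,PRINTSERVER,3
"""

FAILED_LOGON = {529}
SUCCESSFUL_LOGON = {528, 540}


def parse_export(text):
    """Parse the CSV export into dicts, normalising case so that
    'Administrator' and 'administrator' count as the same account."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        rows.append({
            "time": datetime.strptime(row["TimeGenerated"], "%Y-%m-%d %H:%M:%S"),
            "event_id": int(row["EventID"]),
            "user": row["User"].lower(),
            "workstation": row["Workstation"].upper(),
            "logon_type": int(row["LogonType"]),
        })
    rows.sort(key=lambda r: r["time"])
    return rows


def excessive_failures(rows, threshold=5, window=timedelta(minutes=10)):
    """Sliding-window count of 529s per (user, workstation).
    Returns {(user, workstation): peak failures seen inside one window}
    for every pair that reached the threshold."""
    recent = defaultdict(list)
    hits = {}
    for r in rows:
        if r["event_id"] not in FAILED_LOGON:
            continue
        key = (r["user"], r["workstation"])
        times = recent[key]
        times.append(r["time"])
        # drop failures that have fallen out of the window
        while r["time"] - times[0] > window:
            times.pop(0)
        if len(times) >= threshold:
            hits[key] = max(hits.get(key, 0), len(times))
    return hits


def failures_then_success(rows, min_failures=3, window=timedelta(minutes=30)):
    """Did any of the failures turn into a success?
    Returns [(user, workstation, success_time, preceding_failures)] for each
    successful logon preceded by at least min_failures failures for the same
    account from the same workstation inside the window. A lone typo
    (one failure, then success) stays below the threshold and is not reported."""
    recent = defaultdict(list)
    findings = []
    for r in rows:
        key = (r["user"], r["workstation"])
        if r["event_id"] in FAILED_LOGON:
            recent[key].append(r["time"])
        elif r["event_id"] in SUCCESSFUL_LOGON:
            fails = [t for t in recent[key] if r["time"] - t <= window]
            if len(fails) >= min_failures:
                findings.append((r["user"], r["workstation"], r["time"], len(fails)))
            recent[key] = []  # a success ends the run of failures
    return findings


if __name__ == "__main__":
    events = parse_export(SAMPLE_EXPORT)
    for (user, ws), n in excessive_failures(events).items():
        print(f"EXCESSIVE: {n} failed logons for {user} from {ws}")
    for user, ws, when, n in failures_then_success(events):
        print(f"SUCCESS AFTER {n} FAILURES: {user} from {ws} at {when}")
```

On the sample data the first check flags only ATTACKBOX (six failures against administrator inside ten minutes), and the second check turns that into the finding that matters: the same box got a successful network logon as Administrator forty seconds later. Laura's single mistyped password followed by a success is the normal case and is left alone. Against a real box, feed the script the CSV from your own Log Parser query and adjust the column names to match.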
