[EMAIL PROTECTED] wrote:
> I think my IIS 5.0 (Win2k) server has been compromised. I would like to do some
> forensics on it to find out how the person got in. I don't want to re-image the
> machine and find out he set up a backdoor through the code and not the o/s

Get Vision from Foundstone as a good start, and locate the
illicit services and files. Do a date search several days around those
shown by the services. Once you've found all the files (hopefully), Google
until you've found what you've got and figure out how it got there and how to
clean it. Also, tools like strings are good for analyzing non-text files, as
are many other tools from SysInternals.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions
----------------------------------------
If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- White House cybersecurity adviser Richard Clarke
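
The date search suggested in the reply above, sketched as an added example that is not part of the original message: it takes the modified times of the files already identified as illicit and lists every file whose timestamps fall within a few days of them. The function names, the file names in the demo and the three-day default are assumptions, and it is meant to be run against a read-only copy or mounted image of the disk.

```python
import os
import tempfile
from datetime import datetime, timedelta

def pivot_times(paths):
    """Modified times of the files already identified as illicit."""
    return [datetime.fromtimestamp(os.stat(p).st_mtime) for p in paths]

def files_near(root, pivots, days=3):
    """Files under root whose mtime or ctime is within `days` of any pivot.

    st_ctime is the creation time on Windows and the inode-change time on
    Unix. An intruder can alter timestamps, so treat the hits as leads,
    not as a complete list."""
    window = timedelta(days=days)
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue  # unreadable or vanished file: skip it
            mtime = datetime.fromtimestamp(st.st_mtime)
            ctime = datetime.fromtimestamp(st.st_ctime)
            if any(abs(s - p) <= window for s in (mtime, ctime) for p in pivots):
                hits.append((path, mtime, ctime))
    return sorted(hits, key=lambda h: h[1])  # oldest modification first

if __name__ == "__main__":
    # Constructed sample tree: one known-bad service binary and two other files.
    root = tempfile.mkdtemp()
    sample = {"svc.exe": datetime(2003, 6, 10, 12, 0),
              "dropped.dll": datetime(2003, 6, 12, 9, 0),
              "old.txt": datetime(2001, 1, 1, 0, 0)}
    for name, when in sample.items():
        path = os.path.join(root, name)
        open(path, "w").close()
        os.utime(path, (when.timestamp(), when.timestamp()))
    suspects = [os.path.join(root, "svc.exe")]
    for path, mtime, _ctime in files_near(root, pivot_times(suspects)):
        print(f"{mtime:%Y-%m-%d %H:%M}  {path}")
```
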
