I would start with an IDS. If all you know is Windows, you can still use
some of the best *nix tools:

Windump-
http://netgroup-serv.polito.it/windump/
A basic packet sniffer, modeled after tcpdump. You'll need at least the
libpcap drivers in order to run either of the next two programs.

Ngrep-
http://www.packetfactory.net/Projects/ngrep/
"Network grep", a packet sniffer/decoder to search for patterns in network
traffic with regular expressions

Snort-
http://www.snort.org
Popular network intrusion detection system. Add-ons like snortsnarf allow
you to produce nice web-based reports of activity. The Microsoft section of
SecurityFocus.com (below) has an article about running Snort on IIS servers.

Optimally you should run these on a *separate* machine which is physically
on the same LAN segment. If you are compromised an intruder can use these
against you. If you have a switch you'll either need to configure port
mirroring or install a hub between the suspect server and the switch. I
would first perform a clean install of your operating system, and then
follow all of the hardening instructions here:
http://www.securityfocus.com/frames/index.html?focus=microsoft
Use the links on the left sidebar for IIS and NT.

Also, if you know some accounts that have been compromised, you might be
able to find the intruder with a web bug. Assuming he/she is using a mail
client that loads graphics, send an html-formatted mail to that account,
with a call to a 1x1 transparent gif. Point it at a file on a web server that
isn't linked anywhere else, and then monitor your server logs to learn the
cracker's IP address. Spammers use this trick all the time, except that
they also pass information in the call to the image so that they can track
which recipients are reading their spam. If I were going to try this
approach, I'd actually send it inside actual recycled spam I've received,
but giving it an interesting subject line like "security changes". I'd also
send it from a free/outside provider, preferably one that doesn't reveal
your source IP.
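The server-side half of the web-bug idea above is just watching your own access log for requests to the unlinked image. As an added example (not from the list posting), here is a small parser for IIS W3C Extended logs that reports every client that fetched such a canary file; the log lines, field set and image path are constructed for illustration.

```python
from typing import Dict, List

# Constructed sample of an IIS 5 W3C Extended log (hypothetical values).
# IIS writes spaces inside a field as '+', so User-Agent is one token.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-09-21 00:00:00
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs(User-Agent)
2001-09-21 08:01:12 192.0.2.10 GET /default.htm 200 Mozilla/4.0+(compatible;+MSIE+5.5)
2001-09-21 08:05:40 203.0.113.77 GET /img/x9f3k2.gif 200 Mozilla/4.7+[en]+(Win98)
2001-09-21 08:05:41 203.0.113.77 GET /favicon.ico 404 Mozilla/4.7+[en]+(Win98)
2001-09-21 09:12:03 198.51.100.5 GET /img/x9f3k2.gif 304 Mozilla/4.0+(compatible;+MSIE+5.5)
"""

CANARY_PATH = "/img/x9f3k2.gif"  # hypothetical unlinked 1x1 gif


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse W3C Extended log lines into dicts keyed by the #Fields header."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # header may repeat when the log rolls over
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed line: skip rather than misalign columns
        rows.append(dict(zip(fields, values)))
    return rows


def canary_hits(text: str, path: str = CANARY_PATH) -> List[Dict[str, str]]:
    """Every request for the canary file. A 304 (cached) response still reveals the client."""
    hits = []
    for row in parse_w3c(text):
        if row.get("cs-uri-stem", "").lower() == path.lower():
            hits.append({
                "ip": row["c-ip"],
                "when": f"{row['date']} {row['time']}",
                "status": row["sc-status"],
                "agent": row.get("cs(User-Agent)", "-").replace("+", " "),
            })
    return hits


def distinct_sources(text: str, path: str = CANARY_PATH) -> List[str]:
    """Unique client addresses that fetched the canary, in first-seen order."""
    seen: List[str] = []
    for hit in canary_hits(text, path):
        if hit["ip"] not in seen:
            seen.append(hit["ip"])
    return seen
```

Run it over the real log directory instead of SAMPLE_LOG, and remember that a hit only shows the address the mail was opened from, which may be a proxy or a dial-up pool rather than the person.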




-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Kyrre Wathne
Sent: Thursday, September 20, 2001 5:47 AM
To: [EMAIL PROTECTED]
Subject: [IMail Forum] Blackmail by hacker

Hello. I'm being blackmailed by a user who claims he has gained unauthorized
access to other users' accounts. I'm running IMail 6.06 with the user db in
MSSQL 7. Am also running IIS5 on the same server. Any ideas on how I can
track down potential security holes?

Thanks,

Kyrre


Please visit http://www.ipswitch.com/support/mailing-lists.html
to be removed from this list.

An Archive of this list is available at:
http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
