
Tracing what NMAP and Dameware has looked at!!!

May 14, 2002
I have been asked to look at a server which is running NT4.0 which acts as a gateway to the internet via an NTL business broadband connection for browsing and e-mail access. The machine is running MS Proxy 2.0 and Exchange 5.5 as the mail server element. This is then connected to a LAN using a separate network card, and different IP address range.

The machine has recently been hit with Dameware, and has NMAP installed on it (but not by the owners of the server, surprise, surprise!!!) via the internet, judging by the name of the machine which has been logged in the security event log. Is there any way of looking at log files produced by these programs to see what has been looked at on other machines on the network?

What else should I be looking for in the same sort of arena in order to give my boss a definitive answer as to what has or has not been accessed?

Any help would be appreciated.

Cheers,

Andrew
 
Basically do a Find all and select the advanced time option and search for * with the time/date that the software was installed.

From the looks of it someone got on your server and port scanned your internal network. NMAP is used for port scanning and the only reason it would be there is for that reason.

You can go to and read all about DameWare. It is possible that a previous admin possibly installed it unless you're the only one and the date is valid.

What I suggest is to look at the ownership of the executables and you will see the username used when that software was installed and thereby taking further action by uninstalling it and changing the password.

There are many more security related things you can do but I will leave you at that for now.

Let us know if there are any questions :)
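The reply above describes two manual checks: a "Find all" by date to list files that appeared around the time the tools were installed, and a look at who owns those executables. The script below is an added example (not from the thread or its posters) that does the same thing from a file-system timeline: it walks a directory tree, keeps files whose modification time falls inside a window around a suspected install time, and records the owner where the platform reports one. It assumes Python 3 and that the analyst has already chosen the window from the security event log; the directory tree, file names and timestamps it builds are constructed for the demonstration, and the install time used is a placeholder. On an NTFS volume the analyst would also compare creation times, which this example does not set because `os.utime` can only back-date access and modification times.

```python
import os
import tempfile
from datetime import datetime, timedelta
from pathlib import Path


def file_owner(path):
    """Return the owning account of `path`, or 'unknown' where the platform
    or Python version cannot report it (Path.owner() is Unix-only on
    older Pythons)."""
    try:
        return path.owner()
    except (NotImplementedError, ImportError, KeyError, OSError):
        return "unknown"


def files_changed_within(root, start, end):
    """Walk `root` and return [(relative_path, mtime, owner), ...] for every
    file whose modification time lies inside [start, end], oldest first.
    Unreadable entries are skipped rather than aborting the sweep."""
    root = Path(root)
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            p = Path(dirpath) / name
            try:
                st = p.stat()
            except OSError:
                continue
            mtime = datetime.fromtimestamp(st.st_mtime)
            if start <= mtime <= end:
                hits.append((str(p.relative_to(root)), mtime, file_owner(p)))
    hits.sort(key=lambda h: h[1])
    return hits


def build_demo_tree():
    """Constructed sample tree (not real evidence): a few files with
    back-dated timestamps so the sweep can be demonstrated offline.
    Returns (root, suspected_install_time)."""
    root = Path(tempfile.mkdtemp(prefix="ir_timeline_demo_"))
    install = datetime(2002, 5, 10, 22, 15)  # placeholder install time
    samples = {
        "winnt/system32/nmap.exe": install,
        "winnt/system32/remote_tool.exe": install + timedelta(minutes=3),
        "inetpub/logs/old.log": install - timedelta(days=40),
        "users/report.doc": install + timedelta(days=30),
    }
    for rel, when in samples.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"placeholder")
        ts = when.timestamp()
        os.utime(p, (ts, ts))  # sets atime and mtime; ctime cannot be set
    return root, install


if __name__ == "__main__":
    root, install = build_demo_tree()
    # One hour either side of the suspected install time.
    window = (install - timedelta(hours=1), install + timedelta(hours=1))
    for rel, mtime, owner in files_changed_within(root, *window):
        print(f"{mtime:%Y-%m-%d %H:%M}  {owner:<12}  {rel}")
```

Run against a real volume, widen the window gradually: the first pass catches the tool drop itself, later passes catch what the intruder touched afterwards, and any file owned by an account that should not have been writing to the system directory is the one to pull the event-log entries for.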
 
Here's an idea! Get a firewall! I know, sounds crazy right, but I hear people actually use them!
[/sarcasm]
Tear down your proxy, and rebuild it from scratch. Put in a firewall before the proxy, and apply an appropriate rulebase.

As far as what has been compromised. Logs. They're your only hope now. Of course you could always keep the compromised box up and running, and sniff what's going in and out. You'll see what the nasty is trying to get at. Although that is a very bad idea, it will still tell you what's been compromised.

Either way, get the firewall, rebuild the proxy/email server, then scan your network for trojans and viruses.

On a side note, NMAP logs wouldn't really help you since he probably scanned everything on your network. Then attacked what he wanted.
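The side note above is right that a scan log alone does not show what was attacked, but if the intruder left nmap output behind it does answer the original question of which internal hosts were looked at. The parser below is an added example (not from the thread or from the nmap project) for nmap's "grepable" output format, the one produced with `-oG`, where each line is `Host: <ip> (<name>)` followed by tab-separated `Status:` and `Ports:` fields and each port entry is `port/state/proto/owner/service/rpc/version/`. It assumes Python 3; the sample scan text is constructed to resemble that layout and is not real output from the compromised server. The second function narrows the list to hosts where the scanner saw open ports, which is where an assurance exercise over the other servers should start.

```python
import re
from collections import defaultdict

# Constructed sample in nmap's grepable (-oG) layout; not real scan output.
SAMPLE_GNMAP = """\
# Nmap scan initiated (constructed sample) as: nmap -sS -oG scan.gnmap 10.0.1.0/24
Host: 10.0.1.2 ()\tStatus: Up
Host: 10.0.1.2 ()\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (1650)
Host: 10.0.1.7 (fileserver)\tStatus: Up
Host: 10.0.1.7 (fileserver)\tPorts: 21/open/tcp//ftp///, 139/open/tcp//netbios-ssn///, 3389/filtered/tcp//ms-wbt-server///\tIgnored State: closed (1649)
Host: 10.0.1.9 ()\tStatus: Down
# Nmap done at (constructed sample) -- 256 IP addresses (2 hosts up) scanned
"""

# "Host: <ip> (<name>)" then a tab and the remaining tab-separated fields.
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\t(.*)$")


def parse_gnmap(text):
    """Parse grepable nmap output into
    {ip: {"name": str, "status": str | None,
          "ports": [(port, state, proto, service), ...]}}.
    Comment and summary lines are ignored; malformed lines are skipped."""
    hosts = defaultdict(lambda: {"name": "", "status": None, "ports": []})
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, name, rest = m.groups()
        entry = hosts[ip]
        if name:
            entry["name"] = name
        for field in rest.split("\t"):
            key, _, value = field.partition(": ")
            if key == "Status":
                entry["status"] = value
            elif key == "Ports":
                for item in value.split(", "):
                    parts = item.split("/")
                    if len(parts) < 5 or not parts[0].isdigit():
                        continue
                    entry["ports"].append(
                        (int(parts[0]), parts[1], parts[2], parts[4]))
    return dict(hosts)


def open_ports_by_host(hosts):
    """Only the hosts on which the scanner found open ports, mapped to a
    sorted list of those ports. Hosts that were down or fully closed drop out."""
    result = {}
    for ip, entry in hosts.items():
        open_ports = sorted(p for p, state, _, _ in entry["ports"] if state == "open")
        if open_ports:
            result[ip] = open_ports
    return result


if __name__ == "__main__":
    scanned = parse_gnmap(SAMPLE_GNMAP)
    print(f"{len(scanned)} hosts appear in the scan log")
    for ip, ports in open_ports_by_host(scanned).items():
        name = scanned[ip]["name"] or "-"
        print(f"{ip:<12} {name:<12} open: {ports}")
```

Every host in the parsed output was at least probed, which is the minimum list to check against the security event logs on those machines; hosts with open ports are where to look for the follow-on logons the third post describes.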
 
Thanks for the info guys - much appreciated.

Just so that you know, the idea was to find out what had been accessed in the past. We know 1 server had been "targeted", but needed to give some level of assurance that the other servers on the same physical, but different logical network had not.

The server in question had already been removed from the internet connection, so the firewall is not an issue. We are now going to pass e-mail & internet access through the corporate e-mail system and related firewalls.

Thanks again,

Andrew
 