Hello All,

Basically, the defaced web file on the victim has really been modified. Based on the timestamp, we can really confirm that the web file was changed at the time when people reported the defaced web. In other words, DNS poisoning alone should not be able to produce the same result. So can you think of any other reason?

Besides, I think we have also installed but disabled the IIS FrontPage extension. But I would like to know whether the hacker can remove particular entries in the IIS Log and Event Log? Can he/she remove entries of a particular time zone?

Thanks.
Ricci

-----Original Message-----
From: Blurred Vision [mailto:blurred_visi0nat_private]
Sent: Tuesday, September 11, 2001 1:49 PM
To: FORENSICSat_private
Cc: ricciat_private
Subject: re: Special case in investigation

Ricci,

Could it have been a nameserver compromise? They may have modified the zone file, and replaced it. It would certainly explain the total lack of evidence... and also the 'round' number you reported the server was 'defaced' for. 15 minutes could well be the nameserver TTL etc...

my thoughts anyway...

BluRRed

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

This archive was generated by hypermail 2b30 : Fri Sep 14 2001 - 12:19:20 PDT