RE: Special case in investigation

From: jswoffordat_private
Date: Fri Sep 14 2001 - 12:55:09 PDT

    The IIS logs are just plain text files, so removal of entries is easy.
    Removal of Eventlog information is tougher but there are tools available on
    the Internet to do this. Does anyone remember their names?  If there was
    this level of penetration you may also have a root kit installed, and
    therefore, the facts may be there but the tools are lying to you.  Have you
    tried examining the disk and files with tools from a good (non-suspect)
    source?
    
    Jay Swofford
    
    
    -----Original Message-----
    From: Ricci @ ismart [mailto:ricciat_private] 
    Sent: Thursday, September 13, 2001 7:24 PM
    To: 'Blurred Vision'; 'FORENSICSat_private'
    Subject: RE: Special case in investigation
    
    
    Hello All,
    
    	Basically, the defaced web file on the victim has really been
    modified. Based on the timestamp, we really can confirm that the web file
    was changed at the time when people reported the defaced web.
    
    	In other words, DNS poisoning alone should not be able to produce the
    same result. So can you think of any other reason? Besides, I think we have
    also installed but disabled the IIS FrontPage extensions.
    
    	But, I would like to know whether the hacker can remove particular
    entries in the IIS log and the Event Log. Can he/she remove entries for a
    particular time zone?
    
    	Thanks.
    
    Ricci
    
    -----Original Message-----
    From: Blurred Vision [mailto:blurred_visi0nat_private]
    Sent: Tuesday, September 11, 2001 1:49 PM
    To: FORENSICSat_private
    Cc: ricciat_private
    Subject: re: Special case in investigation
    
    
    Ricci,
      Could it have been a nameserver compromise? They may
    have modified the zone file, and replaced it.  It
    would certainly explain the total lack of evidence...
    and also the 'round' number you reported the server
    was 'defaced' for. 15 minutes could well be the
    nameserver TTL etc...
    
    my thoughts anyway...
    
    BluRRed
    
    
    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service. For more
    information on this free incident handling, management and tracking system
    please see: http://aris.securityfocus.com
    
    
    
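The thread's two practical questions (can a time window be cut out of a plain-text IIS log, and how do you notice it when the host's own tools are suspect) are easiest to answer by checking the log from a clean system. The script below is an added illustration, not code from this list or any of its posters: it parses W3C extended IIS log lines, flags unusually long silences and entries whose time runs backwards, and diffs the host copy against a second copy assumed to have been shipped off the host before the incident (a log forwarder, a nightly copy, a proxy's log). All log lines, IP addresses and the "off-host copy" are constructed for the example; on a real case you would run it against a copy of the log taken from a disk image, with a Python interpreter that did not come from the compromised machine.

```python
"""Audit a W3C-format IIS log for a removed time window.

Constructed example: HOST_LOG is the log as found on the victim, with the
lines between 19:06 and 19:19 removed; OFFHOST_LOG is the same log as it
was copied off the host before the incident.  Neither is a real log.
"""
from datetime import datetime, timedelta

OFFHOST_LOG = """#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-09-13 19:00:10
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2001-09-13 19:00:10 192.0.2.10 GET /index.htm 200
2001-09-13 19:02:30 192.0.2.11 GET /images/logo.gif 200
2001-09-13 19:04:45 192.0.2.12 GET /index.htm 200
2001-09-13 19:06:02 192.0.2.13 GET /index.htm 200
2001-09-13 19:08:15 192.0.2.14 GET /index.htm 200
2001-09-13 19:11:40 192.0.2.15 GET /about.htm 200
2001-09-13 19:15:20 192.0.2.16 GET /index.htm 200
2001-09-13 19:19:05 192.0.2.17 GET /index.htm 200
2001-09-13 19:21:33 192.0.2.18 GET /index.htm 200
2001-09-13 19:23:50 192.0.2.19 GET /contact.htm 200
"""

# Same log as recovered from the host: five lines in a ~15-minute window are gone.
HOST_LOG = """#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-09-13 19:00:10
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2001-09-13 19:00:10 192.0.2.10 GET /index.htm 200
2001-09-13 19:02:30 192.0.2.11 GET /images/logo.gif 200
2001-09-13 19:04:45 192.0.2.12 GET /index.htm 200
2001-09-13 19:21:33 192.0.2.18 GET /index.htm 200
2001-09-13 19:23:50 192.0.2.19 GET /contact.htm 200
"""


def parse_w3c(text):
    """Return [(timestamp, raw_line)] for every data line, using the #Fields header."""
    fields, entries = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue                      # #Software, #Version, #Date directives
        if fields is None:
            raise ValueError("data line before #Fields header")
        rec = dict(zip(fields, line.split()))
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        entries.append((ts, line))
    return entries


def find_gaps(entries, max_gap):
    """Silences longer than max_gap, and places where time runs backwards
    (a sign of lines being re-inserted or the file being rewritten)."""
    gaps, backwards = [], []
    for (t0, _), (t1, _) in zip(entries, entries[1:]):
        if t1 < t0:
            backwards.append((t0, t1))
        elif t1 - t0 > max_gap:
            gaps.append((t0, t1))
    return gaps, backwards


def missing_from_host(host_entries, offhost_entries):
    """Lines the off-host copy has but the host log lacks (exact-line comparison)."""
    host_lines = {line for _, line in host_entries}
    return [line for _, line in offhost_entries if line not in host_lines]


def audit(host_text, offhost_text, max_gap=timedelta(minutes=5)):
    """Run both checks; max_gap should be tuned to the site's normal request rate."""
    host = parse_w3c(host_text)
    gaps, backwards = find_gaps(host, max_gap)
    return {
        "gaps": gaps,
        "backwards": backwards,
        "missing": missing_from_host(host, parse_w3c(offhost_text)),
    }


if __name__ == "__main__":
    result = audit(HOST_LOG, OFFHOST_LOG)
    for t0, t1 in result["gaps"]:
        print(f"silence from {t0} to {t1} ({t1 - t0})")
    for line in result["missing"]:
        print("missing on host:", line)
```

The gap check only works when the server is busy enough that a 15-minute silence is abnormal, which is why the threshold is a parameter; the comparison against an off-host copy is the stronger check, and it is only as good as the copy having been taken before the intruder could touch it.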



    This archive was generated by hypermail 2b30 : Sun Sep 16 2001 - 22:59:52 PDT