Hello Antonio,

If even the IIS log cannot be used as digital evidence, then what else can I use as digital evidence to confirm the hacker attack? (If I only have an IDS and a firewall with me.)

Thanks.

Ricci

-----Original Message-----
From: António Mateus [mailto:amateusat_private]
Sent: Monday, September 17, 2001 4:05 AM
To: FORENSICSat_private
Subject: Re: RE: Special case in investigation

Hi,

Straight answer: Yes, a hacker _can_ delete specific entries in a log file, _IF_ he has permissions to do that!

Let's see an example: I found a server that has the unicode bug. I play around a while. All my requests are logged on the server. I wait for the change of the logfile (I cannot change it because it's in use) and then delete it, if I have permissions.

Other example: With the unicode bug I successfully upload and execute a trojan (for example one that gives me a remote shell). I now have system permissions (same as the IIS account) and then change the logfile (I do not delete it) and replace my IP by, let's say, the IP of the webserver ;).

Or another one. The point is: if the hacker has _permissions_, then he could change the logs. If he exploits a bug that gives him a shell with system or administrator permissions, then he will definitely change the logs.

António Mateus

> Hello All,
>
> Basically, the defaced web file on the victim has really got modified.
> Based on the timestamp, we really can confirm that the web file has been
> changed at the time when people reported the defaced web.
>
> In other words, DNS poisoning alone should not be able to provide the same
> result. So can you think of any other reason? Besides, I think we have also
> installed but disabled the IIS FrontPage extension.
>
> But I would like to know whether the hacker can remove particular entries
> in the IIS Log and Event Log? Can he/she remove entries of a particular time zone?
>
> Thanks.
>
> Ricci
>
> -----Original Message-----
> From: Blurred Vision [mailto:blurred_visi0nat_private]
> Sent: Tuesday, September 11, 2001 1:49 PM
> To: FORENSICSat_private
> Cc: ricciat_private
> Subject: re: Special case in investigation
>
>
> Ricci,
> Could it have been a nameserver compromise? They may
> have modified the zone file, and replaced it. It
> would certainly explain the total lack of evidence...
> and also the 'round' number you reported the server
> was 'defaced' for. 15 minutes could well be the
> nameserver TTL etc...
>
> my thoughts anyway...
>
> BluRRed
>
> -----------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
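As an added example that is not part of the thread, here is a defender-side check in Python for the kind of tampering António describes: it parses constructed IIS W3C extended log lines, flags entries whose client IP has been rewritten to the server's own address or whose timestamps run backwards (a sequentially written log never does that), and computes a digest to compare against a copy of the log kept off the server. The sample log, its field list and the function names are constructed for this example; only the W3C field names (date, time, c-ip, s-ip) are IIS's own.

```python
import hashlib
from datetime import datetime

# Constructed sample of an IIS W3C extended log (not from the original thread).
# Line 3 shows the substitution António describes: the client IP has been
# rewritten to the server's own address. Line 4 is out of time order, which a
# log written sequentially by IIS never produces on its own.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-09-11 13:00:00
#Fields: date time c-ip cs-method cs-uri-stem sc-status s-ip
2001-09-11 13:00:05 198.51.100.7 GET /default.htm 200 192.0.2.10
2001-09-11 13:00:09 198.51.100.7 GET /images/logo.gif 200 192.0.2.10
2001-09-11 13:02:41 192.0.2.10 GET /default.htm 200 192.0.2.10
2001-09-11 13:01:30 198.51.100.7 GET /default.htm 200 192.0.2.10
"""


def parse_w3c(text):
    """Return one dict per data line, keyed by the names in the #Fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split())))
    return rows


def audit_iis_log(text):
    """Return (entry number, reason) for rows inconsistent with a log IIS wrote itself."""
    findings = []
    prev = None
    for n, row in enumerate(parse_w3c(text), start=1):
        ts = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
        if row["c-ip"] == row["s-ip"]:
            findings.append((n, "client IP equals server IP"))
        if prev is not None and ts < prev:
            findings.append((n, "timestamp earlier than previous entry"))
        prev = ts
    return findings


def log_digest(text):
    """SHA-256 of the log copy shipped off-host; recompute on the server copy to detect edits."""
    return hashlib.sha256(text.encode()).hexdigest()
```

Neither check proves the log is intact, but a mismatch between the off-host digest and the server copy, or an entry that fails either test, is evidence that the file was altered after IIS wrote it.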
This archive was generated by hypermail 2b30 : Mon Sep 17 2001 - 11:06:03 PDT