RE: RE: Special case in investigation

From: jswoffordat_private
Date: Mon Sep 17 2001 - 11:15:10 PDT


    You can use a tool such as WinHex or some other disk hex reader to search
    slack space and unused areas of the disk for "tracks".  A lot of this is
    educated guesswork, intuition and knowledge of your own system.  For
    instance, if you know certain strings that appeared in the defaced page, you
    can search the disk for those strings.  Their presence might be next to more
    evidence about the hacker and its methods.  WinHex is available at
    http://download.cnet.com/downloads/0-4003619-100-6535814.html.  The save
    option is limited until you register, but it works great for quick searches
    of a disk, RAM, etc. One hint is to search the physical disk as well as the
    logical disk.
    
    Also, have you searched the disk for files modified at the same time as the
    attack in any location?
    
    Jay Swofford
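    The two searches described above (raw-disk string search that also covers
    slack and unallocated space, and a sweep for files modified around the
    attack time) as an added Python example. This is not code from the thread
    or from WinHex; the "disk image", the strings, the file names and the
    attack time are all constructed for illustration.

```python
"""Forensic triage helpers, added example (not from the thread or WinHex):
1) search a raw disk image byte-for-byte, so slack space and deleted data are
   covered, for strings known to appear in the defaced page;
2) list files whose modification time falls inside a window around the attack.
All sample data below is constructed."""
import os
import tempfile
from datetime import datetime, timedelta, timezone


def scan_image(path, needles, chunk_size=1 << 20):
    """Return {needle: [absolute byte offsets]} for every occurrence of each
    needle in the raw file at `path`. Chunks overlap by len(longest) - 1 bytes
    so a hit straddling a chunk boundary is still found, and each hit is
    recorded exactly once."""
    needles = list(needles)
    overlap = max(len(n) for n in needles) - 1
    if chunk_size <= overlap:
        raise ValueError("chunk_size must exceed the longest needle")
    hits = {n: [] for n in needles}
    base = 0          # absolute offset of buf[0] in the image
    buf = b""
    with open(path, "rb") as f:
        while True:
            data = f.read(chunk_size)
            if not data:
                break
            buf += data
            # Hits starting in the last `overlap` bytes wait for more data.
            limit = max(len(buf) - overlap, 0)
            for n in needles:
                i = buf.find(n)
                while i != -1 and i < limit:
                    hits[n].append(base + i)
                    i = buf.find(n, i + 1)
            base += limit
            buf = buf[limit:]
    # End of image: whatever is left has not been searched yet.
    for n in needles:
        i = buf.find(n)
        while i != -1:
            hits[n].append(base + i)
            i = buf.find(n, i + 1)
    return hits


def files_modified_between(root, start, end):
    """Walk `root` and return sorted relative paths (with '/' separators) of
    files whose mtime lies in [start, end]; `start`/`end` are aware datetimes.
    Only files whose timestamps were not altered afterwards will show up."""
    lo, hi = start.timestamp(), end.timestamp()
    found = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if lo <= os.stat(full).st_mtime <= hi:
                found.append(os.path.relpath(full, root).replace(os.sep, "/"))
    return sorted(found)


def build_sample_image(path):
    """Constructed 'disk image': a live page padded to one 4 KiB cluster, then
    a region that mimics unallocated space still holding fragments of a
    deleted defaced page."""
    live = b"<html><title>Welcome</title></html>".ljust(4096, b"\x00")
    deleted = (b"<html><title>Site Defaced</title>"
               b"<!-- defaced-page marker --></html>")
    unalloc = (b"\x00" * 1000 + deleted + b"\x00" * 2000
               + b"defaced-page marker" + b"\xff" * 500)
    with open(path, "wb") as f:
        f.write(live + unalloc)


def build_sample_tree(root, attack):
    """Constructed web root: one page touched at the attack time, one untouched
    for days, plus a stray file written seconds after the attack."""
    plan = {
        "wwwroot/default.htm": attack,
        "wwwroot/about.htm": attack - timedelta(days=5),
        "temp/unknown_upload.txt": attack + timedelta(seconds=30),
    }
    for rel, when in plan.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as f:
            f.write("constructed sample\n")
        os.utime(full, (when.timestamp(), when.timestamp()))


def demo():
    """Run both searches on the constructed data; returns (hits, modified)."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "disk.img")
        build_sample_image(image)
        # Small chunk size on purpose, to exercise the overlap handling.
        hits = scan_image(image, [b"Site Defaced", b"defaced-page marker",
                                  b"Welcome"], chunk_size=1024)
        attack = datetime(2001, 9, 16, 22, 0, tzinfo=timezone.utc)   # constructed
        root = os.path.join(tmp, "volume")
        build_sample_tree(root, attack)
        modified = files_modified_between(root, attack - timedelta(minutes=10),
                                          attack + timedelta(minutes=10))
    return hits, modified


if __name__ == "__main__":
    for needle, offsets in demo()[0].items():
        print(needle, offsets)
    print(demo()[1])
```

    Run the first function against a read-only forensic copy of the physical
    disk (for example a dd image) rather than the live volume; reading the
    image sequentially is what makes it equivalent to searching the "physical
    disk" rather than the logical one. The mtime sweep is only a lead: an
    attacker with enough privilege can reset timestamps, so absence of hits in
    the window proves nothing.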
    
    
    -----Original Message-----
    From: Ricci @ ismart [mailto:ricciat_private] 
    Sent: Sunday, September 16, 2001 11:36 PM
    To: 'António Mateus'; FORENSICSat_private
    Subject: RE: RE: Special case in investigation
    Importance: High
    
    
    Hello Antonio,
    
    	If even the IIS log cannot be used as the digital evidence, then what
    else can I use as the digital evidence for confirming the hacker attack?
    (if I only have IDS and firewall with me)
    
    	Thanks.
    
    Ricci
    
    -----Original Message-----
    From: António Mateus [mailto:amateusat_private]
    Sent: Monday, September 17, 2001 4:05 AM
    To: FORENSICSat_private
    Subject: Re: RE: Special case in investigation
    
    
    Hi,
    
    Straight answer: Yes, a hacker _can_ delete specific entries in a log file,
    _IF_ he had permissions to do that!
    
    Let's see an example:
    I found a server that has the Unicode bug. I play around a while. All my
    requests are logged in the server. I wait for the change of the logfile (I
    cannot change it because it's in use) and then delete it, if I have
    permissions. Other example: With the Unicode bug I successfully upload and
    execute a trojan (for example one that gives me remote shell). I now have
    system permissions (same as IIS account) and then change the logfile (I do
    not delete) and replace my IP by, let's say, the IP of the webserver ;). Or
    other one. The point is: if the hacker has _permissions_, then he could
    change the logs. If he exploits a bug that gives him a shell with system or
    administrator permissions, then he will definitely change the logs.
    
    António Mateus
    
    > Hello All,
    >
    >	Basically, the defaced web file on the victim has really been modified.
    > Based on the timestamp, we really can confirm that the web file has been
    > changed at the time when people reported the defaced web.
    >
    >	In other words, DNS poisoning alone should not be able to provide the
    > same result. So can you think of any other reason? Besides, I think we have
    > also installed but disabled the IIS FrontPage extension.
    >
    >	But, I would like to know whether the hacker can remove particular
    > entries in the IIS Log and Event Log? Can he/she remove entries of a
    > particular time zone?
    >
    >	Thanks.
    >
    > Ricci
    >
    > -----Original Message-----
    > From: Blurred Vision [mailto:blurred_visi0nat_private]
    > Sent: Tuesday, September 11, 2001 1:49 PM
    > To: FORENSICSat_private
    > Cc: ricciat_private
    > Subject: re: Special case in investigation
    >
    >
    > Ricci,
    >   Could it have been a nameserver compromise? They may
    > have modified the zone file, and replaced it.  It
    > would certainly explain the total lack of evidence...
    > and also the 'round' number you reported the server
    > was 'defaced' for. 15 minutes could well be the
    > nameserver TTL etc...
    >
    > my thoughts anyway...
    >
    > BluRRed
    >
    > http://travel.yahoo.com.au - Yahoo! Travel
    > - Got Itchy feet? Get inspired!
    >
    > -----------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service. For 
    > more information on this free incident handling, management and 
    > tracking system please see: http://aris.securityfocus.com
    >
    >
    --
    Create your free email at mail.pt
    http://www.mail.pt
    
    



    This archive was generated by hypermail 2b30 : Tue Sep 18 2001 - 08:10:58 PDT