It depends on the volume of your site, but have you checked for periods *without* entries... on a moderate volume site this would be likely to indicate block removal of entries. Of course if you only get a couple of hundred hits a day then that's not going to tell you anything.

Tom

> -----Original Message-----
> From: Ricci @ ismart [mailto:ricciat_private]
> Sent: 17 September 2001 07:36
> To: 'António Mateus'; FORENSICSat_private
> Subject: RE: RE: Special case in investigation
> Importance: High
>
>
> Hello Antonio,
>
> If even the IIS log cannot be used as digital evidence, then what else can
> I use as digital evidence for confirming the hacker attack? (if I only
> have IDS and firewall with me)
>
> Thanks.
>
> Ricci
>
> -----Original Message-----
> From: António Mateus [mailto:amateusat_private]
> Sent: Monday, September 17, 2001 4:05 AM
> To: FORENSICSat_private
> Subject: Re: RE: Special case in investigation
>
>
> Hi,
>
> Straight answer: Yes, a hacker _can_ delete specific entries in a log file,
> _IF_ he has permissions to do that!
>
> Let's see an example:
> I found a server that has the unicode bug. I play around a while. All my
> requests are logged in the server. I wait for the change of the logfile (I
> cannot change it because it's in use) and then delete it, if I have
> permissions.
> Other example: With the unicode bug I successfully upload and execute a
> trojan (for example one that gives me a remote shell). I now have system
> permissions (same as the IIS account) and then change the logfile (I do not
> delete it) and replace my IP by, let's say, the IP of the webserver ;). Or
> another one.
> The point is: if the hacker has _permissions_, then he could change the
> logs. If he exploits a bug that gives him a shell with system or
> administrator permissions, then he will definitely change the logs.
>
> António Mateus
>
> > Hello All,
> >
> > Basically, the defaced web file on the victim has really got modified.
> > Based on the timestamp, we really can confirm that the web file has been
> > changed at the time when people reported the defaced web.
> >
> > In other words, DNS poisoning alone should not be able to provide the same
> > result. So can you think of any other reason? Besides, I think we have also
> > installed but disabled the IIS Frontpage extension.
> >
> > But, I would like to know whether the hacker can remove particular entries
> > in the IIS Log and Event Log? Can he/she remove entries of a particular time
> > zone?
> >
> > Thanks.
> >
> > Ricci
> >
> > -----Original Message-----
> > From: Blurred Vision [mailto:blurred_visi0nat_private]
> > Sent: Tuesday, September 11, 2001 1:49 PM
> > To: FORENSICSat_private
> > Cc: ricciat_private
> > Subject: re: Special case in investigation
> >
> >
> > Ricci,
> > Could it have been a nameserver compromise? They may
> > have modified the zone file, and replaced it. It
> > would certainly explain the total lack of evidence...
> > and also the 'round' number you reported the server
> > was 'defaced' for. 15 minutes could well be the
> > nameserver TTL etc...
> >
> > my thoughts anyway...
> >
> > BluRRed
> >
> > http://travel.yahoo.com.au - Yahoo! Travel
> > - Got Itchy feet? Get inspired!
> >
> > -----------------------------------------------------------------
> > This list is provided by the SecurityFocus ARIS analyzer service.
> > For more information on this free incident handling, management
> > and tracking system please see: http://aris.securityfocus.com
>
> --
> Create your free email at mail.pt
> http://www.mail.pt
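Tom's suggestion (look for stretches of the web log with no entries at all) and the two tampering scenarios António describes (entries deleted, or the client address rewritten to the server's own) can be turned into a quick triage script. The example below is added here and is not code from anyone in the thread; the IIS W3C extended log lines are constructed, the server address 198.51.100.5 is a documentation-range placeholder, and the gap thresholds (5x the median inter-arrival time and at least 15 minutes) are assumptions to tune to the site's own volume, exactly as Tom's caveat about low-traffic sites implies.

```python
"""Triage an IIS W3C extended log for silent windows, timestamp regressions
and requests that claim to come from the server itself.

Added example, not from the original thread. SAMPLE_LOG is constructed,
SERVER_IPS is a placeholder, and the thresholds in find_gaps are assumptions."""
import statistics
from datetime import datetime, timedelta

# Constructed sample: a hit every few minutes, a 45-minute hole before
# 13:03:55, and one request whose c-ip is the server's own address.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-09-10 12:00:00
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2001-09-10 12:00:05 192.0.2.10 GET /index.htm 200
2001-09-10 12:04:11 192.0.2.11 GET /images/logo.gif 200
2001-09-10 12:09:47 192.0.2.12 GET /news.htm 200
2001-09-10 12:13:02 192.0.2.10 GET /index.htm 304
2001-09-10 12:18:30 192.0.2.13 GET /contact.htm 200
2001-09-10 13:03:55 192.0.2.14 GET /index.htm 200
2001-09-10 13:08:12 198.51.100.5 GET /news.htm 200
2001-09-10 13:12:40 192.0.2.15 GET /index.htm 200
"""

SERVER_IPS = {"198.51.100.5"}  # placeholder for the web server's own address(es)


def parse_iis_log(text):
    """Parse W3C extended log text into a list of (timestamp, record) tuples.

    Column positions are taken from the #Fields directive rather than being
    hardcoded, so the parser follows whatever field set IIS was told to write."""
    fields = None
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"malformed line: {line!r}")
        rec = dict(zip(fields, values))
        ts = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        entries.append((ts, rec))
    return entries


def find_out_of_order(entries):
    """Return (earlier, later) pairs where the timestamp goes backwards.

    IIS appends in time order, so a regression hints at a hand-edited file."""
    times = [ts for ts, _ in entries]
    return [(a, b) for a, b in zip(times, times[1:]) if b < a]


def find_gaps(entries, factor=5.0, min_gap=timedelta(minutes=15)):
    """Return (start, end, seconds) for silent periods exceeding both min_gap
    and `factor` times the median inter-arrival time.

    The median keeps one large hole from inflating the baseline; the absolute
    floor stops a low-volume site from flagging its ordinary quiet spells."""
    times = [ts for ts, _ in entries]
    deltas = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(deltas) < 2:
        return []
    median = statistics.median(deltas)
    return [
        (a, b, d)
        for a, b, d in zip(times, times[1:], deltas)
        if d > factor * median and d >= min_gap.total_seconds()
    ]


def find_server_as_client(entries, server_ips=SERVER_IPS):
    """Return records whose c-ip is one of the server's own addresses."""
    return [rec for _, rec in entries if rec.get("c-ip") in server_ips]


def report(text=SAMPLE_LOG):
    entries = parse_iis_log(text)
    for a, b in find_out_of_order(entries):
        print(f"timestamp regression: {a} -> {b}")
    for a, b, d in find_gaps(entries):
        print(f"silent for {d / 60:.0f} min between {a} and {b}")
    for rec in find_server_as_client(entries):
        print(f"server address as client: {rec['date']} {rec['time']} {rec['cs-uri-stem']}")


if __name__ == "__main__":
    report()
```

On the constructed sample this reports the 45-minute hole between 12:18:30 and 13:03:55 and the single request attributed to the server's own address. A flagged gap is only a lead, not proof: compare it against the IDS and firewall records Ricci mentions, since those sit outside the compromised host and are not subject to the same edit.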
This archive was generated by hypermail 2b30 : Tue Sep 18 2001 - 08:11:18 PDT