Jared,

> Does anyone know of any good tools that can be used
> on an NT 4.0 box to
> (help) diagnose a system compromise? I've been
> playing around with inzider with limited results.

Sure, there are a couple of things you can do.

If you *suspect* that the system is compromised, I would suggest that you run 'netstat -an', fport.exe (FoundStone), handle.exe (SysInternals), pslist.exe (SysInternals), and listdlls.exe (SysInternals) on the system. If you don't have physical access, but do have network access to the box, you can use psexec.exe to run the tools.

Once this is done, and you've captured log files of each command by redirecting the output of those commands to files, go to http://patriot.net/~carvdawg/perl.html and get pd.zip, which is under Procdmp.pl. The archive contains a standalone executable that parses through the 5 log files you created and consolidates all of the information into an HTML file...an example of such output can be seen here:

http://patriot.net/~carvdawg/pd.html

This will help you identify errant processes. If you do find something suspicious, then check log files...IIS, FTP, EventLogs, etc.

If you need any help or have any questions about anything I've said, drop me a line.

Carv

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
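The consolidation step Carv describes (capture each tool's output to a file, then join the files into one report that makes errant processes stand out) is simple enough to show end to end. The script below is an added example, not Procdmp.pl or the pd.zip executable from the post, and it is written in Python rather than Perl. It joins three of the five captures: `netstat -an`, fport and pslist. The sample captures are constructed; netstat's layout is the real NT one, while the fport and pslist column layouts are approximations of what those tools print and should be treated as assumptions. The "trusted root" check (flag any listener whose image lives outside the system directory) is my own triage heuristic, not something the post prescribes.

```python
"""Consolidate netstat -an, fport and pslist captures into one triage report.

Added example, not the Procdmp.pl tool from the post. Sample captures are
constructed; the fport and pslist column layouts are assumptions.
"""
import re
from html import escape
from typing import Dict, List, Tuple

# --- constructed sample captures (what you would redirect to files) ---------
NETSTAT_LOG = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       192.168.1.55:1044      ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

FPORT_LOG = """\
FPort v2.0 - TCP/IP Process to Port Mapper

Pid   Process            Port  Proto Path
392   svchost        ->  135   TCP   C:\\WINNT\\system32\\svchost.exe
8     System         ->  139   TCP
8     System         ->  137   UDP
1204  svc32          ->  31337 TCP   C:\\TEMP\\svc32.exe
"""

PSLIST_LOG = """\
Name                Pid Pri Thd  Hnd   Priv        CPU Time    Elapsed Time
System                8   8  36  193      0     0:00:12.031     2:10:33.421
svchost             392   8   9  189   1564     0:00:00.750     2:10:20.112
svc32              1204   8   1   23    312     0:00:00.015     0:04:11.009
"""

TRUSTED_ROOT = "C:\\WINNT\\"   # assumption: the NT 4 system root on this box


def parse_netstat(text: str) -> List[Dict[str, str]]:
    """One dict per socket line: proto, local port, state ('' for UDP)."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] in ("TCP", "UDP"):
            port = parts[1].rsplit(":", 1)[1]
            state = parts[3] if len(parts) > 3 else ""
            rows.append({"proto": parts[0], "port": port, "state": state})
    return rows


FPORT_RE = re.compile(r"^(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\s*(.*)$")


def parse_fport(text: str) -> Dict[Tuple[str, str], Dict[str, str]]:
    """Map (proto, port) -> {pid, process, path}; header/banner lines skipped."""
    mapping = {}
    for line in text.splitlines():
        m = FPORT_RE.match(line.strip())
        if m:
            pid, proc, port, proto, path = m.groups()
            mapping[(proto, port)] = {"pid": pid, "process": proc, "path": path.strip()}
    return mapping


def parse_pslist(text: str) -> Dict[str, str]:
    """Map pid -> elapsed (wall-clock) time; a very young listener is worth a look."""
    elapsed = {}
    for line in text.splitlines()[1:]:          # first line is the column header
        parts = line.split()
        if len(parts) >= 8 and parts[1].isdigit():
            elapsed[parts[1]] = parts[-1]
    return elapsed


def consolidate(netstat: str, fport: str, pslist: str) -> List[Dict]:
    """Join the three captures on port/pid; one row per listening socket."""
    owners = parse_fport(fport)
    uptime = parse_pslist(pslist)
    report = []
    for sock in parse_netstat(netstat):
        if sock["proto"] == "TCP" and sock["state"] != "LISTENING":
            continue                            # only listeners are triaged here
        row = {**sock, "pid": "?", "process": "?", "path": "", "elapsed": "?", "flags": []}
        owner = owners.get((sock["proto"], sock["port"]))
        if owner is None:
            row["flags"].append("no process mapped by fport")
        else:
            row.update(owner)
            row["elapsed"] = uptime.get(owner["pid"], "?")
            if owner["path"] and not owner["path"].upper().startswith(TRUSTED_ROOT.upper()):
                row["flags"].append("image outside system root")
        report.append(row)
    return report


def render_html(report: List[Dict]) -> str:
    """Minimal HTML table in the spirit of pd.html; flags land in the last column."""
    cols = ["proto", "port", "pid", "process", "path", "elapsed"]
    out = ["<table border=1>",
           "<tr>" + "".join(f"<th>{c}</th>" for c in cols) + "<th>flags</th></tr>"]
    for r in report:
        out.append("<tr>" + "".join(f"<td>{escape(str(r[c]))}</td>" for c in cols)
                   + f"<td>{escape('; '.join(r['flags']))}</td></tr>")
    out.append("</table>")
    return "\n".join(out)


if __name__ == "__main__":
    print(render_html(consolidate(NETSTAT_LOG, FPORT_LOG, PSLIST_LOG)))
```

On real captures, read the three files in place of the constants; handle.exe and listdlls.exe output can be joined the same way on pid, which is what turns "port 31337 is open" into "pid 1204, image in C:\TEMP, four minutes old" and points you at the IIS, FTP and event logs for that window.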
This archive was generated by hypermail 2b30 : Mon Jul 22 2002 - 10:44:18 PDT