Re: Determining Trojans, File & Print Sharing, Services running remotely on W2K

From: Eric (ewsat_private)
Date: Mon May 13 2002 - 12:22:34 PDT

Next message: Dustin Trammell: "RE: Arp spoofing & dsniff"

Previous message: Parth Galen: "bd - Win2k backdoor"
In reply to: Jason: "Determining Trojans, File & Print Sharing, Services running remotely on W2K"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

I wrote a script that does most of this - it's very easy to customize to 
add additional checks:

(it doesn't check specifically for AV - but you could add a module on this, 
or review the running processes or services on the system, which is 
included in the output.)

http://online.securityfocus.com/data/tools/nt_audit_script12.zip

(thanks to Patrick Heim who wrote portions of this script)


At 11:03 PM 5/9/2002 +0000, Jason wrote:


>I will be performing a workstation audit on 300 W2k
>workstations across the network.
>
>I need to scan to see:
>1. If there are any trojans running on these hosts.
>2. Whether shares are activated on these hosts.
>3. Whether anti-virus is installed.
>
>I will have domain administrator rights and all
>workstations are in the windows NT 4.0 domain.
>
>What tools do people recommend for performing each of these
>steps? I will be scanning for workstations within a
>specific IP range.
>
>For Trojan Scanning I have seen tools like TFAK. But I am
>not sure how good it is and I know it can't be run on a
>block of IP's.
>
>For determining whether shares are activated maybe I could
>use something like Legion ?
>
>For determining whether anti-virus is installed I need a
>tool that can dump a list of services running on a remote
>host for a block of IP addresses.
>
>Any help appreciated.
>
>
>----------------------------------------------------------------------------
>This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
>Service. For more information on SecurityFocus' SIA service which
>automatically alerts you to the latest security vulnerabilities please see:
>https://alerts.securityfocus.com/


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

Next message: Dustin Trammell: "RE: Arp spoofing & dsniff"
Previous message: Parth Galen: "bd - Win2k backdoor"
In reply to: Jason: "Determining Trojans, File & Print Sharing, Services running remotely on W2K"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon May 13 2002 - 13:23:08 PDT