Jay
A friend of mine was running a Windows 2000 server with IIS enabled and was informed it was using too much bandwidth and was believed to be hacked. He has asked me to run an audit. It has been taken offline now. I don't know anything re IIS log files etc., so any tips would help, but here's what I came up with. Am I missing anything??

1 FPORT to map every open TCP and UDP port to a running executable.

2 Netstat -an to retrieve the connected IP addresses and opened port info. As it's offline, not going to gain anything??

3 Nbtstat -c. Not much help as it's offline.

4 PSLIST List processes on the machine.

5 Dir /a /t:a /o:d /s c:\ The /a switch will list all files including hidden ones. The /t switch tells dir which time stamps you want to see. The /o:d switch tells the command you want it sorted by date.

6 NTLAST checks the logon and logoff events and tells you when they were executed.

7 DUMPEL. Retrieving the event logs.

8 REGDMP, which comes with the NT/2000 resource kit, for dumping the registry into readable format.

This is going to be my first audit, so I will post later how I got on and the problems I faced.
w00dy
It is also recommended to audit user accounts and always audit both Success and Failures of Account Management. This enables you to see if someone has created an account for themselves, or tried to. Also audit logons. Looking for a success at an odd time, or a large amount of failures, will show if someone is trying to connect that shouldn't be. A hack through IIS doesn't let you do too much that would increase bandwidth that much, until you are able to logon to the server. These are more efficient if done prior to getting hacked though.
dissolutions
Netstat can be hacked...
GSecur
Good start.... But the actual first place I would start is with the http logs. Default location: C:\winnt\LogFiles\W3SVC1

Now you could look through them manually, but that would take forever. So load them up into Webalizer, which is free and does have a Windows distro (I believe).

After the report has run, you can view which IP address requested the most by KB. Here you can determine if there was an abnormal spike, which would be a dead giveaway.

I'll think of some more in a bit. Keep me posted on progress and I'll give you some tips.
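The log triage GSecur describes, as an added example that is not code from any poster in this thread: a Python script that parses IIS W3C extended logs (the files under the W3SVC1 folder), totals sc-bytes per client address and flags any client far above the median, so a bandwidth spike stands out without a report tool. The log content is constructed for the example; the field list and threshold ratio are assumptions, since the thread names neither.

```python
from collections import defaultdict

# Constructed sample in IIS W3C Extended format (not from a real server).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2005-03-01 00:00:00
#Fields: date time c-ip cs-method cs-uri-stem sc-status sc-bytes
2005-03-01 08:12:01 192.0.2.10 GET /default.htm 200 4120
2005-03-01 08:12:05 192.0.2.10 GET /images/logo.gif 200 2048
2005-03-01 09:30:44 198.51.100.7 GET /pub/movie.avi 200 734003200
2005-03-01 09:31:10 198.51.100.7 GET /pub/movie2.avi 200 698000000
2005-03-01 10:02:13 203.0.113.5 GET /default.htm 200 4120
2005-03-01 10:05:22 203.0.113.5 GET /missing.htm 404 -
"""

def parse_w3c(text):
    """Yield one dict per request line, naming columns from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
            continue            # other directives carry no request data
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue            # skip header-less or garbled lines rather than mis-assign columns
        yield dict(zip(fields, values))

def bytes_by_client(text):
    """Total sc-bytes per c-ip; '-' (size not recorded) counts as 0."""
    totals = defaultdict(int)
    for rec in parse_w3c(text):
        size = rec.get("sc-bytes", "-")
        totals[rec["c-ip"]] += int(size) if size.isdigit() else 0
    return dict(totals)

def heavy_hitters(totals, ratio=10.0):
    """Clients whose traffic exceeds `ratio` times the median client's traffic."""
    if not totals:
        return []
    ordered = sorted(totals.values())
    median = ordered[len(ordered) // 2]
    return sorted(ip for ip, b in totals.items() if b > ratio * max(median, 1))

if __name__ == "__main__":
    totals = bytes_by_client(SAMPLE_LOG)
    for ip, b in sorted(totals.items(), key=lambda kv: -kv[1]):
        print(f"{ip:16} {b / 1024:12.0f} KB")
    print("abnormal:", heavy_hitters(totals))
```

Point it at a real log by reading the ex*.log file into the text argument; if the server logged in a different format (IIS or NCSA), the #Fields header will be absent and the parser yields nothing, so check the header first.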
Invision Power Board © 2001-2005 Invision Power Services, Inc.