Auditing Windows 2000 Procedure

#1 Guest_Jay_*

  • Group: Guests

Posted 24 June 2003 - 12:58 PM

A friend of mine was running a Windows 2000 server with IIS enabled and was informed it was using too much bandwidth and was believed to be hacked. He has asked me to run an audit. It has been taken offline now. I don't know anything re IIS log files etc., so any tips would help, but here's what I came up with. Am I missing anything?

1 FPORT
To map every open TCP and UDP port to a running executable.

2 Netstat -an to retrieve the connected IP addresses and opened port info. As it's offline, not going to gain anything?

3 Nbtstat -c Not much help as it's offline.

4 PSLIST List processes on the machine.

5 Dir /a /t:a /o:d /s c:\ The /a switch will list all files including hidden ones. The /t switch tells dir which time stamps you want to see. The /o:d switch tells the command you want it to be sorted by date.

6 NTLAST Checks the logon and log-off events and tells you when they were executed.

7 DUMPEL.
Retrieving the event logs.

8 REGDMP which comes with the NT/2000 resource kit for dumping the registry into readable format.

This is going to be my first audit so I will post later how I got on and the problems I faced. :blink:

#2 User is offline   Jeremy 

  • Commander in Chief
  • Icon
  • Group: Admin
  • Posts: 2,345
  • Joined: 14-May 03

Posted 24 June 2003 - 01:18 PM

It is also recommended to audit user accounts and always audit both Success and Failures of Account Management. This enables you to see if someone has created an account for themselves, or tried to. Also audit logons. Looking for a success at an odd time, or a large amount of failures, will show if someone is trying to connect that shouldn't be. A hack through IIS doesn't let you do too much that would increase bandwidth that much, until you are able to logon to the server. These are more efficient if done prior to getting hacked though.
Your time is limited, so don't waste it living someone else's life. Don't be trapped by dogma - which is living with the results of other people's thinking. Don't let the noise of others' opinions drown out your own inner voice. And most important, have the courage to follow your heart and intuition. They somehow already know what you truly want to become. Everything else is secondary.
~Steve Jobs

Jeremy aka w00dy aka foadah

#3 User is offline   Travis 

  • Specialist
  • Icon
  • Group: Specialist
  • Posts: 2,101
  • Joined: 26-February 03

Posted 24 June 2003 - 04:54 PM

Netstat can be hacked...

#4 User is offline   Blake 

  • Former Commander In Chief
  • Icon
  • Group: Retired General
  • Posts: 7,317
  • Joined: 24-September 02

Posted 25 June 2003 - 09:28 AM

Good start.... But my actual first place I would start is with the HTTP logs. Default location: C:\winnt\LogFiles\W3SVC1

Now you could look through them manually but that would take forever. So load them up into webalizer which is free and does have a windows distro (I believe).

After the report has run you can view which IP address requested the most by KB. Here you can determine if there was an abnormal spike. Which would be a dead giveaway.

I'll think of some more in a bit. Keep me posted on progress and I'll give you some tips.
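The "bytes per IP" summary Blake describes, as an added example that is not part of the thread or of webalizer: it reads an IIS W3C extended log, honours the #Fields directive, totals sc-bytes per client, and flags any client responsible for more than half of all bytes sent. The field list and the log lines are constructed sample data, and the check assumes sc-bytes is among the logged fields.

```python
"""Bytes sent per client IP from an IIS W3C extended log (added example, not
from the thread). Assumes a '#Fields:' directive naming c-ip and sc-bytes;
the sample log below is constructed."""
from collections import defaultdict

# Constructed sample: three clients, one pulling far more bytes than the rest.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2003-06-20 00:00:00
#Fields: date time c-ip cs-method cs-uri-stem sc-status sc-bytes
2003-06-20 00:01:02 192.0.2.10 GET /default.htm 200 3120
2003-06-20 00:01:05 192.0.2.10 GET /images/logo.gif 200 8450
2003-06-20 00:02:11 198.51.100.7 GET /default.htm 200 3120
2003-06-20 00:03:40 203.0.113.9 GET /uploads/big.bin 200 52428800
2003-06-20 00:05:13 203.0.113.9 GET /uploads/big.bin 206 52428800
2003-06-20 00:06:00 198.51.100.7 GET /about.htm 404 1540
"""

def bytes_per_client(log_text):
    """Return {client_ip: total sc-bytes}, using the #Fields directive for layout."""
    fields = None
    totals = defaultdict(int)
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # field names follow the directive
            continue
        if not line or line.startswith("#") or fields is None:
            continue  # comment, blank, or data before any #Fields directive
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line: field count disagrees with the header
        rec = dict(zip(fields, parts))
        if rec.get("sc-bytes", "-") != "-":  # IIS writes '-' for unknown values
            totals[rec["c-ip"]] += int(rec["sc-bytes"])
    return dict(totals)

def flag_heavy_clients(totals, share=0.5):
    """Return clients responsible for more than `share` of all bytes sent."""
    grand = sum(totals.values())
    if grand == 0:
        return []
    return sorted(ip for ip, b in totals.items() if b / grand > share)

if __name__ == "__main__":
    totals = bytes_per_client(SAMPLE_LOG)
    for ip, b in sorted(totals.items(), key=lambda kv: kv[1], reverse=True):
        print(f"{ip:16} {b / 1024:12.1f} KB")
    print("heavy:", flag_heavy_clients(totals))
```

Point it at the real files under the W3SVC1 directory by passing their contents to bytes_per_client; a client that dominates the byte total over a whole day is the spike Blake is talking about.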
