RE: break in?

From: Harlan Carvey (keydet89_at_yahoo.com)
Date: 11/15/05

    Date: Tue, 15 Nov 2005 03:10:53 -0800 (PST)
    To: larobins@bellatlantic.net, 'Paul Greene' <techlists@comcast.net>, focus-ms@securityfocus.com
    
    

    Laura,

    > Okay, a few things first:
    >
    > 1. You say you saw lots of failed login attempts. Did you see any
    > successful ones?

    Good call.

    > 2. The printers that appeared on your DC are normal. By default, the RDP
    > client will try to install the printers that are installed on the client
    > machine into the terminal session, as well.

    Very interesting.
     
    > 3. Have you run netstat to see what's trying to connect to the ftp and web
    > sites? I'd recommend netstat -b -v so you can see the executables that
    > spawned the processes making the connections.

    I wasn't aware that the -b switch worked on Win2K... I thought that it was
    only XP that the switch worked on. I'll have to try that one at home later,
    on a Win2K VMware session.

    The OP stated in his post, "I have a Win2K domain
    controller running on my home network..."

    Harlan

    ------------------------------------------
    Harlan Carvey, CISSP
    "Windows Forensics and Incident Recovery"
    http://www.windows-ir.com
    http://windowsir.blogspot.com
    ------------------------------------------
