RE: break in?
From: dave kleiman (dave_at_isecureu.com)
Date: 11/16/05
- Previous message: Nick Wells: "RE: ISA Server or Firewall Appliance?"
- In reply to: Harlan Carvey: "RE: break in?"
- Next in thread: Barrie Dempster: "Re: break in?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: <focus-ms@securityfocus.com> Date: Tue, 15 Nov 2005 18:45:48 -0500
Paul,
I have a script set just for investigating intrusions on a MSFT OS network.
It begins with an excessive failed login script and goes from there.
Look it over here:
http://www.infragard.net/library/congress_05/computer_forensics/index.htm
If you think the toolbox will help you, let me know and I will send it to
you, or anyone that would like a copy. Or, you can just cut and paste the
scripts from the PDF, and use them manually.
If you find any of the above useful, you should definitely take a look at
the Microsoft Log Parser Toolkit:
http://www.syngress.com/catalog/?pid=3110
Regards,
Dave
-----Original Message-----
From: Harlan Carvey [mailto:keydet89@yahoo.com]
Sent: Tuesday, November 15, 2005 06:11
To: larobins@bellatlantic.net; 'Paul Greene';
focus-ms@securityfocus.com
Subject: RE: break in?
Laura,
> Okay, a few things first:
>
> 1. You say you saw lots of failed login attempts.
> Did you see any successful ones?
Good call.
> 2. The printers that appeared on your DC are normal.
> By default, the RDP client will try to install the printers that are
> installed on the client machine into the terminal session, as well.
Very interesting.
> 3. Have you run netstat to see what's trying to connect to the ftp and
> web sites? I'd recommend netstat -b -v so you can see the executables
> that spawned the processes making the connections.
I wasn't aware that the -b switch worked on Win2K...I
thought that it was only XP that the switch worked on.
I'll have to try that one at home later, on a Win2K
VMWare session.
The OP stated in his post, "I have a Win2K domain
controller running on my home network..."
Harlan
------------------------------------------
Harlan Carvey, CISSP
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com
------------------------------------------
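The "excessive failed login" starting point Dave describes, together with Laura's first question (did any of the attempts succeed?), as an added example that is not part of Dave's toolbox or of the original thread. It runs over a constructed, simplified CSV rendering of Security-log logon events (timestamp, event ID, target account, source workstation, source IP) rather than a live event log; that field layout is an assumption, while the event IDs are the real ones (529 = failed logon and 528/540 = successful logon on Windows 2000, XP and 2003; 4625 and 4624 on Vista and later). Python is used so it runs anywhere; a toolbox of the period would have been batch or VBScript over dumpel or Log Parser output.

```python
"""Triage Windows Security-log logon events for brute-force patterns.

Added example, not from the original thread. Input is a constructed,
simplified CSV rendering of logon events (assumed layout); a real run
would reshape dumpel / Log Parser output into these five fields.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Windows 2000/XP/2003: 529 = bad user name or password, 528/540 = success.
# Vista and later:      4625 = failure, 4624 = success.
FAILED_IDS = {529, 4625}
SUCCESS_IDS = {528, 540, 4624}

# Constructed sample data (not real logs), deliberately unsorted.
SAMPLE_LOG = """\
# timestamp,event_id,account,workstation,source_ip
2005-11-14T22:01:03,529,administrator,WKSTN7,10.0.0.23
2005-11-14T21:00:00,529,paul,SLOWBOX,10.0.0.77
2005-11-14T22:01:12,529,administrator,WKSTN7,10.0.0.23
2005-11-14T22:01:20,529,administrator,WKSTN7,10.0.0.23
2005-11-14T21:08:00,529,paul,SLOWBOX,10.0.0.77
2005-11-14T22:01:31,529,administrator,WKSTN7,10.0.0.23
2005-11-14T22:01:45,529,administrator,WKSTN7,10.0.0.23
2005-11-14T21:16:00,529,paul,SLOWBOX,10.0.0.77
2005-11-14T22:02:02,529,administrator,WKSTN7,10.0.0.23
2005-11-14T22:02:30,528,administrator,WKSTN7,10.0.0.23
2005-11-14T21:24:00,529,paul,SLOWBOX,10.0.0.77
2005-11-14T22:05:00,529,laura,LAURA-PC,10.0.0.50
2005-11-14T22:05:10,529,laura,LAURA-PC,10.0.0.50
2005-11-14T21:32:00,529,paul,SLOWBOX,10.0.0.77
2005-11-14T22:05:30,540,laura,LAURA-PC,10.0.0.50
"""


def parse_events(text):
    """Parse the CSV-like records into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, eid, account, wkstn, ip = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "event_id": int(eid),
                       "account": account.lower(), "workstation": wkstn,
                       "source_ip": ip})
    events.sort(key=lambda e: e["ts"])
    return events


def find_bursts(events, threshold=5, window=timedelta(minutes=2)):
    """Sources with >= threshold failed logons inside a sliding window.

    Returns {source_ip: peak failures seen within one window}. A slow
    trickle spread over hours never fills the window and is not reported.
    """
    recent = defaultdict(deque)
    peaks = {}
    for e in events:
        if e["event_id"] not in FAILED_IDS:
            continue
        q = recent[e["source_ip"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:   # drop failures older than window
            q.popleft()
        if len(q) >= threshold:
            peaks[e["source_ip"]] = max(peaks.get(e["source_ip"], 0), len(q))
    return peaks


def find_success_after_failures(events, min_failures=3,
                                window=timedelta(minutes=10)):
    """Successful logons preceded by >= min_failures failures from the same source.

    A run of 529s that ends in a 528/540 from the same source is the case
    that answers "did any of them succeed?" and needs a closer look.
    """
    failures = defaultdict(deque)
    hits = []
    for e in events:
        q = failures[e["source_ip"]]
        while q and e["ts"] - q[0] > window:
            q.popleft()
        if e["event_id"] in FAILED_IDS:
            q.append(e["ts"])
        elif e["event_id"] in SUCCESS_IDS and len(q) >= min_failures:
            hits.append({"source_ip": e["source_ip"], "workstation": e["workstation"],
                         "account": e["account"], "failures_before": len(q),
                         "success_at": e["ts"]})
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for ip, n in find_bursts(evs).items():
        print(f"burst: {n} failed logons from {ip} within 2 minutes")
    for h in find_success_after_failures(evs):
        print(f"SUCCESS after {h['failures_before']} failures: {h['account']} "
              f"from {h['source_ip']} ({h['workstation']}) at {h['success_at']}")
```

On the sample data only 10.0.0.23 is reported: six failures against administrator in under a minute, then a successful logon from the same workstation. The two mistyped passwords from LAURA-PC and the slow trickle from SLOWBOX fall below the thresholds, which is the point of windowing rather than counting raw 529s. Tune the thresholds to the network; the successful-after-failures check is the one to act on first.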