RE: Windows NT intrusion

From: Marchee, E.N. (Erik.Marchee@bvh.nl)
Date: 01/30/02


From: "Marchee, E.N." <Erik.Marchee@bvh.nl>
To: "'security-basics@securityfocus.com'" <security-basics@securityfocus.com>
Date: Wed, 30 Jan 2002 09:36:14 +0100

Check http://www.cert.org They have a section with best practices if a
Windows or UNIX system is compromised; they also have good info about how to
prevent intrusions. Furthermore, get some good books like "Hacking Exposed".

Erik Marchee
Operational System and Network Management
FloraHolland

BTW, you probably signed up to this list from SecurityFocus; this is also an
excellent site to get info.
 

-----Original Message-----
From: John Oliver [mailto:john.oliver@hosting.com]
Sent: Monday, 28 January, 2002 20:56
To: sdw2000@t-tape.com; security-basics@securityfocus.com
Subject: Windows NT intrusion

Last week, I had a client's NT Server 4.0 machine show definite signs of
compromise... all sorts of odd ports listening, including some traceable
back to WinGate (which we never installed!), and some others that were
known as some IRC-related stuff. With a UNIXy OS, I have a pretty
decent idea of how to find out what happened, when, etc. and maybe even
clean up. But Windows? I took the easy route... on Saturday, I just
nuked the OS, installed W2K, patched, etc. But are there any sites that
have good documentation about post-mortems on Windows boxen? Or even a
class in the San Diego area?

Also, any thoughts on things I can do to make things easier on myself...
I've found some tools that can send the NT system logs to an off-host
syslogd. Are there any Tripwire-like tools for NT? Any such thing as
an immutable bit?

-- 
John Oliver
System Administrator
hosting.com, an Allegiance Telecom company
mailto:john.oliver@hosting.com
(858) 637-3600
http://www.hosting.com/
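As an added example (not part of this thread, and not code from any tool the posters mention), here is a minimal Tripwire-style integrity check in Python, the kind of thing the question about "Tripwire-like tools for NT" is asking about: it hashes every file under a directory into a baseline, re-scans later, and reports files that were added, removed or modified. The directory layout and file contents are constructed for the demo; the SHA-256 digest and the JSON baseline format are this example's own choices.

```python
"""Tripwire-style file-integrity check (added example, not from the thread):
hash every file under a root into a baseline, re-scan later, and report what
was added, removed or modified. The baseline belongs off-host: an intruder
with Administrator rights can rewrite anything stored on the box itself."""
import hashlib
import json
import os
import tempfile


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root):
    """Map each file's root-relative path (forward slashes, so the baseline is
    portable across hosts) to its content hash and size."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {"sha256": hash_file(full),
                             "size": os.path.getsize(full)}
    return baseline


def compare(baseline, current):
    """Diff two baselines. Content hashes, not timestamps, decide 'modified':
    an intruder can reset mtime, but cannot change the bytes and keep the
    SHA-256 the same."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new
                           if baseline[p]["sha256"] != current[p]["sha256"]),
    }


def _write(root, rel, data):
    """Create a file at a forward-slash relative path, making parent dirs."""
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def demo():
    """Constructed scenario (sample data, not a real system): baseline a small
    tree, then simulate an intrusion (a trojaned binary, a dropped proxy, a
    deleted log) and re-check against the stored baseline."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "system32/cmd.exe", b"original shell binary")
        _write(root, "system32/drivers/etc/hosts", b"127.0.0.1 localhost\n")
        _write(root, "winnt/setup.log", b"install completed\n")
        # Serialize the baseline exactly as it would be shipped to another host.
        stored = json.dumps(build_baseline(root), sort_keys=True)

        _write(root, "system32/cmd.exe", b"trojaned shell binary")   # modified
        _write(root, "system32/wingate.exe", b"unwanted proxy")      # added
        os.remove(os.path.join(root, "winnt", "setup.log"))          # removed

        return compare(json.loads(stored), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it directly to see the three-way report for the constructed tree. Two practical points the script encodes: the baseline must be taken before the box is exposed and kept somewhere the box cannot write to (the same reasoning behind shipping the NT event logs to an off-host syslogd), and a check like this detects tampering rather than preventing it; there is no NT equivalent of an immutable bit, since an account with Administrator rights can undo the read-only attribute or take ownership past an ACL.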


