Re: How to Maintain an IIS Server?

From: Stephen Pak (asiats@hotmail.com)
Date: 11/06/02


Thanks!

"Karl Levinson [x y] mvp" <levinson_k@excite.com> wrote in message
news:ekVtPuchCHA.4128@tkmsftngp08...
> You can run HFNETCHK with a switch to run it in verbose mode. This will
> give you knowledge base article numbers to look up at
> www.microsoft.com/support to tell you more information. Some of those are
> known issues and will always alert for you. Other alarms could indicate
> that a certain .DLL or other file is older or newer than it should be.
>
> For more information, check out those newsgroups mentioned below:
>
> Microsoft.public.security.hfnetchk
> [for Microsoft HFNETCHK tool]
>
> Microsoft.public.security.baseline_analyzer
> [for MS MBSA Baseline Security Analyzer ]
>
>
>
> "Stephen Pak" <asiats@hotmail.com> wrote in message
> news:OTBh0kchCHA.1960@tkmsftngp11...
> > Thank you to Ken and Karl.
> >
> > Your info is very useful!
> >
> > I have another question regarding MBSA or HFNETCHK.
> >
> > When I run those two programs, sometimes it reports that I did not apply
> > certain patches (e.g. MS02-008, MS02-022, MS02-053). However, I do
> > believe I applied the patches. Even if I re-apply those "missing" patches
> > and then run MBSA or HFNETCHK again..... it still says that the patches
> > are missing...
> >
> > Do you happen to know why? If it is not the right newsgroup, could you
> > please tell me where I should post the above question?
> >
> > Thank you again!
> >
> > Stephen
> >
> >
> > "Karl Levinson [x y] mvp" <levinson_k@excite.com> wrote in message
> > news:OQjZRhUhCHA.1688@tkmsftngp09...
> > >
> > > "Stephen Pak" <asiats@hotmail.com> wrote in message
> > > news:eI2#BvThCHA.2700@tkmsftngp09...
> > > > I looked at the Microsoft Security Website.
> > > >
> > > > I understand that there is a lot of information available there.
> > > >
> > > > Actually, I am particularly interested in how to prevent worms (e.g.
> > > > Nimda/Code Red/anything else). What anti-virus program is the best
> > > > for an IIS server running on a Windows 2000 server?
> > >
> > > Depends. I like Norton. Get a firewall or two as well, and close all
> > > ports incoming and outgoing except for those that are needed.
> > >
> > > > Also, what are the best procedures to restore the IIS server once it
> > > > is hacked by someone? Or, I should ask what is the best way to back
> > > > up the server. Is there any software or product that is good for
> > > > backup/restore (automatic backup) of the entire site or even the
> > > > computer?
> > >
> > > You got it... once your web server has been hacked, you should
> > > consider formatting and reinstalling Windows and all programs, then
> > > restoring data from backups.
> > >
> > > Since you asked, more info is below:
> > >
> > > =============
> > >
> > > How can I harden my computer or server to secure it from hackers?
> > >
> > > A: [Note that if you have already been hacked, this section will not
> > > help you re-secure your computer. In this case, you should first read
> > > the section in this FAQ entitled "How can I re-secure my computer or
> > > server after being hacked?"]
> > >
> > > Here is the short answer:
> > >
> > > 1) Do not put the computer onto the network or the Internet until
> > > after the computer has been hardened using the instructions below [or
> > > at least not before a firewall and antivirus have been installed].
> > > 2) Use firewall software and hardware and antivirus software that is
> > > configured to download updates every day;
> > > 3) Follow the instructions for hardening Windows and IIS at
> > > www.microsoft.com/technet/security ;
> > > 4) Install all service packs and security fixes from Microsoft and
> > > otherwise for all Microsoft software on your computer [Windows, IIS,
> > > Office, Internet Explorer, Windows Media Player, etc.] from
> > > www.microsoft.com/technet/security ;
> > > 5) [Ongoing] Download MBSA from www.microsoft.com/download and run it
> > > now and also at regular intervals to look for vulnerabilities in your
> > > settings, new patches that are missing, etc. Also, check your
> > > antivirus to confirm that the last successful update was less than 14
> > > days ago.
> > >
> > > These steps will make your computer fairly secure, but may still leave
> > > some holes. Keep reading below for additional information you should
> > > be aware of:
> > >
> > > A successful hacker, virus or worm intrusion into one of your
> > > computers can drain your free disk space, slow down your Internet
> > > connection, compromise your credit card numbers, damage your personal
> > > documents, allow intruders to access other machines on your network
> > > that DO contain important files, and/or leave you legally liable for
> > > other government or business computers on the Internet that are hacked
> > > by an intruder using your computer. This is why you should consider
> > > securing ALL the computer systems in your home or network, even if you
> > > think there is nothing important on the computer or it is "just a test
> > > computer."
> > >
> > > All Windows users should seriously consider all of the procedures
> > > below to help prevent intrusions on their computers:
> > >
> > > 1) Do not put the computer onto the network or the Internet until
> > > after the computer has been hardened using the instructions below.
> > > [Un-secured computers can be hacked in just 15 minutes or less after
> > > being put onto the Internet.] Depending on your environment, it may be
> > > acceptable to put your computer on the Internet after installing a
> > > firewall and antivirus software with the latest updates.
> > >
> > > 2) Seriously consider enabling or installing firewall software and/or
> > > firewall hardware. There are a number of free firewalls available,
> > > including the ICF feature that comes with Windows XP [unless XP is
> > > joined to a Windows domain], and/or other third-party firewalls
> > > available on the Internet.
> > >
> > > For more information on how and where to locate free and not-free
> > > firewall software and hardware, see the section in this FAQ entitled
> > > "Which firewall should I choose? Which firewall is the best?"
> > >
> > > 3) Seriously consider installing an antivirus program and configuring
> > > it to automatically download updates daily.
> > >
> > > For more information on where and how to locate and use free and
> > > not-free antivirus software, see the section in this FAQ entitled
> > > "Which antivirus should I choose? Which antivirus is the best?"
> > >
> > > 4) Follow the instructions for hardening Windows 2000 and also IIS
> > > [if IIS is installed] at www.microsoft.com/technet/security
> > >
> > > [Note that for Windows 2000 / NT, hardening IIS should include
> > > installing IISlockdown including URLScan. For computers with FTP
> > > service installed, it should include removing the Posix subsystem and
> > > removing write permission from the anonymous user account, among other
> > > things. Information on removing the Posix subsystem is available at:
> > > www.microsoft.com/technet/security/tools/chklist/CheckList.htm#4
> > > www.labmice.net/articles/securingwin2000.htm]
> > >
> > > 5) Download and install all the service packs and security patches
> > > from www.microsoft.com/technet/security for all the Microsoft and
> > > non-Microsoft software installed on your computer, especially
> > > Microsoft Windows, Office, Internet Explorer, Outlook Express, Windows
> > > Media Player and IIS [if IIS is installed].
> > >
> > > Note that Windows 2000, XP, .NET and NT users should also download
> > > patches for Indexing Services a.k.a. Index Server. Do not assume that
> > > Index Server patches are included with any IIS comprehensive service
> > > pack rollup you may already have installed, because they are not.
> > >
> > > [If you want a shortcut to do this faster, you could try this:
> > > * Download and install the latest Windows service pack from
> > > www.microsoft.com/technet/security;
> > > * Reboot and visit http://windowsupdate.microsoft.com to receive
> > > additional patches;
> > > * Reboot, download and run MBSA [Microsoft Baseline Security Analyzer]
> > > or HFNETCHK from www.microsoft.com/download to discover other missing
> > > patches;
> > > * Manually download from www.microsoft.com/technet/security and
> > > install any patches that were found to be missing, as well as patches
> > > for any server products that may not be included in Windows Update and
> > > MBSA/HFNETCHK, such as possibly SQL Server, ISA Server, etc.
> > > * NOTE however that Windows Update, MBSA and HFNETCHK do NOT
> > > necessarily list all Microsoft patches or search all Microsoft
> > > products, so you could be missing some patches if you rely just on
> > > these tools.]
> > >
> > > 6) [ONGOING] Re-run the MBSA tool from www.microsoft.com/download
> > > every 60 days or sooner to look for missing patches, and confirm that
> > > your antivirus program received an update in the past 10 days or less.
> > >
> > >
> > > If you want or need even more security [or are particularly paranoid
> > > or at risk], you can consider some of the additional steps below. Some
> > > of the tools below may be more security than you need, unless you are
> > > running a server such as IIS web or FTP services.
> > >
> > > * Download and install MyNetWatchman or Dshield. These are free
> > > programs that work with your firewall software or hardware to
> > > automatically report hacking attempts to the hacker's ISP. You get to
> > > see information about whether that IP address has been used to scan or
> > > hack other computers, or whether it might be targeting just your
> > > computer. You also get to see whether the ISP has responded or taken
> > > action against the offending user. This is highly recommended. You can
> > > get this software at one of the links below:
> > >
> > > www.mynetwatchman.com
> > > www.dshield.org
> > >
> > > * Sign up for the Microsoft security mailing list at
> > > www.microsoft.com/technet/security to receive emails with a link to
> > > new critical security patches as they are released, and install them
> > > ASAP.
> > >
> > > * Use Vision [or Fport] from www.foundstone.com/knowledge or Active
> > > Ports from www.webattack.com/get/activeports.shtml or pslist / pstools
> > > from www.sysinternals.com to look at the open ports on your computer
> > > and the program or executable using that port. Some firewall software
> > > such as www.sygate.com will also tell you this information.
> > >
> > > You can also use the NETSTAT -A command that comes with Windows to
> > > look at open ports; however, this will not identify which program is
> > > using the port.
> > >
> > > [You may want to run a command such as FPORT >> C:\OPENPORTS.TXT or
> > > PSLIST >> C:\OPENPORTS.TXT or NETSTAT -A >> C:\OPENPORTS.TXT
> > > This command will create a "baseline" text file named c:\openports.txt
> > > that can be compared later with the results of the command to tell you
> > > whether additional ports are now open, a possible sign of intrusion.]
> > >
> > > * Consider running one or more vulnerability scanners to look for
> > > security flaws and configuration errors on your computers.
> > > Vulnerability scanners should be run after you have installed and
> > > hardened a new computer or server, and also run at regular intervals
> > > to confirm that your computers are still secure. You might also run a
> > > port scanner against your computers as well to look for open ports.
> > >
> > > See the section in this FAQ entitled "How can I scan my computer or
> > > firewall to look for open ports or confirm that my machine is secure?"
> > > for more information.
> > >
> > > * Consider searching for and following additional checklists for
> > > hardening Windows 2000 by searching an Internet search engine such as
> > > www.google.com for words such as "harden OR hardening windows-2000"
> > > [e.g. www.google.com/search?q=harden+OR+hardening+windows-2000 ].
> > > Several such checklists are available at:
> > >
> > > http://nsa1.www.conxion.com/win2k/download.htm a.k.a. http://www.nsa.gov
> > > www.labmice.net/articles/securingwin2000.htm
> > > www.labmice.net/security
> > > http://csrc.nist.gov/itsec/guidance_W2Kpro.html
> > > http://csrc.nist.gov/publications/nistpubs/800-44/sp800-44.pdf
> > > http://rr.sans.org
> > >
> > > * Uninstall any unnecessary Windows components [e.g. click on Start,
> > > Settings, Control Panel, Add/Remove Programs, Add/Remove Windows
> > > Components]. Pay particular attention to Indexing Service, Internet
> > > Information Services (IIS), Management and Monitoring Tools, Message
> > > Queuing Services, Networking Services, Other Networking File and Print
> > > Services, Outlook Express, and Windows Media Player. If you are not
> > > sure whether something is unnecessary, try searching www.google.com or
> > > posting a question to the appropriate Microsoft security newsgroup.
> > >
> > > * Disable any unnecessary Windows services [e.g. click on Start,
> > > Settings, Control Panel, Administrative Tools, Services]. If you are
> > > not sure whether something is unnecessary, try searching
> > > www.google.com or posting a question to the appropriate Microsoft
> > > security newsgroup.
> > >
> > > * Consider using a Trojan scanner. Antivirus programs generally
> > > detect some but not all of the most common Trojans and hacker tools.
> > > Some people choose to use a Trojan scanner in addition to antivirus.
> > >
> > > For more information on where and how to locate and use free and
> > > not-free Trojan scanner software, see the section in this FAQ entitled
> > > "Which antivirus should I choose? Which antivirus is the best?"
> > >
> > > * Enable logging. Most logging is disabled by default, and usually
> > > this is not discovered until after an intrusion, when the logs are
> > > needed.
> > >
> > > Enable logging of your IIS web server, FTP server, etc. For sites
> > > with a small number of hits, consider changing logs to rotate monthly
> > > instead of daily to allow easier searching of logs.
> > >
> > > Enable logging on your Internet router, switch or firewall. [Because
> > > these devices usually do not have much storage space for saving logs,
> > > doing this may involve installing free syslog software onto your
> > > computer to be able to capture the logs.]
> > >
> > > Enable auditing of security events on your Windows system, including
> > > logon successes and/or failures and NTFS auditing of files and
> > > registry keys. For more information, see the section in this FAQ
> > > entitled "How can I enable auditing / logging on my computer /
> > > server?"
> > >
> > > Change the Windows event log settings to be appropriate for your
> > > environment. Consider increasing the maximum log size to retain more
> > > information. Be careful not to log too much, or you might find that
> > > your logs contain only a few minutes' or hours' worth of data.
> > >
> > > Check the logs to be sure logs are really being captured.
> > >
> > > * Consider using a file change checker, such as the unsupported free
> > > tool Languard File Integrity Checker at
> > > www.gfi.com/languard/lantools-fic.htm
> > > Files changing on your system can sometimes indicate a hacker
> > > intrusion.
> > >
> > > * Consider using a Windows event log monitor. Some types of
> > > intrusions leave entries in one of the logs on your computer. [On an
> > > especially vulnerable or secure system, you should be sure that you've
> > > configured logging to detect events such as intrusions.] Some network
> > > monitors such as www.ipsentry.com can send a message to your
> > > email/screen/pager if a server or service stops responding, an event
> > > or error appears in a Windows log, etc. Windows log monitors can be
> > > found by searching an Internet search engine or your favorite software
> > > web site, or by using the links below:
> > >
> > > www.ipsentry.com [around $100 US]
> > > www.sunbelt-software.com
> > > www.webattack.com
> > > www.wilders.org
> > > www.download.com
> > > www.tucows.com
> > > www.google.com/search?q=windows+event+log-monitor
> > >
> > > * Consider using EFS file encryption [under Windows 2000 / XP / .NET]
> > > or third-party utilities to encrypt the files on your computer. Some
> > > of these utilities can encrypt your entire hard drive including
> > > Windows, whereas other tools just encrypt some of your data files and
> > > are not suitable for encrypting or preventing access to Windows.
> > >
> > > Note that using any form of encryption can slow down your computer's
> > > performance. Also, you must be extremely careful to back up and
> > > protect your encryption key and any passwords. If the encryption keys
> > > are not backed up, users can lose their encrypted files forever when
> > > Windows is reinstalled, Windows encounters a problem so that Windows
> > > no longer starts up, etc.
> > >
> > > For more information on EFS file encryption on Windows 2000 / XP /
> > > .NET, see the section in this FAQ entitled "I used Windows 2000 / XP
> > > EFS file encryption to encrypt some files. Now, I can't read the
> > > files. How can I unencrypt them or recover the key?"
> > >
> > > Third party encryption software can be found at the following
> > > locations:
> > >
> > > www.pgp.com
> > > www.scramdisk.clara.net
> > > www.e4m.net
> > > www.jetico.com ["BestCrypt"]
> > > www.download.com
> > > www.tucows.com
> > > www.google.com
> > >
> > >
> > > ________________________________________________________
> > >
> > > Which firewall should I choose? Which firewall is the best?
> > >
> > > (6.2) What are some ways for me to enable Intrusion Detection or IDS?
> > >
> > > (6.3) How can I enable or configure the Windows XP ICF Internet
> > > Connection Firewall?
> > >
> > > (6.4) How can I enable or configure TCP/IP Filters or IPsec policies
> > > to protect my computer, filter, block, encrypt or tunnel traffic?
> > >
> > > A: The answer to this question varies depending on your computer
> > > systems, your security requirements and your personal preferences.
> > > Below are some firewalls and other forms of firewall-like packet
> > > filtering:
> > >
> > > NO MATTER WHICH FIREWALL YOU CHOOSE...
> > > No matter which firewall you choose, you should seriously consider
> > > downloading and installing MyNetWatchman or Dshield. These are free
> > > programs that work with your firewall software or hardware to
> > > automatically report hacking attempts to the hacker's ISP. You get to
> > > see information about whether that IP address has been used to scan
> > > or hack other computers, or whether it might be targeting just your
> > > computer. You also get to see whether the ISP has responded or taken
> > > action against the offending user. You can get this software at one
> > > of the links below:
> > >
> > > www.mynetwatchman.com
> > > www.dshield.org
> > >
> > > Also, no matter which firewall you choose, the lists below of port
> > > numbers for common software services may be helpful when configuring
> > > your firewall or when trying to monitor the firewall logs for signs
> > > of intrusion:
> > >
> > > http://support.microsoft.com/default.aspx?scid=kb;en-us;Q289241
> > > [common ports on Windows 2000]
> > > http://www.iana.org/assignments/port-numbers
> > > http://www.iisfaq.com/default.asp?View=P106
> > >
> > >
> > > FIREWALL SOFTWARE:
> > > www.sygate.com [free for non-commercial use, also works like a sniffer]
> > > www.kerio.com [free for non-commercial use]
> > > www.agnitum.com [free for non-commercial use]
> > > www.zonealarm.com [free for non-commercial use, also blocks pop-ups]
> > > www.iss.net [Black Ice]
> > > www.symantec.com [Norton]
> > > www.webattack.com
> > > www.download.com
> > > www.tucows.com
> > > [Windows XP users can also consider using the ICF firewall that comes
> > > with XP, more info below]
> > >
> > > FIREWALL DEVICES [HOME / SOHO]:
> > > www.linksys.com [starts around $70 US]
> > > www.netgear.com [starts around $70 US]
> > > http://search.ebay.com/search/search.dll?query=firewall [prices on
> > > new and used firewalls]
> > >
> > > FIREWALL DEVICES [PROFESSIONAL / ENTERPRISE]:
> > > www.netscreen.com
> > > www.netgear.com
> > > www.intrusion.com
> > > www.cisco.com
> > > www.nortelnetworks.com/products/family/contivity.html
> > > www.nokia.com/securitysolutions
> > > www.microsoft.com/isa
> > > http://search.ebay.com/search/search.dll?query=firewall [prices on
> > > new and used firewalls]
> > >
> > > LINUX / BSD FIREWALLS:
> > > http://www.ipcop.org [install to hard drive, friendly GUI]
> > > http://www.smoothwall.org [install to hard drive, friendly GUI]
> > > http://www.devil-linux.org [boot CD firewall]
> > > http://gibraltar.at [boot CD firewall]
> > > http://www.sentryfirewall.com [boot CD firewall]
> > > http://www.thinman.com/eLSD [boot CD firewall]
> > > http://www.closedbsd.org [boot floppy firewall]
> > > http://thewall.sf.net [boot floppy firewall]
> > >
> > > INTRUSION DETECTION:
> > > http://www.snort.org [free, has a version for Windows]
> > > http://www.trinux.org [free, runs from a boot floppy disk or CD]
> > > http://www.iss.net
> > >
> > > Linux / BSD firewalls can be run on an old spare 486 PC to protect
> > > your network, and the software is often free of charge. Some of the
> > > firewalls above are supposedly intended to be easy enough for small
> > > offices and home users with no previous Linux experience to use.
> > > Linux firewalls are one inexpensive way to be able to add advanced
> > > firewall features that may be very expensive to add to commercial
> > > firewalls. [Features such as bandwidth usage reporting, QoS bandwidth
> > > limiting, intrusion detection, alerts in real-time to your email or
> > > pager, a third network interface to create a DMZ, identical spare
> > > backup firewalls for fault tolerance and scalability, etc. are
> > > generally free.] Unlike some commercial firewalls, 24x7 on-site
> > > technical support for Linux / BSD firewalls can be purchased from a
> > > number of companies in most cities.
> > >
> > > Intrusion detection is software or hardware that generally monitors
> > > the data transmissions on your network in order to add better
> > > alerting, analysis and detection of intrusions [without necessarily
> > > blocking those intrusions]. Note that with most IDS systems, you must
> > > tune the default rules and settings, or else you will receive too many
> > > false alarms.
> > >
> > > Linux firewalls and intrusion detection are not likely to be the best
> > > way to protect just one home computer or laptop [unless you are an
> > > expert computer user or computer hobbyist]. These tools are probably
> > > more useful to network administrators.
> > >
> > >
> > > ICF - WINDOWS XP INTERNET CONNECTION FIREWALL -
> > > If you are using a Windows XP computer at home and do not log into a
> > > Windows domain, you can enable the free ICF - Internet Connection
> > > Firewall - that comes with Windows XP. The ICF firewall is generally
> > > well respected and secure for home users.
> > >
> > > You can enable or configure ICF by clicking on Start, Settings,
> > > Control Panel, double-click Networking and Internet Connections, click
> > > Network Connections, right-click the connection on which you would
> > > like to enable ICF, and then click Properties, Advanced and select
> > > "Protect my computer or network."
> > >
> > > See the articles below for more information:
> > >
> > > How to enable or disable ICF -
> > > http://support.microsoft.com/default.aspx?scid=kb;en-us;Q283673
> > > More information on ICF and how to configure ICF -
> > > http://support.microsoft.com/default.aspx?scid=kb;en-us;Q320855
> > > http://support.microsoft.com/default.aspx?scid=kb;en-us;Q298804
> > > http://support.microsoft.com/default.aspx?scid=kb;en-us;Q308127
> > >
> > >
> > > =============
> > >
> > > How can I tell if I've been hacked?
> > >
> > > A: This can be a complicated procedure and usually requires both
> > > prior experience with forensic investigations and knowledge of what
> > > the computer looked like [which files existed, which ports were open,
> > > etc.] or what a similar computer looks like before being compromised.
> > >
> > > Also, the procedures you follow may vary depending on your security
> > > needs. For example, performing some of the procedures below may modify
> > > the files on your computer so that it is not admissible as evidence in
> > > court. Other procedures below could alert a hacker to the fact that
> > > you are looking for her, causing her to delete evidence or retaliate
> > > against you in some way.
> > >
> > > If this is a business computer, your company should seriously consider
> > > hiring a security consultant or contacting the appropriate local law
> > > enforcement agency, both for the initial forensic response and also to
> > > improve your security to avoid future intrusions.
> > >
> > > Keep in mind during the investigation that this might NOT be a hacker
> > > intrusion and might instead be regular network activity or a worm.
> > > Books such as Incident Response, Hacker's Challenge and/or Hacking
> > > Exposed 3rd Edition may offer you more information on how to
> > > investigate intrusions.
> > >
> > > You may consider performing the actions below:
> > >
> > > 1) Unplugging the network cable is one possible way to try to prevent
> > > further damage.
> > >
> > > 2) Use Vision [or Fport] from www.foundstone.com/knowledge or Active
> > > Ports from www.webattack.com/get/activeports.shtml or pslist / pstools
> > > from www.sysinternals.com to look at the open ports on your computer
> > > and the program or executable using that port. Some firewall software
> > > such as www.sygate.com will also tell you this information.
> > >
> > > You can also use the NETSTAT -A command that comes with Windows to
> > > look at open ports; however, this will not identify which program is
> > > using the port.
> > >
> > > If you're unsure about the purpose of a particular port or program,
> > > try searching an Internet search engine such as www.google.com for the
> > > name of the port or program, or try right-clicking on the file in
> > > question to see the properties. Or, you could even try to telnet to
> > > that port e.g. by typing TELNET LOCALHOST PORTNUMBER or TELNET
> > > COMPUTERNAME PORTNUMBER [example, TELNET LOCALHOST 82 ] and press the
> > > Enter key a few times to see if any informative messages appear.
> > >
> > > 3) Consider using a file change checker, such as the unsupported free
> > > tool Languard File Integrity Checker at
> > > www.gfi.com/languard/lantools-fic.htm.
> > > Recently changed files on your system can sometimes indicate an
> > > intrusion. You could also find and list the files on your hard drives
> > > that have been modified in the past 3 days by clicking on Start,
> > > Search [or Find], Files or Folders, and setting the appropriate date
> > > [though note that this may change the "Last Accessed" date stamp on
> > > some of these files]. "The Forensic Toolkit" from
> > > www.foundstone.com/knowledge includes command-line tools to list files
> > > without modifying the date.
> > >
> > > 4) Inspect the programs that launch when Windows starts on your
> > > computer, by using MSCONFIG or Startup Cop. Suspicious programs
> > > starting when Windows starts can indicate a successful intrusion.
> > > [These can also indicate less serious events such as a virus or worm
> > > infection or even the installation of a freeware or ad-ware program
> > > such as an MP3 music file-sharing program.] See the section in this
> > > FAQ entitled "I think there may be a suspicious program, Trojan,
> > > ad-ware, "porn dialer," etc. starting up on my computer when Windows
> > > starts" for more information on how to do this.
> > >
> > > 5) Check the logs on your computer, especially your Internet router
> > > or firewall logs, the IIS web and ftp server logs and Windows security
> > > event log. [This is probably the first thing to do if IIS web services
> > > are running on the computer.] Some of these logs may not exist if you
> > > have not already enabled them.
> > >
> > > Many common hacks are first seen in the IIS web server logs. Any line
> > > in your web server log that contains % or .EXE and which also contains
> > > a 200 or 502 error code is cause for further investigation. If you are
> > > familiar with DOS commands, you may be able to see exactly what
> > > commands the intruder tried to execute. Keep in mind that every web
> > > server on the Internet will have suspicious looking entries from worms
> > > like Nimda, though these are not necessarily signs of a successful
> > > intrusion.
> > >
> > > For more information on deciphering web server logs, see the section
> > > in this FAQ entitled "I keep seeing strange things in my IIS web
> > > server logs, like 'NNNNNNNNN' or 'GET /scripts/root.exe' Have I been
> > > hacked?"
> > >
> > > 6) Consider using a Trojan scanner. Antivirus programs generally
> > > detect some but not all of the most common Trojans and hacker tools.
> > > Some people choose to use a Trojan scanner in addition to antivirus.
> > >
> > > For more information on where and how to locate and use free and
> > > not-free Trojan scanner software, see the section in this FAQ entitled
> > > "Which antivirus should I choose? Which antivirus is the best?"
> > >
> > > 7) Consider installing an antivirus program that is configured to
> > > automatically download updates daily.
> > >
> > > For more information on where and how to locate and use free and
> > > not-free antivirus software, see the section in this FAQ entitled
> > > "Which antivirus should I choose? Which antivirus is the best?"
> > >
> > > 8) Consider running a port scanner [and/or a vulnerability scanner]
> > > to look for security flaws and configuration errors on your computers.
> > > For example, you might also run a port scanner against your computers
> > > to look for open ports. A particular open port might indicate the way
> > > a hack occurred and/or might give you a way to identify other infected
> > > computers. Begin with Vision, Fport and/or SuperScan from
> > > www.foundstone.com/knowledge, MBSA from www.microsoft.com/download
> > > and/or Languard Network Scanner from www.gfi.com
> > >
> > > See the section in this FAQ entitled "How can I scan my computer or
> > > firewall to look for open ports or confirm that my machine is secure?"
> > > for more information.
> > >
> > > 9) Consider enabling or installing a firewall and/or a sniffer
> > > [either software or hardware based] to monitor and look for unusual
> > > network traffic. There are a number of free firewalls available on the
> > > Internet which can show network transmissions to and from your
> > > computer, such as www.sygate.com, or you could use the Network Monitor
> > > which comes with Windows 2000 / XP / NT / .NET, or Ethereal at
> > > www.ethereal.com, or Windump at http://windump.polito.it
> > >
> > > For more information on how and where to locate free and not-free
> > > firewall software and hardware, see the section in this FAQ entitled
> > > "Which firewall should I choose? Which firewall is the best?"
> > >
> > > 10) The third party web sites and tools below may also be helpful:
> > >
> > > www.sysinternals.com
> > >
> > > For example, some of the helpful free tools on this site include
> > > Filemon, Regmon and Process Explorer which all display activity on your
> > > computer you might not otherwise be able to see. These tools show which
> > > files, registry keys, .DLLs and other objects are currently being
> > > accessed and by which process.
> > >
> > > Pstools is a group of tools including pslist, which lists detailed
> > > information about processes, and psloggedon, which displays who is
> > > logged onto your computer currently.
> > >
> > > www.foundstone.com/knowledge
> > >
> > > In addition to the Vision / Fport tools, one of the free tools on this
> > > site is NTLast, a security event log analysis tool that helps identify
> > > who has gained access to the system, using the NT security event logs
> > > [assuming auditing has previously been turned on].
> > >
> > > Also, the Forensic Toolkit is a collection of tools including:
> > > * Afind, which lists recently accessed files without changing the date
> > > stamp on the file;
> > > * Hfind, which scans the disk for hidden files;
> > > * Sfind, which scans the disk for files hidden in data streams.
> > >
> > > www.incident-response.org/IRCR.htm
> > >
> > > Incident Response Collection Report (IRCR) is a collection of forensic
> > > tools that automates many of the tasks a forensics expert might perform.
> > >
> > > If you have trouble understanding the results of any of these tools,
> > > you can post your results along with your question to an appropriate
> > > Usenet newsgroup. Note that the Microsoft newsgroups may not be the
> > > place to get the best answers to your questions, though you can try and
> > > see what happens.
> > >
> > > [Thanks to Susan Bradley, Rob Lee and others]
> > >
> > >
> > > ________________________________________________________
> > >
> > > (7.2) How can I re-secure my computer or server after being hacked?
> > >
> > > A: If your computer or server has been compromised, it is highly
> > > recommended that you follow this procedure to secure your computer:
> > >
> > > 1) Hire someone with security experience to investigate your computer
> > > and confirm that it has been hacked, learn how it was hacked, collect
> > > evidence, confirm that your other computers have not been hacked, etc.;
> > > 2) Back up your data files;
> > > 3) Format the hard drives;
> > > 4) Reinstall Windows and all other software onto the computer;
> > > 5) Do not put the computer back on the network or the Internet until
> > > the previous steps are completed [since un-secured computers on the
> > > Internet can be hacked within 15 minutes];
> > > 6) Follow the further instructions for securing your computer by
> > > reading the section in this FAQ entitled "How can I harden my computer
> > > or server to secure it from hackers?"
> > >
> > > This procedure [formatting and reinstalling] is recommended because it
> > > is difficult to be certain that you have found and removed all changes
> > > the intruder made to your computer. If the hacker added a login ID,
> > > changed a password, installed remote control software, etc. onto your
> > > computer, the hacker or other hackers could easily get back into your
> > > computer.
> > >
> > > If you wish, you can take the chance and just try your best to remove
> > > everything you can find, but then you may still be at risk.
> > > Instructions for how to manually re-secure your system without
> > > formatting and reinstalling everything can be complex and are beyond
> > > the scope of this FAQ. However, some general tips are given in the
> > > section in this FAQ entitled "How can I tell if I've been hacked?"
> > >
> > > BEFORE you format and reinstall Windows, it may be a good idea to have
> > > someone investigate the computer to look for clues as to how the
> > > computer was compromised and by whom. This information can help you to:
> > >
> > > 1) Confirm that you really were hacked, possibly saving you from
> > > needlessly formatting and reinstalling Windows on your computer;
> > > 2) Find other machines on your network that were also hacked;
> > > 3) Learn what mistakes were made that allowed the computer to be
> > > compromised and avoid making those mistakes in the future.
> > >
> > > Instructions for how to determine whether or not you've been hacked
> > > are complex and are beyond the scope of this FAQ. However, some general
> > > tips are given in the section in this FAQ entitled "How can I tell if
> > > I've been hacked?"
> > >
> > > Note that unless you are already experienced in forensics, any actions
> > > you take on your computer will probably reduce your ability to use your
> > > computer as evidence in a court of law, and could provoke the hacker
> > > into retaliating against you in some way. [On the other hand, your
> > > chances of being able to find and prosecute the hacker are slim, unless
> > > you are a business, or a government entity, or can prove substantial
> > > financial loss as a result of the hacking. If you fall into one of
> > > these categories, you should contact a local law enforcement agency,
> > > such as the local FBI office in your city if you are in the U.S.]
> > >
> > >
> > > ________________________________________________________
> > >
> > > Which port scanner or vulnerability scanner should I use? Which scanner
> > > is the best?
> > >
> > > (8.3) How can I scan my computer or firewall to look for 'open ports'
> > > or confirm that my machine is secure?
> > >
> > > A: Computers on the Internet use IP addresses and port numbers while
> > > exchanging communications to make sure the communications get to the
> > > right software program on the right computer. Just as a single cable
> > > carries multiple distinct cable TV channels using different channel
> > > numbers [channel 2, channel 3, etc.] to your TV at the same time, the
> > > Internet carries multiple different messages to and from your computer
> > > using different port numbers [TCP port 80, UDP port 53, etc.] to
> > > distinguish one message from another and also to distinguish which
> > > software on your computer should receive the message.
> > >
> > > An "open port" on your computer generally means that a piece of
> > > software on your computer is "listening" and accepting messages from
> > > other computers. If that software on your computer has a vulnerability
> > > or is missing a security patch, someone could use that open port and
> > > the vulnerability within it to take control of your computer.
> > >
> > > There are a number of web sites that help you do a port scan to look
> > > for some common open ports on your computer. Some of these sites
> > > include:
> > >
> > > http://scan.sygatetech.com - longer, more thorough
> > > https://grc.com/x/ne.dll?bh0bkyd2 - brief, scans just key ports
> > > http://www.blackcode.com/scan
> > > http://security2.norton.com
> > > http://www.auditmypc.com
> > > http://www.sdesign.com/securitytest
> > > http://www.doshelp.com/dostest.htm
> > >
> > > Note that few or none of the scans above scan every single possible
> > > port on your machine. There are 65,535 possible TCP ports and 65,535
> > > possible UDP ports on your machine. FYI, most of the scans above do
> > > simple port scans looking for open ports on your computer, which is
> > > probably good enough for security purposes, but is not exactly the same
> > > type of scan a hacker may use.
> > >
> > > If your machine is on a network and you wish to have more control over
> > > the scan, you may want to download port-scanning software such as Nmap
> > > from www.eeye.com, SuperScan from www.foundstone.com/knowledge, etc.
> > >
> > > VULNERABILITY ASSESSMENT SCANNERS
> > > Besides simple port scanners, you may also want to run a vulnerability
> > > assessment scan against your computer, especially if you are in a
> > > corporate environment. Some limited vulnerability assessment scanners
> > > that run on Windows are listed below. [If you have a computer running
> > > operating systems other than Windows, you may be able to find
> > > additional vulnerability scanners to audit your Windows computers.]
> > >
> > > [Free]
> > > www.microsoft.com/download - MBSA Microsoft Baseline Security Advisor
> > > [MBSA finds critical missing patches and vulnerabilities for some
> > > common Microsoft products]
> > > www.microsoft.com/download - HFNETCHK
> > > www.gfi.com - Languard Network Security Scanner
> > > www.nextgenss.com - CIS Cerberus Internet Scanner
> > > www.trinux.org - free, runs Linux, nmap, etc. from a single boot floppy
> > > disk or CD
> > > http://community.whitehatsec.com/index.pl?section=wharsenal - White Hat
> > > Arsenal for IIS web server applications
> > > http://sourceforge.net/projects/whisker - Whisker, Perl-based web
> > > server assessment
> > > http://csrc.nist.gov/publications/drafts/security-testing.pdf
> > >
> > > [Not Free]
> > > Commercial vulnerability assessment scanners may be found by searching
> > > an Internet search engine such as www.google.com
> > >
> > >
> > > ________________________________________________________
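As an added example (not part of the FAQ or of either poster's message), here is the "unexpected open port" check from FAQ section 8.3 done from the host side rather than with an external scanner: it parses `netstat -ano` output and flags listeners that are not on an allowlist. The netstat sample and the allowlist for a bare IIS server are both constructed for the example.

```python
"""Audit a Windows host's listening ports against an expected-services list.

Parses `netstat -ano` output (standard Windows column layout; the sample is
constructed) and reports listeners not on the allowlist: the "unexpected
open port" check of FAQ section 8.3, run from the host itself.
"""
import re

# Constructed sample for an IIS box: web on 80/443, RPC on 135, plus an
# unexpected TCP listener on 31337 and an unexpected UDP socket on 53.
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1200
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       732
  TCP    [::]:443               [::]:0                 LISTENING       1200
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING       2044
  TCP    192.0.2.10:80          198.51.100.7:51234     ESTABLISHED     1200
  UDP    0.0.0.0:53             *:*                                    1540
"""

# Hypothetical policy for a bare IIS server: only these (proto, port) pairs
# may listen. Adjust to the role of the host being audited.
EXPECTED = {("TCP", 80), ("TCP", 443), ("TCP", 135)}
# proto, local address, local port, foreign address, optional state, PID
LINE_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+\s+(?:([A-Z_]+)\s+)?(\d+)\s*$"
)


def parse_listeners(text):
    """Return (proto, port, pid) for every listening socket in netstat text.
    TCP counts only in LISTENING state; UDP has no state column, so every
    bound UDP socket is treated as a listener."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank or otherwise non-socket line
        proto, _addr, port, state, pid = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue
        found.append((proto, int(port), int(pid)))
    return found


def unexpected_listeners(text, expected=EXPECTED):
    """Listeners whose (proto, port) is off the allowlist; the PID is what
    you then look up with Process Explorer, pslist or Fport."""
    return [s for s in parse_listeners(text) if (s[0], s[1]) not in expected]
```

On a real host, capture `netstat -ano > ports.txt` and pass the file contents to `unexpected_listeners`; each hit gives the protocol, port and PID to chase down with the Sysinternals tools the FAQ lists.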