Thread: Logs left after an attack

  1. #1
    Senior Member therenegade's Avatar
    Join Date
    Apr 2003
    Posts
    400

    Logs left after an attack

    What kind of logs are left after an intrusion has been made into your system? I know about firewall logs, but I heard that if you're on Windows it's possible to detect an intrusion by looking at the kernel32.dll file. Comments, people?

  2. #2
    Junior Member
    Join Date
    May 2004
    Posts
    7
    Kernel32.dll?????

    I've never heard anything about that before... but as you stated, firewalls do leave logs....

  3. #3
    Sadly, Windows leaves very few logs of its activity. A firewall should keep logs, and if you are running a 3rd party server then it too should leave logs (as long as you enable that option).

    Thus, detecting an intrusion is a matter of firewall log checking, your server log checking, and looking at the system logs created by Windows. You can find those (weak) logs at start button > control panel > administrative tools > (forget the final option)

  4. #4
    Senior Member therenegade's Avatar
    Join Date
    Apr 2003
    Posts
    400
    Well, I heard them mention logs in kernel32.dll at this convention I attended a while back.
    And let me get this straight: if someone deletes my firewall logs and server logs, they're home free? lol, I prolly made it sound very easy, huh?

  5. #5
    Umm, aren't we forgetting about sniffers and file/sys auditing? I could think of a few more things.

    There is a lot of usage for Kernel32.dll; any number of API calls could be used to monitor certain things. I still don't see how just "by looking at the kernel32.dll file" will do much.

  6. #6
    > Umm, aren't we forgetting about sniffers and file/sys auditing? I could think of a few more things.

    No, thus why I said 3rd party software must also be included. However, we were leaning more towards the default capability of Windows. And as for file/sys auditing, it's so fscked up on timestamps that I wouldn't trust a Windows file timestamp if my life depended on it. How? A property view changes access times. A copy and paste removes the original modified-on date.

  7. #7
    Antionline Herpetologist
    Join Date
    Aug 2001
    Posts
    1,165
    > You can find those (weak) logs at start button > control panel > administrative tools > (forget the final option)

    It's Event Viewer.
    Buy the Snakes of India book, support research and education (sorry the website has been discontinued)
    My blog: http://biology000.blogspot.com
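As an added example (not from any poster in this thread), here is how a defender would actually pull the evidence the replies above point to: the Event Viewer channels, the "did someone wipe the logs" events, the Windows Firewall log, and the audit policy that decides whether file/system auditing writes anything at all. Log names, the event IDs 1102/104 and the default firewall log path are standard Windows values; the 24-hour window is an assumption.

```powershell
# Added example: triage what Windows itself recorded around a suspected intrusion.
# Run from an elevated PowerShell prompt on the host being examined.
$since = (Get-Date).AddHours(-24)   # assumption: look back one day

# 1. Event Viewer logs (the "weak" logs the thread mentions) live in these channels.
foreach ($log in 'Security', 'System', 'Application') {
    $events = @(Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $since } `
                             -ErrorAction SilentlyContinue)
    Write-Host ("{0,-12} events since {1}: {2}" -f $log, $since, $events.Count)
}

# 2. Deleted logs are not "home free": clearing the Security log writes event 1102
#    into it, and clearing any other log writes System event 104. A nearly empty
#    log whose oldest entry is one of these is the tell.
$cleared = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102 } -ErrorAction SilentlyContinue) +
           @(Get-WinEvent -FilterHashtable @{ LogName = 'System';   Id = 104  } -ErrorAction SilentlyContinue)
foreach ($e in $cleared) {
    Write-Host ("LOG CLEARED  {0}  {1}" -f $e.TimeCreated, ($e.Message -split "`n")[0])
}

# 3. Windows Firewall log: only written when logging is enabled in the profile.
$fwLog = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
if (Test-Path $fwLog) {
    $drops = @(Select-String -Path $fwLog -Pattern ' DROP ').Count
    Write-Host "Firewall DROP lines in $fwLog : $drops"
} else {
    Write-Host "Firewall logging is off: $fwLog does not exist"
}

# 4. File/system auditing produces Security events only if Object Access auditing is on.
auditpol /get /category:"Object Access"
```

If step 4 shows "No Auditing", the absence of file-access events proves nothing about what happened; the log simply was never being written.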

  8. #8
    Thanks cgk, memory was rusty on that part
