Examining a compromised server.
  #9 nihil (Super Moderator: GMT Zone) | Join Date: Jul 2003 | Location: United Kingdom: Bridlington | Posts: 17,192
    Hi there ByTe,

    If Symantec is showing them up while scanning but they are not on the system I wonder what’s going on.
    That has got me thinking mate! ..................... looking at it from a reciprocal viewpoint: "What can Symantec see that I cannot, using conventional tools?"

    The ones that spring to mind are:

    1. RAM
    2. The page file

    I don't know about alternate data streams and "slack space" or "cluster tips"? If it can't detect something in the latter it isn't much good, I would have thought?

    I am not yet sure where I would go from here

    On my desktop machines I usually set the Registry value to have Windows overwrite the page file on shutdown. That isn't realistic with a server which is on 24/7

    At this point I would set the page file to minimum size. Because this is used by Windows for mini-dumps, I guess malware would not be able to access it.

    I would then run "Eraser" [link below] to wipe "free space" as this would get what was in the former page file and it also wipes alternate data streams and cluster tips.

    That then leaves you with the question of how this is happening? It really has to be something that they are not scanning? Possibly:

    1. Portable storage media
    2. Portable devices
    3. Printer Servers
    4. Mail Servers.............sure the e-mails are scanned, but what about the server itself?
    5. "Orphan" clients (PCs in conference & training rooms, libraries, reception areas etc.) These are sometimes overlooked when nobody has direct responsibility for them?

    Good Luck!

    EDIT:

    http://eraser.heidi.ie/

    Works with Windows 98, ME, NT, 2000, XP, Vista, Windows Server 2003 and Server 2008. Eraser is Free software and its source code is released under GNU General Public License.

    EDIT 2:

    Sorry ByTe, you did title your post "examining" so here you go:

    http://www.jsware.net/jsware/sviewer.php5

    A tool for examining ADS and deleting nasty stuff. Sorry, but it only works with NT4.0, 2000, XP and 2003 Server.

    This one will work with Vista and Win 7, but you have to pay $11 for the commercial version that lets you delete stuff. I think it is called "ADS Scanner Engine".

    http://www.freesoftwaretoolbox.com/repository/

    Whilst you are on that site you might like to scroll down and get "Hidden File Scanner". It is the same deal as the one above...."Look for free, pay to touch"

    Hidden File Scanner also does a quick scan at startup to detect the appearance of autorun.inf files on all devices including removable media. If such an autorun.inf file is found, a dialog box will pop up where you can either delete, unhide or inspect the content of the autorun.inf. This tool will automatically rate the autorun.inf files as normal, hidden, suspicious or dangerous.

    I am sorry, but I don't know of a utility to examine cluster tips. I guess I would use a Hex Editor or Disk Investigator.

    http://www.theabsolute.net/sware/dskinv.html

    It works with 2000 and XP but I don't know about 2003 Server.
    Last edited by nihil; January 3rd, 2010 at 01:34 PM.
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?
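The two checks nihil points to (alternate data streams on files, and autorun.inf appearing on drives) can be done with built-in PowerShell on a Windows server rather than the third-party tools above. This is an added example, not code from the thread or from any of the tools it names; it assumes PowerShell 3 or later (for `Get-Item -Stream` and `-File`), an account that can read the files, and a starting directory of `C:\inetpub`, which is only a placeholder.

```powershell
# Added example (not from the thread): list alternate data streams (ADS) under a
# directory and report any autorun.inf sitting on the root of a mounted drive.
# Assumes PowerShell 3+ and read access to the files; $Root is a placeholder path.
param(
    [string]$Root = 'C:\inetpub'   # assumed starting directory; adjust to taste
)

function Get-AlternateStreams {
    param([string]$Path)
    Get-ChildItem -Path $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Every file has the unnamed ':$DATA' stream; anything else is an ADS.
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' }
        } |
        ForEach-Object {
            [pscustomobject]@{
                File   = $_.FileName      # full path of the host file
                Stream = $_.Stream
                Bytes  = $_.Length
                # Zone.Identifier is the normal "downloaded from the Internet" marker
                # that browsers and mail clients write; any other stream name, or an
                # unusually large stream, is worth opening in a hex editor.
                Note   = if ($_.Stream -eq 'Zone.Identifier') { 'usual' } else { 'inspect' }
            }
        }
}

function Get-AutorunFiles {
    # Walk every drive letter backed by a filesystem (fixed and removable alike)
    # and report an autorun.inf on its root, including whether it is hidden.
    Get-PSDrive -PSProvider FileSystem | ForEach-Object {
        $candidate = Join-Path $_.Root 'autorun.inf'
        if (Test-Path -LiteralPath $candidate) {
            $item = Get-Item -LiteralPath $candidate -Force
            [pscustomobject]@{
                Drive   = $_.Root
                Hidden  = (($item.Attributes -band [IO.FileAttributes]::Hidden) -ne 0)
                System  = (($item.Attributes -band [IO.FileAttributes]::System) -ne 0)
                Content = (Get-Content -LiteralPath $candidate -Raw -ErrorAction SilentlyContinue)
            }
        }
    }
}

Get-AlternateStreams -Path $Root | Format-Table -AutoSize
Get-AutorunFiles | Format-List
```

To read a flagged stream without touching the file, `Get-Content -LiteralPath <file> -Stream <name>` shows its contents; to check the whole volume rather than one tree, run `Get-AlternateStreams -Path 'C:\'` and expect a long list of benign Zone.Identifier entries.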
