December 30th, 2009, 03:33 PM
#1
Examining a compromised server.
I'll be working on the 31st, it seems. I was on audit and found that while running a quick scan on a critical server there were a lot of files being scanned (mostly with a .sys extension), but when I ran a search for the same files, I couldn't find anything. I was sort of expecting that, because the file names are hide_evr2.sys, which according to a lot of places is a rootkit. Now the nature of the server is "extremely critical". I'm seeing this server compromised to an extent that Symantec Endpoint can see the file but can't detect it (I am not sure if they have defs for it, but in any case it's freaking stuff out).
I'm writing this at a point where I'm finding almost every server I examine with the same malware, so I'll come down to the question:
What should be my next step in examining the server?
Please note that we don't have a "real" incident response team or plan. I know my next level of escalation and I will be doing that accordingly. My question simply is how I examine these servers from here on. I will of course create a copy of the HDD and examine that, so beyond that, please let the suggestions flow.
I know this case is related to malware infection only, but I've started it in Microsoft Security Discussions, the reason being it's a server running a Windows OS (2003) and this thread may serve as a point of reference.
PS: Thanks a lot and HAPPY NEW YEAR IN ADVANCE.
Parth Maniar,
CISSP, CISM, CISA, SSCP
*Thank you GOD*
Greater the Difficulty, SWEETER the Victory.
Believe in yourself.
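The symptom in the post above (the AV engine sees hide_evr2.sys, a normal file search does not) is the classic signature of a rootkit hooking the live system's directory enumeration. One concrete next step, once the HDD copy mentioned in the post exists, is a cross-view comparison: enumerate files from the live (possibly hooked) system and again from the image mounted read-only on a clean analysis box, then diff the two. The script below is an added example written for this thread, not code from the original post or from any vendor tool; both listings are constructed sample data, and the paths and the `hide_evr2.sys` entry are only illustrative of what such a diff would surface.

```python
"""Cross-view file listing diff for a suspected rootkit.

Added example. Two directory listings are compared:
  - LIVE_LISTING:    what the running (possibly hooked) Windows 2003
                     server reports, e.g. the output of `dir /s /b`
  - OFFLINE_LISTING: what the same volume contains when the forensic
                     image is mounted read-only on a clean machine
Files present offline but missing from the live view are exactly the
ones a user-mode or kernel-mode hook is hiding. Both listings below
are constructed sample data, not captured from a real server.
"""
from __future__ import annotations

# Constructed sample: live enumeration (note the mixed case and
# forward slashes, which real listings and export tools produce).
LIVE_LISTING = r"""
C:\WINDOWS\system32\drivers\ntfs.sys
C:\WINDOWS\System32\Drivers\TCPIP.SYS
C:/WINDOWS/system32/kernel32.dll
"""

# Constructed sample: the same volume read from the mounted image.
OFFLINE_LISTING = r"""
c:\windows\system32\drivers\ntfs.sys
c:\windows\system32\drivers\tcpip.sys
c:\windows\system32\kernel32.dll
c:\windows\system32\drivers\hide_evr2.sys
"""


def normalize(path: str) -> str:
    """Canonicalise a Windows path: NTFS is case-insensitive and tools
    disagree on separators, so compare lower-case, backslash-only forms."""
    return path.strip().replace("/", "\\").lower()


def parse_listing(text: str) -> set[str]:
    """Turn one-path-per-line text into a set of normalised paths,
    skipping blank lines and '#' comments."""
    return {
        normalize(line)
        for line in text.splitlines()
        if line.strip() and not line.lstrip().startswith("#")
    }


def analyze(live_text: str, offline_text: str) -> dict[str, list[str]]:
    """Cross-view diff.

    hidden_from_live: on disk in the image but not enumerable on the
                      live system -> candidate rootkit artefacts.
    live_only:        enumerable live but absent from the image, which
                      usually means the file was created after imaging
                      or the image is not the volume you think it is.
    """
    live = parse_listing(live_text)
    offline = parse_listing(offline_text)
    return {
        "hidden_from_live": sorted(offline - live),
        "live_only": sorted(live - offline),
    }


def main() -> None:
    result = analyze(LIVE_LISTING, OFFLINE_LISTING)
    print("Files present in image but hidden from the live system:")
    for path in result["hidden_from_live"]:
        print("  [HIDDEN] " + path)
    print("Files seen live but absent from the image:")
    for path in result["live_only"]:
        print("  [LIVE-ONLY] " + path)
    if not result["hidden_from_live"] and not result["live_only"]:
        print("  (no discrepancies)")


if __name__ == "__main__":
    main()
```

Collect the live listing before the server is powered off for imaging, since the point is to capture what the hooked system claims; an empty `hidden_from_live` on a box where the scanner still reports the file would mean the listing was taken through a path the rootkit does not hook, and is itself worth noting.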