-
May 21st, 2004, 07:46 AM
#1
Logs left after an attack
What kind of logs are left after an intrusion's been made into your system? I know about firewall logs, but I heard that if you're on Windows it's possible to detect an intrusion by looking at the kernel32.dll file. Comments, people?
-
May 21st, 2004, 08:22 AM
#2
Junior Member
Kernel32.dll?????
I've never heard anything about that before... but as you stated, firewalls do leave logs....
-
May 21st, 2004, 08:39 AM
#3
Sadly, Windows leaves very few logs of its activity. A firewall should keep logs, and if you are running a 3rd party server then it too should leave logs (as long as you enable that option).
Thus, detecting an intrusion is a matter of firewall log checking, your server log checking, and looking at the system logs created by Windows. You can find those (weak) logs at start button > control panel > administrative tools > (forget the final option)
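The "firewall log checking" step above is the one that is easiest to automate. The script below is an added example, not code from this thread: it parses a few constructed lines written in the W3C format that the built-in Windows firewall writes to pfirewall.log (the `#Fields:` header names the columns) and flags any external source whose inbound packets were dropped on several distinct ports, which is the usual footprint of a port sweep. The IP addresses, timestamps and the `min_distinct_ports` threshold are all made up for the example.

```python
"""Parse constructed Windows firewall log lines and flag sources sweeping many ports."""
from collections import defaultdict

# Constructed sample in the W3C format used by the Windows firewall log
# (pfirewall.log). These lines are invented for this example.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2004-05-21 07:40:01 DROP TCP 203.0.113.9 192.168.1.5 44121 135 48 S 1234 0 8192 - - - RECEIVE
2004-05-21 07:40:01 DROP TCP 203.0.113.9 192.168.1.5 44122 139 48 S 1235 0 8192 - - - RECEIVE
2004-05-21 07:40:02 DROP TCP 203.0.113.9 192.168.1.5 44123 445 48 S 1236 0 8192 - - - RECEIVE
2004-05-21 07:40:02 DROP TCP 203.0.113.9 192.168.1.5 44124 1433 48 S 1237 0 8192 - - - RECEIVE
2004-05-21 07:40:03 DROP TCP 203.0.113.9 192.168.1.5 44125 3389 48 S 1238 0 8192 - - - RECEIVE
2004-05-21 07:41:10 OPEN TCP 192.168.1.5 198.51.100.20 3001 80 - - - - - - - - -
2004-05-21 07:41:11 DROP UDP 192.168.1.77 192.168.1.5 137 137 78 - - - - - - - RECEIVE
2004-05-21 07:42:00 CLOSE TCP 192.168.1.5 198.51.100.20 3001 80 - - - - - - - - -
"""


def parse_firewall_log(text):
    """Return one dict per data line, keyed by the column names in the #Fields header."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            # Only the #Fields directive matters; other header lines are skipped.
            if line.startswith("#Fields:"):
                fields = line.split(":", 1)[1].split()
            continue
        if fields is None:
            raise ValueError("data line encountered before the #Fields header")
        # Columns are whitespace separated; absent values are written as "-".
        records.append(dict(zip(fields, line.split())))
    return records


def dropped_inbound_by_source(records, min_distinct_ports=3):
    """Map each source IP to the sorted distinct destination ports the firewall
    dropped on inbound (path == RECEIVE), keeping only sources that touched at
    least min_distinct_ports ports. Threshold is an arbitrary example value."""
    ports = defaultdict(set)
    for rec in records:
        if rec.get("action") == "DROP" and rec.get("path") == "RECEIVE":
            ports[rec["src-ip"]].add(rec["dst-port"])
    return {
        ip: sorted(p, key=int)
        for ip, p in ports.items()
        if len(p) >= min_distinct_ports
    }


def action_counts(records):
    """Count log lines per firewall action (DROP / OPEN / CLOSE ...)."""
    counts = defaultdict(int)
    for rec in records:
        counts[rec.get("action", "?")] += 1
    return dict(counts)


if __name__ == "__main__":
    recs = parse_firewall_log(SAMPLE_LOG)
    print("actions:", action_counts(recs))
    for ip, dst_ports in dropped_inbound_by_source(recs).items():
        print(f"possible sweep from {ip}: dropped on ports {', '.join(dst_ports)}")
```

Point the parser at a real pfirewall.log (read the file instead of `SAMPLE_LOG`) and the same two functions give a quick per-source picture; the broadcast NetBIOS drop from the LAN host is ignored by the default threshold, while the host that probed five ports is reported.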
-
May 21st, 2004, 08:55 AM
#4
Well, I heard them mention logs in kernel32.dll in this convention I attended a while back.
And let me get this straight, if someone deletes my firewall logs and server logs, they're home free? lol, I prolly made it sound very easy, huh?
-
May 21st, 2004, 09:32 AM
#5
Umm, aren't we forgetting about sniffers, file/sys auditing? I could think of a few more things.
There is a lot of usage for Kernel32.dll; any number of API calls could be used to monitor certain things. I still don't see how just "by looking at the kernel32.dll file" will do much.
-
May 21st, 2004, 10:46 AM
#6
Umm, aren't we forgetting about sniffers, file/sys auditing? I could think of a few more things.
No, thus why I said 3rd party software must also be included. However, we were leaning more towards the default capability of Windows. And as for file/sys auditing, it's so fscked up on timestamps that I wouldn't trust a Windows file timestamp if my life depended on it. How? A property view changes access times. A copy and paste removes the original modified-on date.
-
May 21st, 2004, 01:37 PM
#7
You can find those (weak) logs at start button > control panel > administrative tools > (forget the final option)
It's Event Viewer
-
May 21st, 2004, 01:39 PM
#8
Thanks cgk, memory was rusty on that part