Dear Windows Admins,

Recently, one of our Windows 2000 web servers appeared to be suffering an odd glitch. The sites hosted on the machine no longer allowed anonymous access. All sites required a password to view. The first thing we did was move the machine to a private LAN and restore the sites from tape to a newly formatted machine with all updates/patches applied.

Some background: this machine had a past infection of the Spida worm, which we assumed had been taken care of by our overpaid admin (now looking for work). I believe it also had Nimda at one point.

Apart from the Spida worm infection, what else can I look for? It's apparent that someone changed permissions to cause the web sites to be unavailable to anonymous viewing. I also saw that some accounts on the machine had been locked out, so either someone was trying to access the accounts and hit the limit (3 tries) or someone was in the machine and locked the accounts out so the valid users couldn't get in.

I'm not a Windows person, but am in the position of having to maintain these servers now (because the person we trusted to do it was apparently not capable). I need some guidance in finding some forensic tools I can use to determine how many vulnerabilities were exploited and by whom. On a Linux machine, I'd know right where to go for logs and necessary toolkits. No clue in Windows!

My gut tells me the former admin was not involved in any of this, because he was hardly able to make a show of competence as a Windows administrator. BTW, he has applied for unemployment, and I am charged with writing a report to show the state why he shouldn't be allowed unemployment benefits, based on his negligence here.

Thanks for any help!
Beth