
Thread: what am i looking for?

  1. #1

    what am i looking for?

    I have a suspicion that a particular workstation has been compromised and e-mails have been intercepted; it is a w2k station. I have an ethereal dump from that station when it was sending an e-mail, but I'm not sure exactly what to look for...
    Any hints would be much appreciated.

  2. #2

    Re:what am i looking for?

    Why don't you turn on auditing. Audit things like logon access (success and failure), file access, privilege use, etc. This way you can at least tell if files are being touched, permissions mucked with, etc. If you use the box regularly, you'll also have to keep track of the things you do so you can discern your events from those of the intruder. Be prepared for hundreds of log file entries. Keep in mind that NT auditing can be a big pain in the ass and many times fruitless.

    I would also log all that box's traffic at an egress router or firewall, if you can.

    I had someone hack an IIS box of mine once, and auditing it was a nightmare. Nevertheless, what else can you do short of reinstall?
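    The sifting step the post above describes (separating your own audited events from the intruder's) as an added example; this is not code from the thread or any poster. It assumes the Security log was exported from Event Viewer as tab-separated text with the columns Date, Time, Source, Type, Category, Event, User, Computer, that the box owner's account and normal hours are known, and that the event IDs are the NT/2000-era ones (528 successful logon, 529 bad password, 539 lockout, 560 object open, 576/577 privilege use). The log lines are constructed for illustration.

```python
"""Flag exported NT/2000 Security log entries that are not the owner's
own activity: other accounts, off-hours logons, and privilege-use events.
Export format, event IDs and sample rows are assumptions (see lead-in)."""
import csv
from datetime import datetime, time
from io import StringIO

# Constructed sample export: two normal entries for the owner, an evening
# run of Administrator activity, and a 3 a.m. logon under the owner's name.
SAMPLE_EXPORT = """\
Date\tTime\tSource\tType\tCategory\tEvent\tUser\tComputer
03/12/2002\t08:55:10\tSecurity\tSuccess Audit\tLogon/Logoff\t528\tWS01\\jsmith\tWS01
03/12/2002\t09:10:22\tSecurity\tSuccess Audit\tObject Access\t560\tWS01\\jsmith\tWS01
03/12/2002\t18:20:05\tSecurity\tFailure Audit\tLogon/Logoff\t529\tWS01\\Administrator\tWS01
03/12/2002\t18:20:41\tSecurity\tSuccess Audit\tLogon/Logoff\t528\tWS01\\Administrator\tWS01
03/12/2002\t18:21:03\tSecurity\tSuccess Audit\tPrivilege Use\t577\tWS01\\Administrator\tWS01
03/13/2002\t03:02:17\tSecurity\tSuccess Audit\tLogon/Logoff\t528\tWS01\\jsmith\tWS01
"""

OWNER = "WS01\\jsmith"            # assumed: the account the box owner uses
WORK_HOURS = (time(8, 0), time(19, 0))  # assumed: when the owner is at the console

# Event IDs that deserve a look even when they occur under the owner's account.
INTERESTING = {
    529: "failed logon (bad password)",
    539: "account lockout",
    576: "special privileges assigned",
    577: "privileged service called",
}


def parse_export(text):
    """Read the tab-separated Event Viewer export into dicts with a datetime."""
    rows = []
    for r in csv.DictReader(StringIO(text), delimiter="\t"):
        r["when"] = datetime.strptime(r["Date"] + " " + r["Time"], "%m/%d/%Y %H:%M:%S")
        r["Event"] = int(r["Event"])
        rows.append(r)
    return rows


def suspicious_events(text, owner=OWNER, hours=WORK_HOURS):
    """Return (timestamp, event id, reasons) for every row that is not
    plainly the owner's own daytime activity."""
    findings = []
    for r in parse_export(text):
        reasons = []
        if r["User"].lower() != owner.lower():
            reasons.append("account other than owner: " + r["User"])
        if not (hours[0] <= r["when"].time() <= hours[1]):
            reasons.append("outside owner's hours")
        if r["Event"] in INTERESTING:
            reasons.append(INTERESTING[r["Event"]])
        if reasons:
            findings.append((r["when"].isoformat(sep=" "), r["Event"], "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for when, event_id, why in suspicious_events(SAMPLE_EXPORT):
        print(when, event_id, why)
```

The owner still has to keep the diary the post mentions: a logon under the owner's own account at an odd hour is only suspicious if the owner knows they were not there, which is why the time window is a parameter rather than a fixed rule.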

  3. #3

    Re:what am i looking for?

    I've done the firewall monitoring first thing; it shows nothing unusual.
    I'm looking into the 'nightmarish' scenario where a custom-written keylogger has been installed, or a program that simply BCCs every mail to another mail account... and to tell the truth, I don't know what to look for in the dump file in order to spot the keylogger activity. I have a strange feeling that it simply won't show up...

