OSEC

 
From: Spencer, Ed M. -ND (Ed.M.Spencer.-NDdisney.com)
Date: Thu Jun 14 2001 - 14:56:11 CDT


    I believe the last exercise in one of O'Reilly's Perl books (I think
    it's Advanced Perl Programming) does a scan of a system to determine what's
    changed since a baseline has been run. Or perhaps you could just use
    Sysdiff from the resource kit. The same thing can be done with LanGuard's File
    Integrity Checker (http://www.gfi.com). Of course there's always the
    commercial Tripwire option as well. Of course all of these require that they be
    installed and a baseline be done BEFORE a compromise.

    If this isn't the case you're in for some work. Probably the easiest thing
    to do would be to build an identical system, sysdiff it, and then compare to
    the system you are questioning. Another option is to examine the user
    accounts, files (size, date, and properties) to ensure they haven't been
    compromised. Or just start from scratch and apply one of the techniques
    from above.

    Good Luck!
    Ed Spencer
    MCSE/MCT/CNA/A+/Network+
    Security Analyst - IS Security
    Renaissance Worldwide, Inc. - Walt Disney World
     

    -----Original Message-----
    From: tigerblue [mailto:tigerbluepuzzleapuma.de]
    Sent: Tuesday, June 12, 2001 8:54 AM
    To: FOCUS-MSsecurityfocus.com
    Subject: list of files

    Hi,

    does anybody know if there is a list of files I could use to check, to
    find out if an NT4-Server is compromised? (or maybe another way to search
    for files on a server which shouldn't be on it)

    best regards

    tigerblue
    MCSE
    Systemadministration
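
The baseline-and-compare approach described in the reply, as an added example that is not part of the original thread and is not how Sysdiff, LanGuard or Tripwire work internally. The function names `snapshot` and `compare` are assumptions; paths are stored relative to the scanned root so a manifest from a clean reference build can be compared against one from the system in question.

```python
import hashlib
import os


def snapshot(root):
    """Map each file's path relative to root -> (size, mtime, sha256 hex)."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            try:
                st = os.stat(full)
                digest = hashlib.sha256()
                with open(full, "rb") as fh:
                    for chunk in iter(lambda: fh.read(1 << 20), b""):
                        digest.update(chunk)
            except OSError:
                # Locked or access-denied file: record it instead of skipping silently.
                manifest[rel] = None
                continue
            manifest[rel] = (st.st_size, int(st.st_mtime), digest.hexdigest())
    return manifest


def compare(baseline, current):
    """Classify every path seen in either manifest."""
    report = {"added": [], "removed": [], "content": [],
              "mtime_only": [], "unreadable": []}
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if path not in baseline:
            report["added"].append(path)        # file that should not be there
        elif path not in current:
            report["removed"].append(path)
        elif old is None or new is None:
            report["unreadable"].append(path)   # could not be hashed on one side
        elif old[2] != new[2]:
            report["content"].append(path)      # changed even if size/date match
        elif old[1] != new[1]:
            report["mtime_only"].append(path)   # same bytes, different timestamp
    return report
```

When comparing against a separately built reference system, expect many `mtime_only` entries; the `added` and `content` lists are the ones to review first.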