network security news, articles, tools, links...
Basic Windows Intrusion Detection and Forensics Checklist
Start with the obvious: Are you actually hacked?
1. Look for recently modified or accessed files (Start | Search; afind, hfind)
When an intruder puts files onto your computer, those files pick up new timestamps. Which one depends on how they arrived: a download (FTP, TFTP, HTTP) stamps both the created and the modified time with the time of the transfer, while a copy from a share or removable media keeps the source file's modified time but gets a fresh created time. So check both stamps, and treat a file whose created time is later than its modified time as dropped in from elsewhere. A skilled attacker may reset these stamps, but most won't bother.
You may find some OS files as a result of hotfixes, but you will usually recognize files that don't belong. They may be named the same as normal OS files but sit in the wrong location. Look carefully, because these can be hidden in plain sight, e.g. c:\winnt\system32\EXPLORER.EXE. Two things are wrong here: the file is in system32 instead of \winnt where it belongs, and the name is in all caps, which it normally isn't. Such lookalikes will usually also differ in size from the legitimate file; a hash comparison against the real one settles it.
Tools:
- Built-in search function (Start | Search). Search for executables that were created or modified in the last week.
- Afind.exe: Foundstone tool that looks for files accessed within a specified timeframe.
- Hfind.exe: Foundstone tool that finds hidden files (those with the hidden attribute set) and displays their last access times.
Note that NTFS last-access timestamps are not updated by default on Windows Vista and later, so access-time searches are only meaningful on older systems or where that update has been re-enabled.
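The file-system checks of step 1 done with built-in PowerShell cmdlets instead of Start | Search, afind and hfind, as an added example that is not part of the original checklist. It goes a step beyond the text by flagging the "created after modified" copy anomaly and by hashing each misplaced lookalike against the binary in its proper directory. It assumes Windows 8.1 / PowerShell 4 or later (for Get-FileHash), an elevated prompt, and that the search roots, the 7-day window, the extension list and the table of expected locations are illustrative values to be adjusted to the case at hand.

```powershell
# Added example, not part of the original checklist: the file-system checks from
# step 1 with built-in cmdlets rather than Start | Search, afind and hfind.
# Assumptions: Windows 8.1 / PowerShell 4 or later (Get-FileHash), run elevated;
# the roots, the 7-day window, the extension list and $expected are illustrative.

param(
    [int]$Days = 7,
    [string[]]$Roots = @($env:SystemRoot, $env:ProgramData, $env:TEMP)
)

$since = (Get-Date).AddDays(-$Days)
$executable = '\.(exe|dll|sys|scr|com|bat|cmd|ps1|vbs)$'

# Walk the roots once. -Force includes hidden and system files; WinSxS is skipped
# because it legitimately holds thousands of copies of system binaries.
$files = Get-ChildItem -Path $Roots -Recurse -Force -File -ErrorAction SilentlyContinue |
    Where-Object { $_.FullName -notmatch '\\WinSxS\\' }

Write-Host "== Executables created or modified since $since =="
# A copy keeps the source's LastWriteTime but gets a fresh CreationTime, so
# "created after modified" marks a file dropped in from elsewhere (or one whose
# modified time was backdated).
$files |
    Where-Object { $_.Name -match $executable -and
                   ($_.LastWriteTime -ge $since -or $_.CreationTime -ge $since) } |
    Select-Object FullName, CreationTime, LastWriteTime, Length,
        @{ n = 'CreatedAfterModified'; e = { $_.CreationTime -gt $_.LastWriteTime } } |
    Sort-Object CreationTime -Descending |
    Format-Table -AutoSize

Write-Host "== Hidden files (what hfind reports) =="
# LastAccessTime is shown for parity with hfind, but NTFS stops updating it by
# default on Vista and later, so do not read much into it there.
$files |
    Where-Object { $_.Attributes -band [IO.FileAttributes]::Hidden } |
    Select-Object FullName, LastAccessTime, LastWriteTime, Length |
    Format-Table -AutoSize

Write-Host "== Well-known binaries found outside their normal directory =="
# Illustrative subset of system binaries and the single directory each belongs in.
$expected = @{
    'explorer.exe' = $env:SystemRoot
    'svchost.exe'  = "$env:SystemRoot\System32"
    'lsass.exe'    = "$env:SystemRoot\System32"
    'csrss.exe'    = "$env:SystemRoot\System32"
    'services.exe' = "$env:SystemRoot\System32"
}
$files |
    Where-Object { $expected.ContainsKey($_.Name) -and
                   $_.DirectoryName -ne $expected[$_.Name] } |
    ForEach-Object {
        # Size and hash against the copy in the expected location: a lookalike with
        # a different hash is exactly the case the article describes. (Expect a
        # benign hit for svchost.exe in SysWOW64 on 64-bit Windows.)
        $legit = Join-Path $expected[$_.Name] $_.Name
        [pscustomobject]@{
            Found           = $_.FullName
            Length          = $_.Length
            LegitLength     = if (Test-Path $legit) { (Get-Item $legit).Length } else { $null }
            SameHashAsLegit = (Test-Path $legit) -and
                ((Get-FileHash $_.FullName).Hash -eq (Get-FileHash $legit).Hash)
        }
    } |
    Format-Table -AutoSize
```

Run it as a script from an elevated prompt (for example `.\file-triage.ps1 -Days 3 -Roots C:\Windows,C:\inetpub`). Hotfix-installed files will show up in the first table with sane timestamps and the expected signer; the entries to chase are the ones with CreatedAfterModified set, hidden executables in temp or profile directories, and lookalikes whose hash differs from the legitimate binary.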
2. Look for open ports that don't belong (netstat -an, fport, nmap)
This requires some knowledge of which ports should be open, but if you run these tools on a freshly built machine of the same role you will have a good idea of what should and shouldn't be open. Lists of common port assignments are readily available through Google as well.
Even if you didn't find recently modified files, finding odd ports listening is often a dead giveaway. Even better, match each port to the program listening on it to decide whether it is legitimate: fport does this on NT/2000, and on Windows XP and later netstat -ano shows the owning process ID and netstat -anob the executable name. Note that backup agents tend to listen on suspiciously high ports, so a high port alone is not proof of compromise; a high port owned by an unsigned or unfamiliar binary is.
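The port-to-process check of step 2 (what netstat -an plus fport gave you), as an added example that is not part of the original checklist. It goes beyond the text by recording a baseline from a freshly built machine and diffing the live listener list against it, and by checking the Authenticode signature of each listening binary. It assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection and Get-NetUDPEndpoint), an elevated prompt so that every process path is readable, and that the baseline file path is an illustrative choice.

```powershell
# Added example, not part of the original checklist: the port-to-process check
# from step 2, with a baseline diff against a freshly built machine as the text
# suggests and a signature check on each listening binary.
# Assumptions: Windows 8 / Server 2012 or later (Get-NetTCPConnection,
# Get-NetUDPEndpoint), run elevated; the baseline path is illustrative.

param(
    [string]$Baseline = "$env:ProgramData\listen-baseline.json",
    [switch]$SaveBaseline
)

function Get-ListeningEndpoints {
    # Service names per PID, so the many svchost instances can be told apart.
    $svcByPid = Get-CimInstance Win32_Service | Group-Object ProcessId -AsHashTable -AsString

    $tcp = Get-NetTCPConnection -State Listen |
        Select-Object @{ n = 'Proto'; e = { 'TCP' } }, LocalAddress, LocalPort, OwningProcess
    $udp = Get-NetUDPEndpoint |
        Select-Object @{ n = 'Proto'; e = { 'UDP' } }, LocalAddress, LocalPort, OwningProcess

    foreach ($ep in @($tcp) + @($udp)) {
        $proc = Get-Process -Id $ep.OwningProcess -ErrorAction SilentlyContinue
        $path = $proc.Path   # $null for PID 4 (System) and when not elevated
        [pscustomobject]@{
            Proto    = $ep.Proto
            Address  = $ep.LocalAddress
            Port     = $ep.LocalPort
            Pid      = $ep.OwningProcess
            Process  = $proc.ProcessName
            Path     = $path
            Services = ($svcByPid["$($ep.OwningProcess)"].Name) -join ','
            # Microsoft and vendor binaries are signed; an unsigned listener is worth a look.
            Signed   = if ($path) { (Get-AuthenticodeSignature $path).Status -eq 'Valid' } else { $null }
        }
    }
}

# Key for the baseline comparison: the same port owned by a different program counts
# as new, which is how a replaced service binary shows up.
$key = { "$($_.Proto)/$($_.Port) $($_.Process)" }

$now = Get-ListeningEndpoints | Sort-Object Proto, Port
if ($SaveBaseline -or -not (Test-Path $Baseline)) {
    $now | ConvertTo-Json | Set-Content -Path $Baseline
    Write-Host "Baseline of $(@($now).Count) listeners written to $Baseline"
    $now | Format-Table Proto, Address, Port, Pid, Process, Services, Signed -AutoSize
    return
}

$old     = Get-Content -Path $Baseline -Raw | ConvertFrom-Json
$oldKeys = @($old | ForEach-Object $key)

Write-Host "== Listeners not in the baseline =="
$now | Where-Object { (& $key) -notin $oldKeys } |
    Format-Table Proto, Address, Port, Pid, Process, Path, Services, Signed -AutoSize

Write-Host "== Listeners on ports above 1024 whose binary is not validly signed =="
$now | Where-Object { $_.Port -gt 1024 -and $_.Signed -ne $true } |
    Format-Table Proto, Address, Port, Pid, Process, Path, Services, Signed -AutoSize
```

Capture the baseline on the clean build (`.\listen-triage.ps1 -SaveBaseline`), copy the JSON to the suspect machine, and run the script there. The backup agents mentioned in the text land in the high-port table with a valid vendor signature and a recognizable path; a listener that is in neither the baseline nor signed, or that sits in a user-writable directory, is the one to investigate.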