Check http://www.cert.org. They have a section with best practices if a Windows or UNIX system is compromised; they also have good info about how to prevent intrusions. Furthermore, get some good books like "Hacking Exposed".

Erik Marchee
Operational System and Network Management
FloraHolland

BTW, you signed up to this list probably from SecurityFocus; this is also an excellent site to get info.

-----Original Message-----
From: John Oliver [mailto:[EMAIL PROTECTED]]
Sent: Monday, 28 January, 2002 20:56
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Windows NT intrusion

Last week, I had a client's NT Server 4.0 machine show definite signs of compromise... all sorts of odd ports listening, including some traceable back to WinGate (which we never installed!), and some others that were known as some IRC-related stuff.

With a UNIXy OS, I have a pretty decent idea of how to find out what happened, when, etc. and maybe even clean up. But Windows? I took the easy route... on Saturday, I just nuked the OS, installed W2K, patched, etc. But are there any sites that have good documentation about post-mortems on Windows boxen? Or even a class in the San Diego area?

Also, any thoughts on things I can do to make things easier on myself... I've found some tools that can send the NT system logs to an off-host syslogd. Are there any Tripwire-like tools for NT? Any such thing as an immutable bit?

--
John Oliver
System Administrator
hosting.com, an Allegiance Telecom company
mailto:[EMAIL PROTECTED]
(858) 637-3600
http://www.hosting.com/
