Open Source Security Tools: Practical Guide to Security Applications, part 39


Few frontline system administrators can afford to spend all day worrying about security. But in this age of widespread virus infections, worms, and digital attacks, no one can afford to neglect network defenses. Written with the harried IT manager in mind, Open Source Security Tools is a practical, hands-on introduction to open source security tools.

Howlett_CH11.fm  Page 359  Friday, June 25, 2004  12:33 AM

Forensic Analysis Tools (Chapter 11, Forensic Tools)

  4072     WCESMgr     ->  999    TCP  C:\Program Files\Microsoft ActiveSync\WCESMgr.exe
  1032     svchost     ->  1025   TCP  C:\WINDOWS\System32\svchost.exe
  1032     svchost     ->  1031   TCP  C:\WINDOWS\System32\svchost.exe
  1032     svchost     ->  1034   TCP  C:\WINDOWS\System32\svchost.exe
  4        System      ->  1042   TCP
  4072     WCESMgr     ->  2406   TCP  C:\Program Files\Microsoft ActiveSync\WCESMgr.exe
  2384     websearch   ->  3008   TCP  C:\Program Files\websearch\websearch.exe
  1144                 ->  54321  TCP  C:\Temp\cmd.exe
  4072     WCESMgr     ->  5678   TCP  C:\Program Files\Microsoft ActiveSync\WCESMgr.exe
  2384     websearch   ->  8755   TCP  C:\Program Files\websearch\websearch.exe
  TÎl 136  javaw       ->  8765   TCP  C:\WINDOWS\System32\javaw.exe
  1348     WCESCOMM    ->  123    UDP  C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
  2384     websearch   ->  123    UDP  C:\Program Files\websearch\websearch.exe
  940      svchost     ->  135    UDP  C:\WINDOWS\system32\svchost.exe
  1144                 ->  137    UDP
  1032     svchost     ->  1026   UDP  C:\WINDOWS\System32\svchost.exe

By looking at this listing you can see what appear to be normal services and programs running until about halfway down, where cmd.exe is running from the Temp directory. This is the command prompt binary, and it has no business being in a temp directory. Also, the fact that the listener has no process name in the listing should arouse suspicion. Finally, the incoming port number doesn't match any known services.
In fact, if you look it up in a database of known Trojan horses on the Internet (www.simovits.com/trojans/trojans.html), it matches the port number of a documented Trojan horse. A port match by itself is weak evidence, since any program can listen on any port; it is the combination with a system binary launched from a temp directory and a missing process name that makes the case. There is strong evidence that this system has been exploited. At this point you have to decide if it is worth taking the system down to do further forensic .

Table 11.1  Fport Sorting Options

  Option   Description
  -a       Sorts the output by application name.
  -ap      Sorts the output by application path.
  -i       Sorts the output by process ID (PID).
  -p       Sorts the output by port.
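To make the checks described above repeatable over a longer listing, here is a small triage script. It is an added example, not code from the book or from Fport. It assumes Fport's "Pid Process -> Port Proto Path" column layout (an assumption; the page shows the listing without a header), and its KNOWN_SERVICE_PORTS and TROJAN_PORTS sets are short constructed placeholders standing in for a real services file and for the simovits.com Trojan database. The sample listing is constructed from the entries in the text, with the paths recreated.

```python
"""Triage of Fport output: added example, not code from the book or from Fport.

Assumptions not taken from the page: Fport lines are laid out as
"Pid Process -> Port Proto Path" separated by whitespace, with the process
name or the path possibly blank; KNOWN_SERVICE_PORTS and TROJAN_PORTS are
short constructed lists standing in for a real services file and for a
current Trojan port database such as the simovits.com one.
"""
import re
from dataclasses import dataclass

# Constructed sample modelled on the listing in the text (paths recreated).
SAMPLE_FPORT_OUTPUT = r"""
Pid   Process            Port  Proto Path
4072  WCESMgr        ->  999   TCP   C:\Program Files\Microsoft ActiveSync\WCESMgr.exe
1032  svchost        ->  1025  TCP   C:\WINDOWS\System32\svchost.exe
4     System         ->  1042  TCP
1144                 ->  54321 TCP   C:\Temp\cmd.exe
2384  websearch      ->  8755  TCP   C:\Program Files\websearch\websearch.exe
940   svchost        ->  135   UDP   C:\WINDOWS\system32\svchost.exe
1144                 ->  137   UDP
"""

# One Fport row; the process name and the path are optional.
FPORT_LINE = re.compile(
    r"^\s*(?P<pid>\d+)\s+(?:(?P<proc>(?!->)\S+)\s+)?->\s+(?P<port>\d+)\s+"
    r"(?P<proto>TCP|UDP)\s*(?P<path>.*?)\s*$"
)

# Constructed stand-ins; a real run would load the services file and a
# current Trojan port list instead.
KNOWN_SERVICE_PORTS = {21, 22, 25, 53, 80, 123, 135, 137, 138, 139, 443, 445}
TROJAN_PORTS = {12345, 31337, 54321}
TEMP_DIR = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)
# Windows binaries that belong under System32; a copy elsewhere is suspect.
SYSTEM_BINARIES = {"cmd.exe", "svchost.exe", "rundll32.exe"}


@dataclass
class Listener:
    pid: int
    process: str  # "" when Fport prints no process name
    port: int
    proto: str
    path: str     # "" when Fport prints no path (the System process, PID 4)


def parse_fport(text):
    """Parse Fport's listing into Listener records, skipping header/blank lines."""
    listeners = []
    for line in text.splitlines():
        m = FPORT_LINE.match(line)
        if m:
            listeners.append(Listener(int(m["pid"]), m["proc"] or "",
                                      int(m["port"]), m["proto"], m["path"]))
    return listeners


def triage(listeners):
    """Return {(pid, port, proto): [reasons]} for listeners worth a closer look.

    Strong indicators are the ones the text describes: no process name, a
    binary launched from a temp directory, a system binary living outside
    System32, and a port found in the Trojan list.  A port that is merely
    not a known service is appended as an extra reason, never on its own.
    """
    findings = {}
    for entry in listeners:
        reasons = []
        if not entry.process:
            reasons.append("no process name")
        if TEMP_DIR.search(entry.path):
            reasons.append("binary runs from a temp directory")
        basename = entry.path.lower().rsplit("\\", 1)[-1]
        if basename in SYSTEM_BINARIES and "\\system32\\" not in entry.path.lower():
            reasons.append(f"{basename} running outside System32")
        if entry.port in TROJAN_PORTS:
            reasons.append(f"port {entry.port} is in the Trojan port list")
        if reasons:
            if entry.port not in KNOWN_SERVICE_PORTS:
                reasons.append(f"port {entry.port} is not a known service")
            findings[(entry.pid, entry.port, entry.proto)] = reasons
    return findings


if __name__ == "__main__":
    for key, why in triage(parse_fport(SAMPLE_FPORT_OUTPUT)).items():
        print(key, "; ".join(why))
```

Run against the sample, the script reports only the two nameless PID 1144 listeners: the cmd.exe on TCP 54321 with four reasons plus the unknown-port note, and the bare UDP 137 entry for its missing process name. An unknown high port alone (the WCESMgr and websearch entries) is deliberately not reported, which matches the text's reading that those look normal.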