
RE: Trojans / Remote Desktop Access

Subject: RE: Trojans / Remote Desktop Access
Date: Tue, 10 Aug 2004 09:06:08 -0700
Re: QUOTE
Are any files changed / updated / connections logged when remote desktop (Windows) is used to access a machine remotely?

For Terminal Services logins, in the security event log (assuming it is
logging!), WIN2K will log event 528, login type 2, followed by an event
592 for the program RDPCLIP, and then the standard userinit event 592,
and so on. RDPCLIP is the program that allows users to copy files
between the term serv connection and the user's desktop. 

For WIN2003 & XP, event 528, login type 10 indicates a term serv session
login.  Event 529 with login type 10 indicates failed attempts.

Re: QUOTE
Has anyone seen any tools that will identify, in an image, files associated with Trojans? (EnScripts or other tools?)

Look for the existence of file binaries compressed with UPX, Petite,
de-tar, superfast, LZO(p), UCL,  etc...  Binary files can be uploaded
without triggering A/V, because most A/V will not recognize the file
format.  

You have to look inside the WIN32/PE headers to find them.  Do a search
on the internet for PEUtils.  Gotta run...

r/Jim Butterworth,
Sr. Forensic Consultant
Guidance Software, Inc.
 
Note:  The information contained in this message may be privileged and 
confidential and thus protected from disclosure.  If the reader of this message 
is not the intended recipient, or an employee or agent responsible for 
delivering this message to the intended recipient, you are hereby notified that 
any dissemination, distribution or copying of this communication is strictly 
prohibited.  If you have received this communication in error, please notify us 
immediately by replying to the message and deleting it from your computer.  
Thank you.
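The two checks described in the reply above, as an added example that is not part of the original message or of any Guidance Software tool: the first walks a set of constructed Security-log records and flags Terminal Services logons using the event IDs and logon types the post lists (528/529 with logon type 10 on XP and 2003; 528 type 2 immediately followed by a 592 process-creation event for RDPCLIP on Windows 2000), and the second reads the section table of a PE header so that sections named by common packers (UPX, Petite and others) can be spotted even when A/V does not flag the file. The event records, the minimal PE image and the packer section-name list are all constructed here for the demonstration; the name list is illustrative and assumed, not an authoritative signature set.

```python
"""Added example (not from the original post): forensic triage helpers that
follow the advice in the reply above.

1. classify_rdp_logons(): flags Terminal Services logons in constructed
   Security-log records (528 type 10, 529 type 10; 528 type 2 + 592 RDPCLIP).
2. pe_section_names() / packer_hits(): parse the PE section table and report
   section names that common packers leave behind.
"""
import struct

# Constructed sample records: (record_no, event_id, logon_type, process_name)
SAMPLE_EVENTS = [
    (1, 528, 2, None),               # console logon, not followed by RDPCLIP
    (2, 528, 2, None),               # Win2K terminal services logon (type 2) ...
    (3, 592, None, "RDPCLIP.EXE"),   # ... immediately followed by RDPCLIP start
    (4, 592, None, "USERINIT.EXE"),  # the usual userinit process creation
    (5, 528, 10, None),              # XP/2003 terminal services logon (type 10)
    (6, 529, 10, None),              # failed terminal services logon (type 10)
    (7, 592, None, "NOTEPAD.EXE"),
]


def classify_rdp_logons(events):
    """Return (record_no, description) for each record that indicates a
    Terminal Services logon or failed logon, per the rules in the post."""
    findings = []
    for i, (rec, eid, ltype, proc) in enumerate(events):
        if eid == 528 and ltype == 10:
            findings.append((rec, "terminal services logon (XP/2003, type 10)"))
        elif eid == 529 and ltype == 10:
            findings.append((rec, "failed terminal services logon (type 10)"))
        elif eid == 528 and ltype == 2:
            # Win2K logs a type 2 logon; the tell is the 592 for RDPCLIP right after it.
            nxt = events[i + 1] if i + 1 < len(events) else None
            if nxt and nxt[1] == 592 and (nxt[3] or "").upper().startswith("RDPCLIP"):
                findings.append((rec, "terminal services logon (Win2K, 528 type 2 + 592 RDPCLIP)"))
    return findings


# Assumed, illustrative list of section names left by well-known packers.
PACKER_SECTIONS = {"UPX0", "UPX1", "UPX2", ".petite", ".aspack", ".adata",
                   ".MPRESS1", ".MPRESS2"}


def build_fake_pe(section_names):
    """Build a minimal PE-shaped byte string (constructed, not a real binary):
    DOS stub with e_lfanew, 'PE\\0\\0' signature, COFF header, section table."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\x00")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader (0 here), Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x102)
    sections = b""
    for name in section_names:
        # IMAGE_SECTION_HEADER is 40 bytes: 8-byte name + 32 bytes of sizes/offsets/flags
        sections += name.encode("ascii").ljust(8, b"\x00") + b"\x00" * 32
    return dos + b"PE\x00\x00" + coff + sections


def pe_section_names(data):
    """Walk the PE headers and return the section names in file order."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    coff_off = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff_off + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff_off + 16)[0]
    sec_off = coff_off + 20 + opt_size          # section table follows the optional header
    names = []
    for i in range(num_sections):
        raw = data[sec_off + 40 * i: sec_off + 40 * i + 8]
        names.append(raw.rstrip(b"\x00").decode("ascii", "replace"))
    return names


def packer_hits(data):
    """Section names in the image that match the packer list."""
    return [n for n in pe_section_names(data) if n in PACKER_SECTIONS]


if __name__ == "__main__":
    for rec, why in classify_rdp_logons(SAMPLE_EVENTS):
        print(f"record {rec}: {why}")
    packed = build_fake_pe(["UPX0", "UPX1", ".rsrc"])
    print("packer sections:", packer_hits(packed))
```

On a real image the same `pe_section_names` call is run over every file the carving or signature pass identifies as a PE; a hit on the packer list is a reason to unpack and examine the binary, not proof of a Trojan, since legitimate software is packed too.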

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

