Have a Windows machine? Think it might be compromised? How does one figure out whether your machine might be the new North American spam hub or IRC Bot recruit? While practices may vary, CERT/CC and AUSCERT provide a thorough checklist for investigating a Windows based system for signs of intruders.
The biggest takeaway from this checklist is that proper incident preparation is the key to successful and timely recovery. The single best way to safely, accurately, and quickly determine if a machine has been compromised relies on the system administrator configuring the machine properly for detection in advance of the compromise. For if an exploit is launched and no logging is enabled, is a buffer actually overrun?
No philosophical debate here, the answer is yes... you just don't know about it. Oh, and for all you *NIX and Mac heads grinning right now, the same holds true for you too.
Posted by Addam Schroll on February 27, 2007, in Handlers Log.