Questions tagged [forensics]

38 questions
2 votes, 1 answer

Find the source of malware?

I have a server that was running an older version of lighttpd (1.4.19 on a FreeBSD 6.2-RELEASE (yea, old) machine) and Google alerted me that it had found malware embedded on one of my server's pages. It just so happened to be our index page. I…
jps
2 votes, 3 answers

How to find out if my server is compromised?

I have a Linux VPS and I received a complaint that my server was scanning some other network on port 22. How do I find out if it was compromised or not?
Jene Hackman
1 vote, 8 answers

Learn as much as possible about the setup behind a website

Let's say I'm in the process of planning the setup of a website. I study similar sites that offer similar services or might receive a similar traffic model. Is there a way to determine, to some extent, the kind of setup, software and/or hardware? Some things…
carrier
1 vote, 1 answer

Finding email read times on an Exchange server

I'm trying to do a forensic analysis on an Exchange server, and I'd like to determine what time a user read a particular email. Is there any way - perhaps with a tool like mfcmapi or another open source or commercial tool - that can provide this…
1 vote, 2 answers

Malware: Identifying & Cleaning Malware on a LAMP site

EDIT: Further information / investigation details are contained in the comments to this post. Apologies for the vague title - had trouble summarising this one. I have recently discovered that one of my sites is serving out malware. As a result of…
MrEyes
1 vote, 4 answers

Linux backdoors I should be wary of

I'm new to the server management realm and I'm sure my server is very insecure. I've gone through the WHM cPanel security check, but I'm sure that to the real gurus that check is stupid and nowhere near what it needs to be. What are a few things I…
Ben
1 vote, 1 answer

How to analyze the cause of a Postfix server sending spam

A client of mine has a server hosting Postfix as well as nginx with several websites, including an nginx installation with several subdomains / websites. For a couple of days the /var/spool/postfix directory has been filling with e-mails recognized as…
user1192748
0 votes, 1 answer

Can I find a username login log on an Active Directory server?

I joined a computer to an Active Directory (AD) domain. Users in AD can log in to the computer using their AD username and password. The computer has Deep Freeze installed, so it cannot keep anything after a restart. I want to find the username login log. I search in AD…
0 votes, 1 answer

Examine contents of unused space on the HDD

When using managed dedicated services, either virtual or physical, where you're presented with complete control of an operating system installed on some piece of hardware you don't have physical access to, is there any good way to test whether the…
cnst
0 votes, 2 answers

Is the partition table on one disk from a RAID always equal to the partition table configured for the RAID?

Are the partition tables of hard drives that are part of a RAID (no matter what kind of RAID) always equal to the partition table configured for the RAID? What is clear: a machine has a RAID 1 with four hard drives. When I shut down the machine and…
edi38
0 votes, 1 answer

Extract list of installed drivers using a linux live disk

I have a quite old PC that was running Windows 2000, but the system crashed some days ago. Now I need to know which drivers have been installed on that specific PC, but the system isn't booting anymore and the rescue and recovery options failed. Now I…
davidb
0 votes, 2 answers

Forensics on tons of file changes

It has come to my attention that my CentOS 5.6 5.11 VPS has over 16,000 files with a timestamp during a 3-day period in September this year. I can't figure out why that is, as I did not log in via SSH during that time (nor were there any other…
OsakaWebbie
0 votes, 0 answers

Trace IP traffic to physical machine under Linux

In my firewall logs I recently see frequent connection attempts from a 10.0.0.0/8 network. This network is used by VirtualBox, but I can rule out that these packets come from there. No physical machine is intended to use this net. I guess that the…
Lars Hanke
0 votes, 1 answer

Helpful Linux commands for doing some forensics on a compromised Linux web server

What are some helpful Linux commands for doing forensics on a compromised Linux web server, to get some sort of information/evidence/backtrace? For example: checking logs, checking the last file edits, suspicious open ports, and other useful automatic commands…
Yuda Prawira
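The question above asking for triage commands on a compromised web server, and the earlier one about 16,000 files touched within a three-day window, both start from the same step: list every file whose modification time falls in a window and see where the changes cluster. The script below is an added example and is not code from any of these posts or their answers. It uses only POSIX sh and the usual find/touch/sort/uniq tools so it works from a rescue image; the directory names and dates in its sample tree are constructed for the demo.

```shell
#!/bin/sh
# Added example: triage a burst of file modifications on a Linux server.
# The sample tree and all dates below are constructed for the demo.

# files_changed_between ROOT START END
#   Lists regular files under ROOT (staying on one filesystem) whose mtime
#   lies in (START, END]. START/END are dates accepted by `touch -d`, e.g.
#   "2014-09-01" or "2014-09-03 23:30". Two reference files are used instead
#   of GNU find's -newermt so the same code also works with BusyBox find.
#   Caveat: the reference files live under ${TMPDIR:-/tmp}; if ROOT contains
#   that directory they will appear in the output.
files_changed_between() {
    _root=$1 _start=$2 _end=$3
    _ref=$(mktemp -d)
    touch -d "$_start" "$_ref/start"
    touch -d "$_end" "$_ref/end"
    find "$_root" -xdev -type f -newer "$_ref/start" ! -newer "$_ref/end" 2>/dev/null | sort
    rm -rf "$_ref"
}

# count_changed_between ROOT START END -> number of matching files
count_changed_between() {
    files_changed_between "$@" | wc -l | tr -d ' '
}

# changes_by_dir ROOT START END
#   Counts matching files per parent directory, most-changed first.
#   A mass defacement shows up as thousands of hits under the web root;
#   a lone entry in a writable tmp or cache directory is the thread to pull.
changes_by_dir() {
    files_changed_between "$@" | sed 's|/[^/]*$||' | sort | uniq -c | sort -rn
}

# build_sample_tree DIR
#   Constructs a small tree with back-dated mtimes (invented data) so the
#   functions above can be exercised offline.
build_sample_tree() {
    mkdir -p "$1/www/css" "$1/www/js" "$1/tmp"
    touch -d "2014-09-02 10:00" "$1/www/index.php" "$1/www/css/a.css"
    touch -d "2014-09-03 23:30" "$1/www/js/b.js" "$1/tmp/.x" "$1/tmp/.y"
    touch -d "2014-08-01 00:00" "$1/www/old.php"   # before the window
    touch -d "2014-09-05 00:00" "$1/www/new.php"   # after the window
}

# Demo: `sh triage.sh demo` prints the per-directory summary for the window.
if [ "${1:-}" = "demo" ]; then
    _t=$(mktemp -d)
    build_sample_tree "$_t"
    changes_by_dir "$_t" "2014-09-01" "2014-09-04"
    rm -rf "$_t"
fi
```

On a real box, run it against the web root (or `/` with `-xdev` keeping it on the root filesystem) with the window taken from the first and last suspicious timestamps, and read the per-directory summary before the full file list. Remember that mtime is trivially set by an attacker (`touch -r`), so treat a clean result as weak evidence; ctime, which cannot be set from userland, is the better cross-check when the filesystem is still mounted.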
0 votes, 2 answers

Suspicious Process User:www-data EXE:/usr/sbin/php5-fpm

I have csf installed on a Debian server which uses nginx+php5-fpm and see a lot of these: lfd[23293]: Suspicious Process PID:16998 PPID:16122 User:www-data Uptime:824 secs EXE:/usr/sbin/php5-fpm CMD:php-fpm: pool www lfd[23293]: Suspicious Process…
alfish