More ideas from Data
Few other windows thoughts:
Look in the c:\windows\prefetch folder sometimes malware has a place it runs from, creates a copy of itself somewhere else, runs that, then deletes the copy. Doesn’t always clean up prefetch though J
Alternate data streams are good for hiding things. Dir /r will show you the ADS of a file (or folder, or whole directory tree)
Echo hello > junk.txt
Dir junk.txt
Echo hidden text > junk.txt:myADS
Type junk.txt
Type junk.txt:myADS
More < junk.txt:myADS
Dir /r junk.txt
Sysinternals has a strings.exe (so you don’t need linux on your windows box)
A few other linux thoughts:
/etc/init.d/ contains scripts that determine what order to load startup files (good place to hide if you’re malware)
Rc is the file that kicks everything off. Look for when it was last modified (ls lrat)
Find is a useful command to locate files that were created/modified/accessed about the same time as another file of interest.
Find /etc mtime +100 mtime -105 | xargs ls l //lists files +at least 100 days old and no more than 105 days old
Gfind can also help (if available) it’s like find with more options
/var/log/ has a lot of potentially good stuff for you. Find stuff modified recently or zero’d out to find interesting things. Zero’d out means someone cared enough to wipe the log.
Look at scheduled activities in /etc/crontab (and check /etc/cron.* for other activities that might be… different than normal)
Check /root/.bash_history to see what root has been up to (or /home/*/.bash_history for everyone else)