Howdy malware fighters,
In light of Incident Handling, I thought it would be good to start with Step 0, and that is Detection. Before you ever begin your incident handling process, you have to know you are compromised. Sometimes it's readily apparent and sometimes it isn't.
Go here and check the ten signs: http://isc.sans.org/diary.html?storyid=5095
Starting with Step 0, what you learn at this forum site is how to detect malware on your box, or an attempt to compromise your box. And now the other ten signs:
- Your logging server hasn't logged any events, or you haven't received alerts, in the last 12 hours
- Your FTP server, user hard drives, etc. are suddenly out of disk space, or logs grow in size more than your normal variation
- Your competition's products look just like yours, but have a prettier color scheme
- Your customers start receiving spam on email addresses they used only to sign up for your service
- You get "machine acts funny" reports from users (i.e. windows closing by themselves, browser homepage changed, etc.)
- Someone needs help connecting to the company's wireless access point, but you don't have a wireless access point
- Complaints that software (payment processing software, web browser, etc.) keeps crashing
- Complaints from users that passwords/logins aren't working
- Computer systems running unusually slow
- Visitors to your website complain that they get redirected to another site, or to one that just doesn't "look" right
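The first two signs on the list (a log server that has gone quiet, and log volume jumping beyond normal variation) are the ones you can check automatically. Here is an added example of how such a check could look; it is not from the ISC diary or from Polonus, and the log lines, file sizes and the 3-sigma threshold are constructed for illustration:

```python
from datetime import datetime
from statistics import mean, pstdev

TS_FORMAT = "%Y-%m-%d %H:%M:%S"

# Constructed sample: syslog-style lines as a central log server might store them.
SAMPLE_LOG = """\
2009-01-10 08:00:12 fw01 kernel: accepted tcp 10.0.0.5 -> 10.0.0.20:443
2009-01-10 09:15:44 fw01 sshd: session opened for user backup
2009-01-10 09:16:01 fw01 kernel: accepted tcp 10.0.0.7 -> 10.0.0.20:25
2009-01-11 01:30:09 fw01 sshd: session closed for user backup
"""

def parse_ts(text):
    """Parse the leading 'YYYY-MM-DD HH:MM:SS' timestamp of a log line."""
    return datetime.strptime(text[:19], TS_FORMAT)

def hours_since_last_event(log_text, now_str):
    """Hours between the newest parsable log entry and 'now'; None if no entries."""
    stamps = []
    for line in log_text.splitlines():
        try:
            stamps.append(parse_ts(line))
        except ValueError:
            continue  # skip lines without a usable timestamp
    if not stamps:
        return None
    return (parse_ts(now_str) - max(stamps)).total_seconds() / 3600

def log_server_silent(log_text, now_str, max_silence_hours=12):
    """Sign 1: nothing logged in the last 12 hours (an empty log counts as silent)."""
    age = hours_since_last_event(log_text, now_str)
    return age is None or age > max_silence_hours

def log_growth_abnormal(daily_sizes_mb, today_mb, sigma=3.0):
    """Sign 2: today's log volume is more than 'sigma' standard deviations above
    the history. The spread is floored so a perfectly flat history cannot divide by zero."""
    base, spread = mean(daily_sizes_mb), max(pstdev(daily_sizes_mb), 0.1)
    return (today_mb - base) / spread > sigma

if __name__ == "__main__":
    print("log server silent:", log_server_silent(SAMPLE_LOG, "2009-01-11 14:00:00"))
    print("log growth abnormal:", log_growth_abnormal([40, 42, 39, 41, 43], 120))
```

Both checks only raise a flag; the human judgement about normal variation still has to set the thresholds for your own environment.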
If you have other indicators that you have encountered in the past that have clued you in to a compromise, please let Polonus know and he'll update this SANS Internet Storm Center list.
pol