Community
- Command Central
- MVP Program
- Monthly Mission
- Blogs
- Groups
- Events
- Media Vault
Products
- Observability
- Network Management
- Application Management
- IT Security
- IT Service Management
- System Management
- Database Management
Content Exchange
- SolarWinds Platform
- Server & Application Monitor
- Database Performance Analyzer
- Server Configuration Monitor
- Network Performance Monitor
- Network Configuration Manager
- SQL Sentry
- Web Help Desk
Free Tools & Trials

Can I find evidence of Orion versions and hotfix installs inside the Orion database?

We decommissioned an Orion application server last month that was possibly running a vulnerable version of Orion (inc. SAM, NPM, NTA, etc.) and if it did, needs to be reviewed for indicators of compromise. I know longer have the application server itself and i doubt i can recover it from anywhere as it never really was put into full production. I still have the database server that the app server was connected to, and it still has all the data in it from the timeframe it was running.

Is it possible to query the Orion database and look for evidence of Orion versions we installed or were running at various times? Can i see what version of Orion Core services i had installed for the life of the server? Can i see when we installed various hotfixes? Does the database itself contain any indicators of compromise?

Thank you!

Find more posts tagged with

Accepted answers

All comments

danielleh

This might help: https://thwack.solarwinds.com/t5/The-Orion-Platform-Discussions/Determining-the-Version-and-Hotfix-Level-of-Orion-Platform/td-p/614154

@KMSigma.SWI might also be able to chime in should the above not cover your questions.

KMSigma.SWI

There are no IOCs indicated in the database directly. You could infer some information from the ConfigWizardLog table, but it's not authoritative. If you already deleted your application server, then you can't check for the compromised DLL - which is the only true IOC.