Security Basics mailing list archives
Re: Windows Bot/Trojan/Backdoor scanner
From: Andrew Hecox <ahecox () uchicago edu>
Date: Sun, 14 Sep 2003 19:07:49 -0500 (CDT)
On Sun, 14 Sep 2003, Markus Rossi wrote:
<snip>
Thanks for the info so far, although I should have been more explicit initially. The machines in question have already been pulled from the network because they are exhibiting suspicious network activity as determined by a vulnerability scan or analysis of their outgoing traffic.

For administratively controlled machines (depending on the administrating group) we have centrally controlled client-side firewalls, plus selective port blocking at the network gateway. The problem is that not every machine is capable of being centrally controlled (several thousand are not). So when something like lovsan/msblast hits the network, we might have a couple of hundred machines compromised in such a way that they may have a backdoor installed.

Currently, our policy is to re-format these machines before they are allowed back on the network since we do not know what might be installed during the time-period where they were open to the world. However, if we could realistically minimize the possibility that any software was installed, simply cleaning the infection and patching any holes would be preferable and a significant resource saver.

The key seems to be finding the right tools or set of tools to make sure the system does not have any additional backdoor software installed, not necessarily with 100% accuracy but with a very high percentage (say, 95% or better)?

-cheers!
Andrew