Security Basics mailing list archives

Re: possible rooted systems


From: kyle <kyle () inetconnection com>
Date: Thu, 28 Oct 2004 13:58:25 -0500

Yes, but that doesn't show what the traffic consists of, and due to some of 
the software we run that has very dynamic port usage, it'll just let us know 
some computers are using said ports. Web site traffic, on the other hand, we 
can fully know without an issue, but for a rootkit/trojan/malware/adware to 
show on the firewall, it would have to trigger BorderManager as an invalid or 
disallowed site, and if it tripped that then it wouldn't be bogging down our 
internet because it would be blocked already before it hit the T1. 
It's been determined we need a packet sniffer for the job that works on Novell 
(we've tried a lot already, and the only other option to get a packet sniffer 
in the line is to redo the gateways through a nix box we have set aside as a 
sniffer), though I'm of course going to make a strong recommendation that we 
set up a permanent sniffer in the line for next year. 

Kyle
On Thursday 28 October 2004 12:34 pm, you wrote:
Kyle,

If you believe you have been compromised I say start investigating the
issue. Check the firewall logs for outbound and inbound connections on
non-standard ports. Once you do that check standard ports. See if you see any
IRC ports in use. For the *ware issue (* being any form of the ware family)
I suggest starting off small using a free product like Ad-Aware and starting
from there. Unfortunately in a school environment you will have that issue
and most likely you cannot switch browsers to a less vulnerable one.

Either way check the logs on the firewall for abnormal usage (you should
know your network the best, to tell what's normal and abnormal).

Quoting kyle <kyle () inetconnection com>:
I am a LAN administrator at a small school system with a T1 line for the
internet. Lately I've noticed that the T1 line has been maxed, and a week
later, it still is maxed out. I strongly believe that a few systems have
been rooted (no viruses/trojans show up on scans) and need a Novell-based
packet sniffer to determine what is legitimate and illegitimate traffic.
Does anyone know of any good ones? We run many XP and 98 boxes with
multiple Novell servers. I think some of the 98 boxes are the ones that
were rooted. On using them I've noticed one common thing on every one of
them at that building: spyware beyond usage (current record 35000 entries
before Ad-Aware locked up). I know how I can just fix it, but I need some
sort of log so I can justify my means. ;)
Thanks
Kyle
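The firewall-log triage the reply in this thread suggests (top talkers by bytes, IRC ports, non-standard destination ports, denied attempts), as an added example that is not part of the thread or any poster's code. The log lines are constructed and the space-separated format (timestamp, action, proto, src, "->", dst, bytes) is an assumption chosen for illustration; a real BorderManager or other firewall export will look different and needs its own parser. The port lists are assumptions too: a starting point for "what is normal on my network", not a complete allow-list.

```python
"""
Triage of firewall connection logs for a saturated uplink.
Added example, not code from the thread. The log format and the
port lists below are assumptions made for illustration only.
"""
from collections import defaultdict

# Ports a LAN admin would normally expect from XP/98 desktops.
# Assumption: a starting point, not a complete allow-list.
EXPECTED_PORTS = {80, 443, 53, 25, 110, 21}
# Common IRC server ports (6660-6669 plus 7000). Assumption.
IRC_PORTS = set(range(6660, 6670)) | {7000}

# Constructed sample log: ts action proto src -> dst bytes
SAMPLE_LOG = """\
2004-10-28T13:01:02 ALLOW TCP 10.1.5.23:1034 -> 66.35.250.150:80 41523
2004-10-28T13:01:05 ALLOW TCP 10.1.5.23:1035 -> 66.35.250.150:80 38000
2004-10-28T13:01:09 ALLOW TCP 10.1.5.77:1201 -> 192.0.2.44:6667 1200
2004-10-28T13:01:10 ALLOW TCP 10.1.5.77:1202 -> 192.0.2.44:6667 980
2004-10-28T13:01:15 ALLOW UDP 10.1.5.77:1203 -> 198.51.100.9:53 300
2004-10-28T13:02:00 ALLOW TCP 10.1.5.77:1204 -> 203.0.113.5:4662 2500000
2004-10-28T13:02:11 ALLOW TCP 10.1.5.77:1205 -> 203.0.113.6:4662 1900000
2004-10-28T13:02:20 ALLOW TCP 10.1.5.40:1301 -> 192.0.2.77:8080 90000
2004-10-28T13:03:00 DENY TCP 10.1.5.40:1302 -> 192.0.2.99:31337 0
"""


def parse_line(line):
    """Split one assumed-format log line into a record dict."""
    ts, action, proto, src, _arrow, dst, nbytes = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {
        "ts": ts, "action": action, "proto": proto,
        "src_ip": src_ip, "src_port": int(src_port),
        "dst_ip": dst_ip, "dst_port": int(dst_port),
        "bytes": int(nbytes),
    }


def parse_log(text):
    """Parse every non-empty line of the log text."""
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def bytes_per_host(records):
    """Allowed outbound bytes per internal source, largest first."""
    totals = defaultdict(int)
    for r in records:
        if r["action"] == "ALLOW":
            totals[r["src_ip"]] += r["bytes"]
    return dict(sorted(totals.items(), key=lambda kv: kv[1], reverse=True))


def top_talkers(records, n=3):
    """The n hosts pushing the most allowed bytes through the firewall."""
    return list(bytes_per_host(records).items())[:n]


def flag_suspicious(records, expected=EXPECTED_PORTS, irc=IRC_PORTS):
    """Return (src_ip, dst_port, reason) for IRC ports, denied attempts
    and allowed connections to ports outside the expected set."""
    findings = []
    for r in records:
        p = r["dst_port"]
        if p in irc:
            findings.append((r["src_ip"], p, "irc"))
        elif r["action"] == "DENY":
            findings.append((r["src_ip"], p, "denied"))
        elif p not in expected:
            findings.append((r["src_ip"], p, "nonstandard"))
    return findings


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("top talkers (allowed bytes):")
    for host, total in top_talkers(recs):
        print(f"  {host:<14} {total:>10}")
    print("findings:")
    for src, port, why in flag_suspicious(recs):
        print(f"  {src} -> port {port}: {why}")
```

In the constructed sample the host that saturates the link is the one talking IRC and to a non-standard port, which is the pattern the reply tells Kyle to look for; on a real log the byte totals are what justify pulling a specific machine off the network before the sniffer is ever in place.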

