Security Basics mailing list archives
Re: possible rooted systems
From: kyle <kyle () inetconnection com>
Date: Thu, 28 Oct 2004 13:58:25 -0500
Yes, but that doesn't show what the traffic consists of, and due to some of the software we run that have very dynamic port usage, it'll just let us know some computers are using said ports. Web site traffic on the other hand we can fully know without an issue, but for a root kit/trojan/malware/adware to show on the firewall, it would have to trigger border manager as a invalid or disallowed site, and if it tripped that then it wouldn't be bogging down our internet because it would be blocked already before it hit the T1. Its been determined we need a packet sniffer for the job that works on novell (we've tried alot already, and the only other option to get a packet sniffer in the line is to redo the gateways though a nix box we have set aside as a sniffer) though I'm ofcourse going to make a strong recommendation that we setup a permanate sniffer in the line for next year. Kyle On Thursday 28 October 2004 12:34 pm, you wrote:
Kyle, If you believe you have been compromised I say start investigating the issue. Check the firewall logs for outbound and inbound connections on non standard ports. Once you do that check standard ports. See if you see any irc ports in use. For the *ware issue (* being and form of the ware family) I suggest to start off small using a free product liek ad-aware and start from there. Unfortuantly in a school enviroment you will have that issue and most likely you can not switch browsers to a less vulnerable one. Either way check the logs on the firewall for abnormal usage (you should know your network the bess, to tell whats normal and abnormal). Quoting kyle <kyle () inetconnection com>:I am a lan administrator at a small school system with a T1 line for the internet. Lately I've noticed that the T1 line has been maxed, and a week later, it still is maxed out. I strongly believe that a few systems have been rooted (no viruses/trojans show up on scans) and need a novell based packet sniffer to determine what is legitimate and illegitimate traffic. Does anyone know of any good ones? We run many xp and 98 boxes with multiple novell servers. I think some of the 98 boxes are the ones that were rooted On using them I've noticed one common thing on every one of them at that building. spyware beyond usage (current record 35000 entries before adaware locked up). I know how I can just fix it, but I need some sort of log so I can justify my means. ;) Thanks Kyle
Current thread:
- possible rooted systems kyle (Oct 28)
- Re: possible rooted systems Mike (Oct 28)
- Re: possible rooted system xyberpix (Oct 28)
- Re: possible rooted systems Adam Jones (Oct 28)
- Re: possible rooted systems mike (Oct 28)
- Re: possible rooted systems kyle (Oct 28)
- RE: possible rooted systems AndrewC (Oct 28)
- RE: possible rooted systems David Gillett (Oct 28)
- <Possible follow-ups>
- RE: possible rooted systems Beauford, Jason (Oct 28)
- Re: possible rooted systems Mailing Lists (Oct 28)
- Re: possible rooted systems Mike (Oct 28)