Re: Sniffer on my network

[Eduardo Cruz <eduardo.cruz () TS-G COM>]

the fact that ur LANGUARD has detected that your workstation has a sniffer
is not correct at all, that program has detected the ethernet of that
workstation
is in promiscuous mode, a sniffer has to put the ethernet in that state yes,
but
many tools for detect scans and etc.. do that as well

good luck

----- Original Message -----
From: Computer Vegetable <CompuVeg () COLUMBUS RR COM>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Wednesday, August 16, 2000 3:36 PM
Subject: Sniffer on my network


> At my office I've recently installed a network monitoring package called
> LanGuard.  One of the things this tool does is find network sniffers on
your
> network.  I didn't expect to see any, but as it turns out one of our
> workstations is showing up as a sniffer.
>
> I am unable to find any processes running on the machine with
unidentifiable
> sources.  I'm also unable to find any known Trojans or other viruses on
that
> machine.  The only odd thing that I have found is that anytime a network
> cable is plugged into the workstation in question, the address 13.10.15.10
> shows up IMMEDIATELY in the ARP.
>
> Has anyone seen anything like this?  ARIN says the address is owned by
Xerox
> PARC, who's admin says that IP is theirs, but not currently in use.
>
> Thanks