Security Basics mailing list archives
Re: network worm
From: "Brandon Glaze" <bglaze () northstar k12 ak us>
Date: Fri, 10 Dec 2004 08:35:06 -0900
I am not sure if you have been answered yet, but when my network was hit with the same FBOT worm (as Kaspersky called it) I implemented honeyd as a quick Linux script which uses Doug Song's ArpD to ARP-poison your switch and give you the ability to have one machine answer on behalf of an entire subnet. The quick config files that come with honeyd are usually enough to emulate several key types of vulnerable machines. Just tail -f the /var/log/honeyd file and any connections to this box are invalid. I also implemented "no ip unreachables" on all of my Cisco switches so that the routers were not bogged down trying to answer on behalf of all the infected clients' requests for non-existent network pings. Hope that helps...
On Thu, 9 Dec 2004 09:13:30 +0530 "Harshul Nayak" <harshul.nayak () patni com> wrote:
Hello Luis, running an IDS and monitoring its logs should be a useful deployment, if you still feel the threat of malicious traffic on your network. I would even suggest having a look into the latest snort-inline ;) you can do a lot more than mere monitoring.

-regs
Harshul

-----Original Message-----
From: l c [mailto:neo_italy02 () yahoo it]
Sent: Thursday, December 09, 2004 3:55 AM
To: security-basics () securityfocus com
Subject: network worm

Hi all,
in the past days our network was stressed by a lot of network worms (not found by the local antivirus, already up to date) with a stop of the traffic caused by a lot of ARP requests. The last one was WORM_SDBOT.ACJ, a worm that propagates itself using network shares and a worm that Trend Micro (up to date) was unable to find, causing the saturation of the network switches and the related stop of all the work. The question is: "is there the possibility to set up an instrument (even Linux based) to sniff the network traffic with capabilities to find worms?". We already have a Linux based tool for network monitoring; this tool is useful to isolate hosts with a lot of ARP requests (typical of the worm), but this tool can't point us to which worm is doing the traffic.

Thanks a lot
Luis
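Brandon's approach relies on one rule: no legitimate host has any business talking to the addresses honeyd is answering for, so every connection in the honeyd log is a lead. The script below, an added example and not code from any of the posters, turns that rule into a small triage tool: it parses honeyd-style connection records, counts how many distinct decoy addresses each source contacted, and lists the destination ports it hammered (445/139 would point at share-based spreading like the SDBOT variant Luis mentions). The log field layout (timestamp, protocol, S/E/- flag, source, source port, destination, destination port) is an assumption about honeyd's format, the sample lines are constructed, and the `min_targets` threshold is a hypothetical tuning knob.

```python
"""Triage honeyd connection logs: which internal hosts are probing decoy addresses?
Added example; log format is assumed, sample lines are constructed."""
import re
from collections import Counter, defaultdict

# Constructed honeyd-style records. 10.1.4.23 sweeps five decoy addresses on the
# file-sharing ports; 10.1.2.200 makes a single web connection.
SAMPLE_LOG = """\
2004-12-10-08:31:02.1043 tcp(6) S 10.1.4.23 1071 10.1.9.5 445 [Windows XP SP1]
2004-12-10-08:31:02.2201 tcp(6) S 10.1.4.23 1072 10.1.9.6 445 [Windows XP SP1]
2004-12-10-08:31:02.3555 tcp(6) S 10.1.4.23 1073 10.1.9.7 139
2004-12-10-08:31:02.4810 tcp(6) S 10.1.4.23 1074 10.1.9.8 445 [Windows XP SP1]
2004-12-10-08:31:05.0012 icmp(1) - 10.1.4.23 8(0) 10.1.9.9
2004-12-10-08:31:07.7711 tcp(6) E 10.1.4.23 1071 10.1.9.5 445: 48 0
2004-12-10-08:32:10.0101 tcp(6) S 10.1.2.200 3389 10.1.9.20 80 [Linux 2.4]
"""

# Assumed field layout:
#   <timestamp> <proto>(<num>) <S|E|-> <src> <sport-or-icmp-type> <dst> [<dport>] ...
# Trailing material (OS fingerprint, byte counts after "dport:") is ignored.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>[a-z]+)\(\d+\)\s+(?P<flag>[SE-])\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<sport>\S+)\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?:\s+(?P<dport>\d+))?"
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"]) if rec["dport"] else None
    return rec


def connection_starts(log_text):
    """Yield new-connection records (S) and connectionless packets (-) only;
    E (connection end) lines are skipped so each flow is counted once."""
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["flag"] in ("S", "-"):
            yield rec


def targets_per_source(log_text):
    """Map each source IP to the set of decoy addresses it contacted."""
    targets = defaultdict(set)
    for rec in connection_starts(log_text):
        targets[rec["src"]].add(rec["dst"])
    return targets


def flag_scanners(log_text, min_targets=3):
    """Sources that touched at least min_targets distinct decoys, busiest first.
    A worm sweeping a subnet hits many decoys; a stray misconfigured client
    usually hits one, which is why a threshold (hypothetical value) is applied."""
    hits = [(src, len(d)) for src, d in targets_per_source(log_text).items()
            if len(d) >= min_targets]
    return sorted(hits, key=lambda h: (-h[1], h[0]))


def top_ports(log_text):
    """Per source, destination TCP/UDP ports ordered by how often they were hit.
    The port mix hints at the propagation vector (445/139 = network shares)."""
    ports = defaultdict(Counter)
    for rec in connection_starts(log_text):
        if rec["dport"] is not None:
            ports[rec["src"]][rec["dport"]] += 1
    return {src: c.most_common() for src, c in ports.items()}


if __name__ == "__main__":
    port_summary = top_ports(SAMPLE_LOG)
    for src, n in flag_scanners(SAMPLE_LOG):
        print(f"{src}: contacted {n} decoy hosts, ports {port_summary.get(src)}")
```

Feed it the real log with `flag_scanners(open("/var/log/honeyd").read())` instead of `SAMPLE_LOG`; the flagged sources are the hosts to pull off the wire, and the port list is what to hand to whoever is trying to name the worm.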