Security Basics mailing list archives
Re: possible rooted systems
From: kyle <kyle () inetconnection com>
Date: Sat, 30 Oct 2004 10:10:15 -0500
We have enough spares we can just take the machines and give them a clean one while we format/reinstall and then cripple the system with driveshield. But we need to figure out what machines need to be redone.

And for the people suggesting I put in a nix box in the line: we tried that, dropped the net for the building (we have one especially configured to be a packet sniffer only) till we removed it (seems it needs some work itself), and we can't have the line down for more than 5 min to install a new server/tool in the line. But I was given how to do a packet sniffer on novell boxes (and by novell I mean novell netware, not suse; suse is linux, and linux I know well enough to not need how to run a packet sniffer on), so we will see what that gets me.

On Thursday 28 October 2004 01:29 pm, Mailing Lists wrote:

Not to be a stickler for details, and hopefully you are already planning this, but the infected machines should be re-imaged, not fixed. Otherwise you leave yourself open to missing backdoors and the like. The upfront effort in creating an image for each machine type is almost always worth the effort. It may take several image revisions to get all the little details worked out, but it's always a good feeling to be able to wipe a machine when it catches something nasty, or when a new program you are installing steps on the configuration.

An easy solution that I use is to have a USB Drive around that has all the images I need on it. When a machine hiccups, I can back it up to the USB Drive using a ghost boot disk with dos USB drivers, and then plant a new image over the top.

Good Luck!

On Thu, 28 Oct 2004 13:52:45 -0400, Beauford, Jason <jbeauford () eightinonepet com> wrote:

You don't necessarily need a NOVELL based SNIFFER. You could hook up any box and run a LIVE LINUX CD. You can use the "built-in" (Depends on distribution) ETHEREAL sniffer to sniff packets off the wire. Another nice tool you can use is NTOP. NTOP sniffs packets off the wire and breaks down the communication processes into GRAPHICAL representation. Very handy little tool.

I'd recommend downloading and burning the KNOPPIX STD .iso, hooking up a hub between your Firewall and your MAIN SWITCH. Hook up any PC box or laptop, boot up your KNOPPIX STD Disk and monitor away. Knoppix STD here: http://www.knoppix-std.org/

Most likely, you are having some sort of FILE SHARING/ P2P issues. Maybe even LAN Based Gaming (Trust me.. Not beyond the realm of possibilities.. You can download the Unreal Tournament 2004 demo and have hours of fun on a School or even Corporate LAN =) ) Take a look at commercial products to monitor/limit incoming/outgoing traffic, i.e. Websense: http://www.websense.com. Or if your Firewall allows for it, block egress traffic there.

Speaking of Firewalls, yours may have a logging feature which can log packets to a SYSLOG Server. If that's the case, set it up and log all traffic in and out to a central server (Sorry, not familiar with NOVELL Syslog Servers/Daemons.) There's KIWI SYSLOG SERVER for Windows. It's a freebie and works great! Maybe set up SNORT for IDS purposes?

Firstly, if it were me, I'd check out the Knoppix STD Disk. You can gather some great data from that. All the other stuff is preventative after you fix the problem.

Kind Regards,
JMB

-----Original Message-----
From: kyle [mailto:kyle () inetconnection com]
Sent: Thursday, October 28, 2004 8:13 AM
To: security-basics () securityfocus com
Subject: possible rooted systems

I am a lan administrator at a small school system with a T1 line for the internet. Lately I've noticed that the T1 line has been maxed, and a week later, it still is maxed out. I strongly believe that a few systems have been rooted (no viruses/trojans show up on scans) and need a novell based packet sniffer to determine what is legitimate and illegitimate traffic. Does anyone know of any good ones? We run many xp and 98 boxes with multiple novell servers. I think some of the 98 boxes are the ones that were rooted. On using them I've noticed one common thing on every one of them at that building: spyware beyond usage (current record 35000 entries before adaware locked up). I know how I can just fix it, but I need some sort of log so I can justify my means. ;)

Thanks
Kyle
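The thread's practical problem is turning firewall or sniffer output into a log that shows which LAN hosts are saturating the T1 and justifies re-imaging them. The following is an added example, not code from anyone in the thread: it parses a constructed, generic iptables-style firewall log (not any specific vendor's format; the addresses are documentation ranges), totals bytes per internal source host, counts how many distinct destinations each host talks to (many peers on high ports is the usual P2P pattern JMB mentions), and flags hosts over a byte or peer threshold. The thresholds and the `OUT` tag are assumptions chosen for the sample data.

```python
"""Rank LAN hosts by outbound traffic from syslog-style firewall lines.

Added example: the log format below is constructed for illustration and is
not a real firewall's output. 10.1.5.0/24 stands in for the school LAN;
203.0.113.0/24 and 198.51.100.0/24 are documentation ranges used as "Internet".
"""
import re

# Constructed sample log (one line is deliberately unrelated, to show that
# non-matching lines are skipped rather than crashing the parser).
SAMPLE_LOG = """\
Oct 28 08:01:02 fw kernel: OUT SRC=10.1.5.23 DST=203.0.113.10 PROTO=TCP DPT=6881 LEN=1480
Oct 28 08:01:02 fw kernel: OUT SRC=10.1.5.23 DST=203.0.113.11 PROTO=TCP DPT=6882 LEN=1480
Oct 28 08:01:03 fw kernel: OUT SRC=10.1.5.41 DST=198.51.100.10 PROTO=TCP DPT=80 LEN=520
Oct 28 08:01:03 fw kernel: OUT SRC=10.1.5.23 DST=203.0.113.12 PROTO=TCP DPT=6883 LEN=1480
Oct 28 08:01:04 fw kernel: link state change on eth1
Oct 28 08:01:04 fw kernel: OUT SRC=10.1.5.77 DST=198.51.100.25 PROTO=TCP DPT=443 LEN=1200
Oct 28 08:01:05 fw kernel: OUT SRC=10.1.5.41 DST=198.51.100.10 PROTO=TCP DPT=80 LEN=640
Oct 28 08:01:05 fw kernel: OUT SRC=10.1.5.23 DST=203.0.113.13 PROTO=UDP DPT=6884 LEN=1480
Oct 28 08:01:06 fw kernel: OUT SRC=10.1.5.23 DST=203.0.113.14 PROTO=TCP DPT=6885 LEN=1480
"""

# Field layout assumed for the constructed format above.
LINE_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) "
    r"DPT=(?P<dpt>\d+) LEN=(?P<length>\d+)"
)


def parse_log(text):
    """Yield one record dict per parseable line; lines without the fields are skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["dpt"] = int(rec["dpt"])
        rec["length"] = int(rec["length"])
        yield rec


def summarize(records):
    """Per source host: total bytes, distinct destination hosts, distinct destination ports."""
    summary = {}
    for r in records:
        s = summary.setdefault(r["src"], {"bytes": 0, "peers": set(), "ports": set()})
        s["bytes"] += r["length"]
        s["peers"].add(r["dst"])
        s["ports"].add(r["dpt"])
    return summary


def rank_hosts(summary):
    """Return (host, bytes) pairs, heaviest talker first; ties broken by address."""
    return sorted(((h, s["bytes"]) for h, s in summary.items()),
                  key=lambda hb: (-hb[1], hb[0]))


def flag_suspects(summary, byte_threshold, peer_threshold):
    """Hosts that moved more than byte_threshold bytes or spoke to more than
    peer_threshold distinct destinations (a fan-out pattern typical of P2P)."""
    return sorted(h for h, s in summary.items()
                  if s["bytes"] > byte_threshold or len(s["peers"]) > peer_threshold)


if __name__ == "__main__":
    summ = summarize(parse_log(SAMPLE_LOG))
    for host, nbytes in rank_hosts(summ):
        s = summ[host]
        print(f"{host:<12} {nbytes:>7} bytes  {len(s['peers'])} peers  "
              f"ports={sorted(s['ports'])}")
    # Thresholds are illustrative; tune them to the link's real capacity.
    print("suspects:", flag_suspects(summ, byte_threshold=5000, peer_threshold=3))
```

On a real deployment the same aggregation would run over the syslog file the firewall ships to the central server JMB describes, or over a text export from ntop or Ethereal, and the per-host byte totals and peer counts are the kind of record that documents why a given machine was pulled and re-imaged.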
Current thread:
- Re: possible rooted systems kyle (Nov 01)
- <Possible follow-ups>
- RE: possible rooted systems xyberpix (Nov 01)
- Re: possible rooted systems Alvin Oga (Nov 02)
- Re: possible rooted systems Mailing Lists (Nov 01)
- RE: possible rooted systems xyberpix (Nov 02)