RE: possible rooted systems

[xyberpix <xyberpix () xyberpix com>]

On this thread I would recommend blocking as many P2P ports as possible,
and then see if your line is still maxed after this.
Here's a link for you, maybe someone else can recommend a better link?

http://www.commodon.com/threat/threat-allports.htm

xyberpix

On Thu, 2004-10-28 at 20:31, David Gillett wrote:
>   It is, of course, possible that you have one or more compromised
> machines on your network.  But when I've seen Internet connections
> max out, it has been due to P2P file-sharing at least as often as
> compromised systems....
>
> Dave Gillett
>
>
> > -----Original Message-----
> > From: kyle [mailto:kyle () inetconnection com]
> > Sent: Thursday, October 28, 2004 5:13 AM
> > To: security-basics () securityfocus com
> > Subject: possible rooted systems
> >
> >
> > I am a lan administrator at a small school system with a T1 
> > line for the 
> > internet. Lately I've noticed that the T1 line has been 
> > maxed, and a week 
> > later, it still is maxed out. I strongly believe that a few 
> > systems have been 
> > rooted (no viruses/trojans show up on scans) and need a 
> > novell based packet 
> > sniffer to determine what is legitimate and illegitimate 
> > traffic. Does anyone 
> > know of any good ones? We run many xp and 98 boxes with 
> > multiple novell 
> > servers. I think some of the 98 boxes are the ones that were 
> > rooted On using 
> > them I've noticed one common thing on every one of them at 
> > that building. 
> > spyware beyond usage (current record 35000 entries before 
> > adaware locked up). 
> > I know how I can just fix it, but I need some sort of log so 
> > I can justify my 
> > means. ;)
> > Thanks
> > Kyle
-- 
For Security and Open Source news:
http://xyberpix.demon.co.uk

Attachment: signature.asc
Description: This is a digitally signed message part