Security Basics mailing list archives

Re: possible rooted systems


From: Adam Jones <ajones1 () gmail com>
Date: Thu, 28 Oct 2004 13:09:51 -0500

I believe Ethereal would still be your best bet. It can analyze
IPX/SPX traffic (if that is what you mean by a "Novell based packet
sniffer"). If what you need is something that can run on a Novell
client, this will work with SuSE, and may work with older Novell
systems.

From your description the traffic that you are seeing is either
entirely generated by spyware/adware, or is the result of a system
compromise. I wouldn't trust a 98 box in a school system to do
anything other than be a doorstop. Don't be surprised if you turn up a
copy of kazaa/bittorrent/emule/whatever that some kid has installed on
one of those boxes.

Packet sniffing may show you something, but a software audit on those
systems is what I would look to first. There are tools available to
capture that kind of information remotely. For the XP boxes you could
probably trust installing and running the Windows Scripting Host.
Setting up a script to grab the uninstallation information from the
registry and a listing of folders in the C drive and Program Files
directories shouldn't be that hard; check
www.microsoft.com/technet/scriptcenter/default.mspx for more info on
that. In checking those locations you can find most anything that has
actually been installed vs. simply copied off a CD into some random
directory. For the 98 boxes you may want to do this manually, as
installing the newer version of the scripting host on them opens up a
whole larger can of worms.

Immediate solutions to the bandwidth issue would probably be getting a
rate limit set on the network device. Many switches will do port-based
rate limiting, which will restrict the (probably) 1-2 systems causing
problems from using up all of your bandwidth.

A combination of packet sniffing and logs of installed programs should
give your higher-ups all of the data they need. When all of this is
cleaned up, remember to strongly recommend upgrades to XP or 2000 for
those 98 boxes. If they are not the problem right now they will be in
the future. If necessary, set up a demonstration of how you can get
into the system with full privileges just by pressing the Cancel
button at login. To really punctuate it, proceed to install some game
and play it; that should get any school administrator worth something
to sit up and listen.

-Adam
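An added example of the inventory script Adam describes, not part of the original post and not code from the Script Center page he links to. It is a Windows Scripting Host (VBScript) script that enumerates the Uninstall key and lists the folders at the root of C: and under Program Files, either on the local machine or on a remote XP box. It assumes WMI and the StdRegProv registry provider are present (they are on XP, not on a stock 98 install), that the account running it is a local administrator on the target, and that RPC/DCOM to the target is not blocked; the script name and the optional hostname argument are this example's own choices.

```vbscript
' audit-installed.vbs  (added example, not from the original post)
' Usage:  cscript //nologo audit-installed.vbs [hostname]
' With no argument it audits the local machine ("."). Against a remote
' host it needs admin rights there and WMI/DCOM reachable over the LAN.
Option Explicit

Const HKEY_LOCAL_MACHINE = &H80000002
Const UNINSTALL_KEY = "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"

Dim strComputer, objReg, objWMI, arrSubKeys, strSubKey, strName, strDate

strComputer = "."
If WScript.Arguments.Count > 0 Then strComputer = WScript.Arguments(0)

' Registry provider via WMI: the same call works locally or remotely.
Set objReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
    strComputer & "\root\default:StdRegProv")

' 1. Everything that registered an uninstaller. Programs merely copied
'    off a CD into a random directory will NOT appear here, which is
'    exactly the distinction the post is after.
WScript.Echo "=== Installed programs (Uninstall key) on " & strComputer & " ==="
objReg.EnumKey HKEY_LOCAL_MACHINE, UNINSTALL_KEY, arrSubKeys
If IsArray(arrSubKeys) Then
    For Each strSubKey In arrSubKeys
        objReg.GetStringValue HKEY_LOCAL_MACHINE, _
            UNINSTALL_KEY & "\" & strSubKey, "DisplayName", strName
        objReg.GetStringValue HKEY_LOCAL_MACHINE, _
            UNINSTALL_KEY & "\" & strSubKey, "InstallDate", strDate
        ' Entries without a DisplayName are usually hotfixes or leftovers;
        ' InstallDate may be Null, which "&" silently treats as "".
        If Not IsNull(strName) Then
            WScript.Echo strName & vbTab & "(" & strSubKey & ")" & vbTab & strDate
        End If
    Next
End If

' 2. Folder listings, so things that were just copied onto the disk
'    (P2P clients, game directories) still show up somewhere.
Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
    strComputer & "\root\cimv2")
ListFolders objWMI, "C:", "\"
ListFolders objWMI, "C:", "\Program Files\"

' Lists the immediate subfolders of strDrive & strPath using
' Win32_Directory, which, unlike FileSystemObject, works against a
' remote host without needing the admin share.
Sub ListFolders(objWMI, strDrive, strPath)
    Dim colDirs, objDir, strWql
    ' Backslashes are escape characters in WQL, so double them.
    strWql = "SELECT Name FROM Win32_Directory WHERE Drive='" & strDrive & _
             "' AND Path='" & Replace(strPath, "\", "\\") & "'"
    WScript.Echo "=== Folders in " & strDrive & strPath & " on " & strComputer & " ==="
    Set colDirs = objWMI.ExecQuery(strWql)
    For Each objDir In colDirs
        WScript.Echo objDir.Name
    Next
End Sub
```

Run it with cscript rather than wscript so the output goes to the console and can be redirected to a file per machine (for example cscript //nologo audit-installed.vbs LAB-PC07 > LAB-PC07.txt), then diff the files from the suspect machines against one from a clean image. Anything that shows up in the folder listings but not in the Uninstall key is the "copied off a CD" case the post warns about, and is where a packet sniffer's findings should be cross-checked first.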
