Security Basics mailing list archives
Re: possible rooted systems
From: Adam Jones <ajones1 () gmail com>
Date: Thu, 28 Oct 2004 13:09:51 -0500
I believe Ethereal would still be your best bet. It can analyze IPX/SPX traffic (if that is what you mean by a "Novell based packet sniffer"). If what you need is something that can run on a Novell client this will work with SuSE, and may work with older Novell systems.
From your description the traffic that you are seeing is either entirely generated by spyware/adware, or is the result of a system compromise. I wouldn't trust a 98 box in a school system to do anything other than be a doorstop. Don't be surprised if you turn up a copy of kazaa/bittorrent/emule/whatever that some kid has installed on one of those boxes.

Packet sniffing may show you something, but a software audit on those systems is what I would look to first. There are tools available to capture that kind of information remotely. For the XP boxes you could probably trust installing and running the Windows Scripting Host. Setting up a script to grab the uninstallation information from the registry and a listing of folders in the C drive and Program Files directories shouldn't be that hard; check www.microsoft.com/technet/scriptcenter/default.mspx for more info on that. In checking those locations you can find most anything that has actually been installed vs. simply copied off a CD into some random directory. For the 98 boxes you may want to do this manually, as installing the newer version of the scripting host on them opens up a whole larger can of worms.

Immediate solutions to the bandwidth issue would probably be getting a rate limit set on the network device. Many switches will do port-based rate limiting, which will restrict the (probably) 1-2 systems causing problems from using up all of your bandwidth. A combination of packet sniffing and logs of installed programs should give your higher ups all of the data they need.

When all of this is cleaned up remember to strongly recommend upgrades to XP or 2000 for those 98 boxes. If they are not the problem right now they will be in the future; if necessary set up a demonstration of how you can get into the system with full privileges just by pressing the cancel button at login. To really punctuate it proceed to install some game and play it; that should get any school administrator worth something to sit up and listen.

-Adam
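The software audit Adam describes (registry uninstall entries plus top-level folder listings of the system drive and Program Files, optionally gathered remotely) written out as an added example. This is not code from the original post or from Microsoft's script center; it uses PowerShell rather than the Windows Scripting Host of 2004, and it assumes PowerShell 5.1 or later, local administrator rights, and, for remote hosts, WinRM already enabled on the targets. The output file names and the `$OutDir` default are assumptions.

```powershell
# Added example (not from the original message): inventory of installed software
# and top-level folders, the two things the post suggests collecting per machine.
# Assumptions: PowerShell 5.1+, admin rights; remote collection needs WinRM on targets.
param(
    [string[]]$ComputerName = @('localhost'),
    [string]$OutDir = "$env:USERPROFILE\audit"   # assumed output location
)

$AuditBlock = {
    # 1. Uninstall entries: anything registered with an installer shows up here.
    $uninstallPaths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    $installed = foreach ($path in $uninstallPaths) {
        if (Test-Path $path) {
            Get-ChildItem $path | ForEach-Object {
                $p = Get-ItemProperty $_.PSPath
                if ($p.DisplayName) {
                    [pscustomobject]@{
                        Host            = $env:COMPUTERNAME
                        DisplayName     = $p.DisplayName
                        DisplayVersion  = $p.DisplayVersion
                        Publisher       = $p.Publisher
                        InstallDate     = $p.InstallDate
                        InstallLocation = $p.InstallLocation
                        UninstallString = $p.UninstallString
                        RegistryKey     = $_.PSChildName
                    }
                }
            }
        }
    }

    # 2. Folder listings: catches software that was copied into a directory
    #    without ever running an installer, which the registry will not show.
    $dirs = @("$env:SystemDrive\", $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
        Where-Object { $_ -and (Test-Path $_) }
    $folders = foreach ($d in $dirs) {
        Get-ChildItem -Path $d -Directory -Force -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{
                Host          = $env:COMPUTERNAME
                Parent        = $d
                Folder        = $_.Name
                LastWriteTime = $_.LastWriteTime
            }
        }
    }

    [pscustomobject]@{ Installed = $installed; Folders = $folders }
}

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
foreach ($c in $ComputerName) {
    if ($c -eq 'localhost') {
        $result = & $AuditBlock
    } else {
        # Remote collection over WinRM; the script block runs on the target.
        $result = Invoke-Command -ComputerName $c -ScriptBlock $AuditBlock
    }
    $result.Installed | Export-Csv -NoTypeInformation -Path (Join-Path $OutDir "$c-installed.csv")
    $result.Folders   | Export-Csv -NoTypeInformation -Path (Join-Path $OutDir "$c-folders.csv")
}
```

Run it once against a machine you consider clean to get a baseline, then compare later runs with `Compare-Object` on the CSVs; sorting the folder listing by `LastWriteTime` is usually the quickest way to spot a recently dropped peer-to-peer client or game that never registered an uninstall entry.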