Educause Security Discussion mailing list archives

Re: IRC, IM Proxy Implementations


From: Mike Porter <mike () UDEL EDU>
Date: Sun, 5 Sep 2004 22:32:31 -0400

This kind of retrospective analysis is useful enough for forensic/recovery
purposes to make it a routine part of incident response, and it can even
be used to reveal other compromised machines before they start overtly
misbehaving (if they are found to be engaging in "IRC-like" communication
with the same remote "IRC-like" server that a known-compromised host was
observed to communicate with shortly before it began misbehaving).

How do you handle machines seen using "IRC-like" behavior?  I
encounter a great deal of resistance to any sort of "guessing".
Generally, I have to "prove" a problem before turning off ports.

To be fair - it is a lot of work for someone to go over the machine
and clean it up - particularly if there isn't anything actually
wrong.

Complicating matters: we do not have a policy prohibiting p-2-p.
p-2-p and IRC behavior are pretty easy to spot.  Telling the
difference between the two seems harder, particularly when dealing
with non-standard ports.

The only tool I have for network monitoring is Netflow.

Mike
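An added example (not from this thread or its participants) of the pivot described above, done over NetFlow-style records: flag persistent, low-volume flows as "IRC-like", flag hosts with many peers on one port as "p-2-p-like", and then look for other hosts talking to the same remote server a known-compromised host used. The flow records, the field layout and the thresholds are all constructed assumptions, not a real NetFlow export.

```python
from collections import defaultdict

# Constructed sample flows, not real data: (src_ip, dst_ip, dst_port, duration_s, bytes)
FLOWS = [
    ("10.1.1.5",  "198.51.100.7",  6667, 7200, 40_000),   # known-compromised host, long idle channel
    ("10.1.1.5",  "203.0.113.9",   80,   3,    12_000),   # ordinary short web fetch
    ("10.1.1.22", "198.51.100.7",  6667, 5400, 25_000),   # same remote server, not yet misbehaving
    ("10.1.1.22", "203.0.113.10",  443,  20,   80_000),
    ("10.1.1.40", "198.51.100.7",  8080, 30,   1_000),    # brief contact, below duration threshold
    # p-2-p-like host: many distinct peers on one non-standard port, short, bulky flows
    *[("10.1.1.77", f"192.0.2.{i}", 51413, 600, 3_000_000) for i in range(1, 8)],
]


def irc_like(flows, min_duration=1800, max_bytes=200_000):
    """Persistent, low-volume flows to a single remote service: the shape of an
    IRC-style channel regardless of port. Thresholds are assumptions; tune locally.
    Returns a set of (src, dst, dport)."""
    return {(s, d, p) for s, d, p, dur, b in flows
            if dur >= min_duration and b <= max_bytes}


def p2p_like_hosts(flows, min_peers=5):
    """Hosts that reach many distinct remote peers on the same port: the swarm
    pattern that separates p-2-p from a chat-style single-server channel."""
    peers = defaultdict(set)
    for s, d, p, _, _ in flows:
        peers[(s, p)].add(d)
    return {s for (s, p), ds in peers.items() if len(ds) >= min_peers}


def pivot(flows, compromised):
    """Take the remote servers a known-compromised host had IRC-like flows to, and
    return every other internal host with an IRC-like flow to one of those servers,
    mapped to the (server, port) pairs involved. Hosts with no IRC-like flows yield {}."""
    chat = irc_like(flows)
    servers = {d for s, d, _ in chat if s == compromised}
    suspects = defaultdict(set)
    for s, d, p in chat:
        if s != compromised and d in servers:
            suspects[s].add((d, p))
    return dict(suspects)


if __name__ == "__main__":
    print("IRC-like flows:", sorted(irc_like(FLOWS)))
    print("p-2-p-like hosts:", sorted(p2p_like_hosts(FLOWS)))
    print("pivot from 10.1.1.5:", pivot(FLOWS, "10.1.1.5"))
```

The pivot result is a lead to investigate, not proof of compromise; the p-2-p classifier is what keeps a file-sharing host with a long session from being handed to the cleanup queue on the same evidence.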
