Educause Security Discussion mailing list archives
Re: IRC, IM Proxy Implementations
From: Mike Porter <mike () UDEL EDU>
Date: Sun, 5 Sep 2004 22:32:31 -0400
> This kind of retrospective analysis is useful enough for forensic/recovery purposes to make it a routine part of incident response, and it can even be used to reveal other compromised machines before they start overtly misbehaving (if they are found to be engaging in "IRC-like" communication with the same remote "IRC-like" server that a known-compromised host was observed to communicate with shortly before it began misbehaving).
How do you handle machines seen using "IRC-like" behavior? I encounter a great deal of resistance to any sort of "guessing". Generally, I have to "prove" a problem before turning off ports. To be fair - it is a lot of work for someone to go over the machine and clean it up - particularly if there isn't anything actually wrong.

Complicating matters: we do not have a policy prohibiting p-2-p. p-2-p and irc behavior are pretty easy to spot. Telling the difference between the two seems harder, particularly when dealing with non-standard ports. The only tool I have for network monitoring is Netflow.

Mike

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
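An added example, not from anyone in this thread, sketching the retrospective Netflow triage the two messages describe: classify a host as p2p-like (fan-out to many peers) or IRC-like (one remote endpoint held for a long time at a trickle), and pivot from a known-compromised host to other hosts that used the same server before it misbehaved. The flow records, field names and thresholds are constructed assumptions, not values from the list.

```python
"""Retrospective NetFlow triage: IRC-like persistence vs. p2p-like fan-out, plus a pivot
from a known-compromised host to other hosts talking to the same remote server."""
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:             # one NetFlow record, reduced to the fields the heuristic needs
    src: str
    dst: str
    dport: int
    start: int          # seconds since epoch (constructed)
    duration: int       # seconds
    octets: int

# Constructed sample: 10.0.0.5 is known compromised and began misbehaving at t=4000.
FLOWS = [
    Flow("10.0.0.5", "198.51.100.7", 6667, 100, 3500, 40_000),  # long, low-rate session before misbehaving
    Flow("10.0.0.9", "198.51.100.7", 6667, 300, 3000, 30_000),  # another host, same server: worth a look
    Flow("10.0.0.9", "203.0.113.2", 80, 500, 20, 120_000),      # ordinary short web fetch
] + [Flow("10.0.0.20", f"192.0.2.{i}", 40000 + i, 600 + i, 30, 2_000_000) for i in range(25)]  # p2p fan-out

P2P_PEERS = 15          # distinct remote endpoints before a host is called p2p-like (assumed)
IRC_MIN_SECONDS = 1800  # a single endpoint held at least this long ... (assumed)
IRC_MAX_BPS = 200       # ... at a trickle; chat traffic is tiny next to file transfer (assumed)

def classify_host(flows, host):
    """Return 'p2p-like', 'irc-like' or 'unclassified' for one source host."""
    per_peer = defaultdict(lambda: [0, 0])  # (dst, dport) -> [total seconds, total octets]
    for f in flows:
        if f.src == host:
            per_peer[(f.dst, f.dport)][0] += f.duration
            per_peer[(f.dst, f.dport)][1] += f.octets
    if len(per_peer) >= P2P_PEERS:          # many peers, regardless of port: p2p-like
        return "p2p-like"
    for secs, octets in per_peer.values():  # one peer, long and quiet: irc-like
        if secs >= IRC_MIN_SECONDS and octets / secs <= IRC_MAX_BPS:
            return "irc-like"
    return "unclassified"

def irc_like_servers(flows, host, before):
    """Endpoints a host held IRC-like sessions with, using only flows that started before `before`."""
    pre = [f for f in flows if f.src == host and f.start < before]
    return {(f.dst, f.dport) for f in pre
            if f.duration >= IRC_MIN_SECONDS and f.octets / f.duration <= IRC_MAX_BPS}

def hosts_sharing_server(flows, known_bad, misbehaved_at):
    """Other hosts that talked to the servers the known-bad host used before it misbehaved."""
    servers = irc_like_servers(flows, known_bad, misbehaved_at)
    return sorted({f.src for f in flows if (f.dst, f.dport) in servers and f.src != known_bad})
```

The pivot list is a triage queue, not proof: each hit still needs the same host-level confirmation the message asks for before a port is turned off.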