Full Disclosure mailing list archives

Re: Linux - Indicators of compromise


From: Giles Coochey <giles () coochey net>
Date: Wed, 18 Jul 2012 08:18:06 +0100

On 17/07/2012 18:58, Григорий Братислава wrote:
> On Mon, Jul 16, 2012 at 10:35 AM, Giles Coochey <giles () coochey net> wrote:
>> On 16/07/2012 14:48, Gary Baribault wrote:
>>>
>>> I suggest one of the first answers was the good one, intercept the traffic
>>> routed to the internet with TCPDump. Filter out the normal traffic and see
>>> what's left. All compromised systems talk to the Internet to dump data or
>>> route spam. Be patient, some systems talk all the time, some once an hour ..
>>> but you will find some unexplained traffic. Once you do find that you're
>>> infected, don't bother cleaning up the system, format and restore the data!
>
> Is you have much more to worry than is ICMP/GRE tunnels. Is I send to
> Broadcast and I am is on your network, how do you is plan to pinpoint
> who I am when is everyone see broadcast

By your source MAC address

--
Regards,

Giles Coochey, CCNA, CCNAS
NetSecSpec Ltd
+44 (0) 7983 877438
http://www.coochey.net
http://www.netsecspec.co.uk
giles () coochey net



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
