Educause Security Discussion mailing list archives

Re: IRC, IM Proxy Implementations


From: Daniel Adinolfi <dra1 () CORNELL EDU>
Date: Wed, 8 Sep 2004 10:06:29 -0400

On Sep 08, 2004, at 09:52, Mark Wilson wrote:

> Well, 100% of the boxes we have found with this sig have been
> compromised. However, your point is well taken.  I would be interested
> in others' experiences.


Looking for tcp/113 listening on a system has been one of the
indicators we have used.  Some systems are just running software that
uses ident legitimately (like some IRC clients), of course.  I have
found that about 85% of those systems which we found running ident were
bots, though.  Just nmapping them and finding rogue FTP servers along
with ident has been enough to identify compromised systems.

I am still looking to automate this a bit, but so far the methodology
has been very successful in finding compromised systems.

-Dan

_________________
Daniel Adinolfi, CISSP
Senior Security Engineer, IT Security Office
Cornell University - Office of Information Technologies
email: dra1 () cornell edu   phone: 607-255-7657
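The message above describes the indicator by hand: ident (tcp/113) listening plus a rogue FTP server found by nmap. The following is an added example of automating that triage, not Dan's tool or anything from the list; it parses nmap grepable (-oG) output and scores each host. The sample scan output is constructed for the example, and the "likely bot" / "review" verdicts are this example's own labels, not a standard.

```python
"""Triage nmap -oG output for the ident + rogue-FTP indicator.

Added example. Assumes a scan such as:
    nmap -sV -p 21,113 -oG scan.gnmap 10.20.0.0/24
(-sV matters: FTP daemons on non-standard ports are only
recognised by banner, not by port number).
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample of grepable output (not a real scan).
SAMPLE_NMAP_OG = """\
# Nmap scan initiated as: nmap -sV -p 21,113 -oG - 10.20.0.0/24
Host: 10.20.0.11 ()\tPorts: 21/open/tcp//ftp//Serv-U ftpd 4.0/, 113/open/tcp//ident//\tIgnored State: closed (998)
Host: 10.20.0.12 ()\tPorts: 21/closed/tcp//ftp///, 113/open/tcp//ident//\tIgnored State: closed (998)
Host: 10.20.0.13 ()\tPorts: 21/open/tcp//ftp//vsftpd 1.2.1/, 113/closed/tcp//ident///\tIgnored State: closed (998)
Host: 10.20.0.14 ()\tStatus: Up
Host: 10.20.0.15 ()\tPorts: 2121/open/tcp//ftp//Serv-U ftpd 4.0/, 113/open/tcp//ident//\tIgnored State: closed (998)
# Nmap done
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")
PORTS_RE = re.compile(r"Ports:\s+(.*?)(?:\t|$)")


@dataclass
class HostFindings:
    ip: str
    hostname: str = ""
    # port -> "service version" text for open ports only
    open_ports: Dict[int, str] = field(default_factory=dict)

    @property
    def has_ident(self) -> bool:
        # nmap names tcp/113 "ident" or "auth" depending on version.
        return 113 in self.open_ports or any(
            s.startswith(("ident", "auth")) for s in self.open_ports.values())

    @property
    def ftp_ports(self) -> List[int]:
        # Port 21, or any port whose banner was identified as FTP.
        return sorted(p for p, s in self.open_ports.items()
                      if p == 21 or s.startswith("ftp"))

    @property
    def verdict(self) -> str:
        # Labels are this example's own; every hit still needs a human look,
        # since ident alone is legitimate on machines running IRC clients.
        if self.has_ident and self.ftp_ports:
            return "likely bot"
        if self.has_ident or self.ftp_ports:
            return "review"
        return "no indicators"


def parse_grepable(text: str) -> List[HostFindings]:
    """Parse nmap -oG lines into per-host open-port maps."""
    hosts: List[HostFindings] = []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        host = HostFindings(ip=m.group(1), hostname=m.group(2))
        pm = PORTS_RE.search(line)
        if pm:
            for entry in pm.group(1).split(", "):
                # Entry layout: port/state/proto/owner/service/rpc/version/
                parts = entry.split("/")
                if len(parts) < 5 or parts[1] != "open":
                    continue
                version = parts[6] if len(parts) > 6 else ""
                host.open_ports[int(parts[0])] = (parts[4] + " " + version).strip()
        hosts.append(host)
    return hosts


def triage(text: str) -> Dict[str, str]:
    """Map each scanned IP to its verdict."""
    return {h.ip: h.verdict for h in parse_grepable(text)}


if __name__ == "__main__":
    for h in parse_grepable(SAMPLE_NMAP_OG):
        print(f"{h.ip:<14} {h.verdict:<14} ftp={h.ftp_ports} ident={h.has_ident}")
```

Run it against a real file with `triage(open("scan.gnmap").read())`. Hosts flagged "likely bot" are the ones worth an immediate look; "review" hosts with ident only are where the legitimate IRC-client false positives Dan mentions will land.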

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.
