
Re: possible rooted systems

Subject: Re: possible rooted systems
Date: Thu, 28 Oct 2004 13:09:51 -0500
I believe ethereal would still be your best bet. It can analyze
IPX/SPX traffic (if that is what you mean by a "novell based packet
sniffer"). If what you need is something that can run on a novell
client this will work with SuSE, and may work with older novell
systems.

From your description the traffic that you are seeing is either
entirely generated by spyware/adware, or is the result of a system
compromise. I wouldn't trust a 98 box in a school system to do
anything other than be a doorstop. Don't be surprised if you turn up a
copy of kazaa/bittorrent/emule/whatever that some kid has installed on
one of those boxes.

Packet sniffing may show you something, but a software audit on those
systems is what I would look to first. There are tools available to
capture that kind of information remotely. For the xp boxes you could
probably trust installing and running the windows scripting host.
Setting up a script to grab the uninstallation information from the
registry and a listing of folders in the c drive and program files
directories shouldn't be that hard, check
www.microsoft.com/technet/scriptcenter/default.mspx for more info on
that. In checking those locations you can find most anything that has
actually been installed vs simply copied off a cd into some random
directory. For the 98 boxes you may want to do this manually, as
installing the newer version of the scripting host on them opens up a
whole larger can of worms.

Immediate solutions to the bandwidth issue would probably be getting a
rate limit set on the network device. Many switches will do port-based
rate limiting, which will restrict the (probably) 1-2 systems causing
problems from using up all of your bandwidth.

A combination of packet sniffing and logs of installed programs should
give your higher ups all of the data they need. When all of this is
cleaned up remember to strongly recommend upgrades to XP or 2000 for
those 98 boxes. If they are not the problem right now they will be in
the future. If necessary, set up a demonstration of how you can get
into the system with full privileges just by pressing the cancel
button at login. To really punctuate it proceed to install some game
and play it, that should get any school administrator worth something
to sit up and listen.

-Adam
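The software audit sketched in the post above (uninstall information pulled from the registry, plus folder listings of the system drive and Program Files, so that installed software can be told apart from files merely copied into place), as an added example that is not part of the original post or thread. It is written in PowerShell rather than the Windows Scripting Host the post mentions, assumes a current Windows host with PowerShell 5.1 or later and an account that can read HKLM, and the output path and the name pattern it flags are assumptions.

```powershell
# Added example, not code from the original post. Inventories installed
# software from the registry Uninstall keys and lists top-level folders under
# the system drive and Program Files, writing one CSV per machine so the
# results can be compared side by side. Output path is an assumed default.
param(
    [string]$OutFile = "$env:TEMP\software-audit-$env:COMPUTERNAME.csv"
)

# Uninstall keys for 64-bit and 32-bit installers, plus per-user installs.
# Keys that do not exist on a given host are skipped silently.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Anything with a DisplayName went through an installer and registered itself.
$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object @{n = 'Source';      e = { 'Registry' } },
                  @{n = 'Name';        e = { $_.DisplayName } },
                  @{n = 'Version';     e = { $_.DisplayVersion } },
                  @{n = 'Publisher';   e = { $_.Publisher } },
                  @{n = 'Path';        e = { $_.InstallLocation } },
                  @{n = 'InstallDate'; e = { $_.InstallDate } }

# Folder listings catch software that was copied in without an installer and
# therefore never shows up under the Uninstall keys.
$folderRoots = @("$env:SystemDrive\", $env:ProgramFiles)
if (${env:ProgramFiles(x86)}) { $folderRoots += ${env:ProgramFiles(x86)} }

$folders = foreach ($root in $folderRoots) {
    Get-ChildItem -Path $root -Directory -Force -ErrorAction SilentlyContinue |
        Select-Object @{n = 'Source';      e = { 'Folder' } },
                      @{n = 'Name';        e = { $_.Name } },
                      @{n = 'Version';     e = { '' } },
                      @{n = 'Publisher';   e = { '' } },
                      @{n = 'Path';        e = { $_.FullName } },
                      @{n = 'InstallDate'; e = { $_.LastWriteTime.ToString('s') } }
}

# Combine both views into one report for the people who have to act on it.
$report = @($installed) + @($folders)
$report | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
Write-Host "Wrote $($report.Count) entries to $OutFile"

# Surface the entries worth looking at first. The pattern is an assumption
# built from the file-sharing clients named in the post; extend it as needed.
$suspect = '(?i)kazaa|bittorrent|emule'
$report |
    Where-Object { $_.Name -match $suspect -or $_.Path -match $suspect } |
    Format-Table Source, Name, Path -AutoSize
```

Run it once per workstation (or through whatever remote execution the site already uses) and diff the CSVs against a known-clean build; a folder with no matching registry entry is exactly the "copied off a CD into some random directory" case the post describes and is where the unexpected peer-to-peer client usually turns up.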
