
RE: possible rooted systems

Subject: RE: possible rooted systems
Date: Thu, 28 Oct 2004 13:52:45 -0400
You don't necessarily need a NOVELL based SNIFFER.

You could hook up any box and run a LIVE LINUX CD.  You can use the
"built-in" (Depends on distribution) ETHEREAL sniffer to sniff packets
off the wire.

Another nice tool you can use is NTOP.  NTOP sniffs packets off the wire
and breaks down the communication processes into GRAPHICAL
representation.  Very handy little tool.

I'd recommend downloading and burning the KNOPPIX STD .iso, hooking up a
hub between your Firewall and your MAIN SWITCH.  Hook up any PC box or
laptop, boot up your KNOPPIX STD Disk and monitor away.

Knoppix STD here:  http://www.knoppix-std.org/

Most likely, you are having some sort of FILE SHARING/ P2P issues.
Maybe even LAN Based Gaming (Trust me.. Not beyond the realm of
possibilities.. You can download the Unreal Tournament 2004 demo and
have hours of fun on a School or even Corporate LAN =) )

Take a look at commercial products to monitor/limit incoming/outgoing
traffic, i.e. Websense: http://www.websense.com.

Or if your Firewall allows for it, block egress traffic there.  Speaking
of Firewalls, you may have a logging feature which can log packets to a
SYSLOG Server.  If that's the case, set it up and log all traffic in and
out to a central server (Sorry not familiar with NOVELL Syslog
Servers/Daemons.) There's KIWI SYSLOG SERVER for Windows.  It's a
freebie and works great!  Maybe setup SNORT for IDS purposes?

Firstly, if it were me, I'd check out the Knoppix STD Disk.  You can
gather some great data from that.  All the other stuff is preventative
after you fix the problem.

Kind Regards,

JMB

-----Original Message-----
From: kyle [mailto:kyle@inetconnection.com] 
Sent: Thursday, October 28, 2004 8:13 AM
To: security-basics@securityfocus.com
Subject: possible rooted systems


I am a LAN administrator at a small school system with a T1 line for the
internet. Lately I've noticed that the T1 line has been maxed, and a week
later, it still is maxed out. I strongly believe that a few systems have
been rooted (no viruses/trojans show up on scans) and need a Novell-based
packet sniffer to determine what is legitimate and illegitimate traffic.
Does anyone know of any good ones? We run many XP and 98 boxes with
multiple Novell servers. I think some of the 98 boxes are the ones that
were rooted. On using them I've noticed one common thing on every one of
them at that building: spyware beyond usage (current record 35000 entries
before Adaware locked up). I know how I can just fix it, but I need some
sort of log so I can justify my means. ;)
Thanks
Kyle

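Added illustration (not code posted by JMB or Kyle): once a box on a hub between the firewall and the main switch is capturing, a text dump is enough to answer Kyle's actual question, "which hosts are eating the T1, and does the traffic look like P2P?". The script below parses the quiet (-q) text format of tcpdump rather than Ethereal's GUI output, so the result is a log that can be kept and shown to management. Everything here is assumed rather than taken from the thread: the LAN prefix 10., the peer-count and high-port heuristic for flagging a host, and the sample capture, which is constructed for the example. Byte counts are TCP/UDP payload lengths as tcpdump prints them, so they understate real wire usage by the header overhead.

```python
"""Top-talker and P2P-heuristic summary of a `tcpdump -nn -q` text capture.

Added example for the security-basics thread above; not from either poster.
Assumed line shapes (tcpdump quiet output, numeric addresses):
    HH:MM:SS.ffffff IP SRC.PORT > DST.PORT: tcp LEN
    HH:MM:SS.ffffff IP SRC.PORT > DST.PORT: UDP, length LEN
"""
import re
import sys
from collections import defaultdict

LAN_PREFIX = "10."  # assumption: the school LAN lives in 10.0.0.0/8

# One tcpdump -q line: timestamp, IP src.port > dst.port, then either
# "tcp N" (N = payload bytes) or "UDP, length N".
LINE_RE = re.compile(
    r"^\S+\s+IP\s+(?P<src>[\d.]+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+):\s+"
    r"(?:tcp\s+(?P<tcplen>\d+)|UDP,\s+length\s+(?P<udplen>\d+))"
)

# Constructed sample capture (not a real trace). 10.1.5.37 is spraying
# 1460-byte segments at many remote peers on 4662/6346/6881 (the classic
# eDonkey, Gnutella and BitTorrent defaults); 10.1.5.12 is just browsing.
SAMPLE = """\
13:52:45.000001 IP 10.1.5.37.3201 > 24.18.7.90.4662: tcp 1460
13:52:45.000101 IP 10.1.5.37.3202 > 68.44.2.11.4662: tcp 1460
13:52:45.000201 IP 10.1.5.37.3203 > 82.30.1.200.6346: tcp 1460
13:52:45.000301 IP 10.1.5.37.3204 > 213.5.7.9.4662: tcp 1460
13:52:45.000401 IP 10.1.5.37.3205 > 71.9.3.4.6881: UDP, length 512
13:52:45.000501 IP 24.18.7.90.4662 > 10.1.5.37.3201: tcp 1460
13:52:46.000001 IP 10.1.5.12.1044 > 64.233.161.99.80: tcp 520
13:52:46.000101 IP 64.233.161.99.80 > 10.1.5.12.1044: tcp 1460
13:52:46.000201 IP 10.1.5.12.1045 > 64.233.161.99.80: tcp 0
13:52:46.000301 IP 10.1.5.12.1046 > 207.46.1.1.443: tcp 300
"""


def parse_capture(text):
    """Yield (lan_host, remote_host, remote_port, direction, payload_len) for
    every packet that crosses the LAN boundary. Intra-LAN traffic and lines
    that do not match the expected tcpdump format are skipped silently."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        length = int(m.group("tcplen") or m.group("udplen"))
        src, dst = m.group("src"), m.group("dst")
        src_lan, dst_lan = src.startswith(LAN_PREFIX), dst.startswith(LAN_PREFIX)
        if src_lan and not dst_lan:
            yield src, dst, int(m.group("dport")), "out", length
        elif dst_lan and not src_lan:
            yield dst, src, int(m.group("sport")), "in", length


def summarise(text, peer_threshold=3):
    """Aggregate per LAN host: bytes in/out, distinct remote peers and the most
    used remote port. A host is flagged 'suspicious' (assumed heuristic, not a
    proof of compromise) when it talks to >= peer_threshold distinct peers and
    its busiest remote port is unprivileged (>= 1024), the P2P pattern."""
    stats = {}
    for host, peer, port, direction, length in parse_capture(text):
        s = stats.setdefault(host, {"out": 0, "in": 0, "peers": set(),
                                    "ports": defaultdict(int)})
        s[direction] += length
        s["peers"].add(peer)
        s["ports"][port] += 1
    report = []
    for host, s in stats.items():
        top_port = max(s["ports"], key=s["ports"].get)
        report.append({
            "host": host,
            "bytes": s["out"] + s["in"],
            "out": s["out"],
            "in": s["in"],
            "peers": len(s["peers"]),
            "top_port": top_port,
            "suspicious": len(s["peers"]) >= peer_threshold and top_port >= 1024,
        })
    report.sort(key=lambda r: r["bytes"], reverse=True)  # biggest talker first
    return report


def main(argv):
    # Usage: tcpdump -nn -q -i eth0 > cap.txt ; python3 top_talkers.py cap.txt
    # With no argument the constructed SAMPLE is summarised instead.
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE
    for r in summarise(text):
        flag = "  <-- check this box" if r["suspicious"] else ""
        print(f"{r['host']:<15} {r['bytes']:>8} B  peers={r['peers']:<3} "
              f"top_port={r['top_port']}{flag}")


if __name__ == "__main__":
    main(sys.argv)
```

Run over the sample it lists 10.1.5.37 first with 7812 payload bytes, five peers and 4662 as its busiest port, flagged for inspection, and 10.1.5.12 second with ordinary port-80/443 traffic and no flag. The same output saved from a real capture is the kind of written record Kyle was after before reimaging the 98 boxes; the heuristic only narrows the list, it does not replace looking at the machine.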