RE: [fw-wiz] Strange outbound connections.

From: Ben Nagy (ben_at_iagu.net)
Date: 08/27/03

    To: "'George J. Jahchan, Eng.'" <Firewall-Wizards@Compucenter.org>, "'Firewall Wizards List'" <firewall-wizards@honor.icsalabs.com>
    Date: Wed, 27 Aug 2003 10:57:23 +0200
    
    

    Well, if you really want to catch someone, then start digging out your
    forensics tools.

    Sniff these weird packets, find out what's in them. Fire up a known-good
    cmd.exe and dir /a for atime mtime and ctime on everything. Run fport to
    check processes that are holding onto unexpected ports. Then check all the
    event logs, and dump the registry and comb through that just in case.
    Eventually you might turn up something that will tell you if you're correct
    that the system is trojaned, and hopefully how and why.

    My own recommendation is that you immediately pull out the hard drive, get a
    new one, and just format and rebuild the box from scratch.

    After that, you can look at everything read-only on the bench. You might miss
    some evidence (assuming you want to 'nail people down') but what you have
    you won't be messing with. For extra points you can use TCT or something -
    although it's probably best, if you decide that you want to take legal
    action, to ask people that know about these things in your local legal
    climate.

    ben

    > -----Original Message-----
    > From: firewall-wizards-admin@honor.icsalabs.com
    > [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf
    [...]
    > I strongly suspect a trojan lurking in the system. Any
    > idea(s) on how to
    > nail down the culprit?

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
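The timestamp sweep Ben describes (dir /a for atime, mtime and ctime on everything, done read-only on the bench) can be scripted as a file-system timeline. The block below is an added example, not code from the original post or from TCT; it walks a mounted image root, keeps every file whose atime, mtime or ctime falls inside a window of interest, and returns the events oldest first. The sample tree, file names and the 2003-08-27 window are constructed for the demo.

```python
"""Timeline the atime/mtime/ctime of every entry under a (read-only mounted)
drive image: the scripted equivalent of 'dir /a' per timestamp."""
import os
import tempfile
from datetime import datetime, timezone


def build_timeline(root, since, until):
    """Return [(iso_ts, kind, path)] for every entry whose atime, mtime or
    ctime lies within [since, until] (epoch seconds), oldest event first.
    Note: st_ctime is creation time on Windows but inode change time on Unix."""
    events = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:          # hidden entries included, like dir /a
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)                # lstat: never follow links/junctions
            except OSError:
                continue                           # unreadable entry; skip rather than abort
            for kind, ts in (("atime", st.st_atime),
                             ("mtime", st.st_mtime),
                             ("ctime", st.st_ctime)):
                if since <= ts <= until:
                    events.append((ts, kind, path))
    events.sort()
    return [(datetime.fromtimestamp(ts, timezone.utc).isoformat(), kind, path)
            for ts, kind, path in events]


def make_sample_tree():
    """Constructed sample (hypothetical names): two files, only one of which has
    timestamps inside the window. Returns (root, since, until)."""
    root = tempfile.mkdtemp()
    suspect = os.path.join(root, "unknown.exe")
    benign = os.path.join(root, "notepad.exe")
    for p in (suspect, benign):
        with open(p, "wb") as f:
            f.write(b"\x00")
    window_start = 1061942400                       # 2003-08-27 00:00:00 UTC (constructed)
    os.utime(suspect, (window_start + 3600, window_start + 3600))   # atime, mtime inside window
    os.utime(benign, (window_start - 86400, window_start - 86400))  # one day before the window
    return root, window_start, window_start + 86400


if __name__ == "__main__":
    root, since, until = make_sample_tree()
    for ts, kind, path in build_timeline(root, since, until):
        print(ts, kind, path)
```

Run it against the mount point of the bench copy, not the live disk, so the sweep itself does not update atimes.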

