Re: possible rooted systems

mike_at_genxweb.net
Date: 10/28/04

    Date: Thu, 28 Oct 2004 13:34:54 -0400
    To: kyle@inetconnection.com

    Kyle,

    If you believe you have been compromised, I say start investigating the issue.
    Check the firewall logs for outbound and inbound connections on non-standard
    ports. Once you do that, check standard ports. See if you see any IRC ports in
    use. For the *ware issue (* being any form of the ware family) I suggest you
    start off small using a free product like Ad-Aware and go from there.
    Unfortunately in a school environment you will have that issue, and most likely
    you cannot switch browsers to a less vulnerable one.

    Either way, check the logs on the firewall for abnormal usage (you should know
    your network the best, to tell what's normal and abnormal).

    Quoting kyle <kyle@inetconnection.com>:

    > I am a LAN administrator at a small school system with a T1 line for the
    > internet. Lately I've noticed that the T1 line has been maxed, and a week
    > later, it still is maxed out. I strongly believe that a few systems have been
    > rooted (no viruses/trojans show up on scans) and need a Novell-based packet
    > sniffer to determine what is legitimate and illegitimate traffic. Does anyone
    > know of any good ones? We run many XP and 98 boxes with multiple Novell
    > servers. I think some of the 98 boxes are the ones that were rooted. On using
    > them I've noticed one common thing on every one of them at that building:
    > spyware beyond usage (current record 35000 entries before Ad-Aware locked up).
    > I know how I can just fix it, but I need some sort of log so I can justify my
    > means. ;)
    > Thanks
    > Kyle
    >
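The reply above boils down to three checks on the firewall logs: outbound connections to IRC ports, outbound connections to ports you do not expect on a school LAN, and which internal hosts are pushing the most bytes through the saturated T1. The script below is an added example, not code from the original thread or from either poster; the log line format, the 10.0.0.0/8 LAN range, the sample log lines and the list of "standard" ports are all constructed assumptions and would need to be adapted to the real firewall's export format and the real network.

```python
import re
from collections import defaultdict

# Constructed sample firewall log (not from the thread). Assumed format:
# <date> <time> <ALLOW|DENY> <TCP|UDP> <src>:<sport> -> <dst>:<dport> bytes=<n>
SAMPLE_LOG = """\
2004-10-28 13:01:02 ALLOW TCP 10.1.5.23:1045 -> 64.12.24.3:80 bytes=1820
2004-10-28 13:01:05 ALLOW TCP 10.1.5.23:1046 -> 64.12.24.3:443 bytes=5400
2004-10-28 13:01:07 ALLOW TCP 10.1.5.77:1201 -> 198.51.100.9:6667 bytes=320
2004-10-28 13:01:09 ALLOW TCP 10.1.5.77:1202 -> 198.51.100.40:31337 bytes=8800000
2004-10-28 13:01:11 ALLOW UDP 10.1.5.77:1203 -> 198.51.100.41:7777 bytes=12000000
2004-10-28 13:01:12 ALLOW TCP 10.1.5.88:1300 -> 203.0.113.5:25 bytes=2200
2004-10-28 13:01:15 ALLOW TCP 10.1.5.23:1047 -> 64.12.24.7:80 bytes=910
2004-10-28 13:01:20 ALLOW TCP 10.1.5.77:1204 -> 198.51.100.40:31337 bytes=9500000
2004-10-28 13:01:25 DENY  TCP 192.0.2.8:4410 -> 10.1.5.77:445 bytes=0
"""

# Well-known IRC ports: 6660-6669 plus 6697 (IRC over TLS).
IRC_PORTS = set(range(6660, 6670)) | {6697}

# Destination ports a school LAN is expected to use. This is an assumption;
# tune it to what is actually normal on your network.
STANDARD_PORTS = {20, 21, 22, 23, 25, 53, 80, 110, 123, 143, 443, 993, 995}

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+(?P<action>ALLOW|DENY)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"bytes=(?P<bytes>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "bytes"):
        rec[key] = int(rec[key])
    return rec


def is_internal(ip):
    """Assumption: the school LAN lives in 10.0.0.0/8."""
    return ip.startswith("10.")


def analyse(log_text):
    """Return IRC hits, non-standard-port connections and per-host byte totals
    for allowed outbound traffic from internal hosts."""
    irc_hits = []
    nonstandard = []
    bytes_by_host = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "ALLOW":
            continue  # skip unparseable lines and blocked connections
        if not is_internal(rec["src"]):
            continue  # only outbound connections originating on the LAN
        bytes_by_host[rec["src"]] += rec["bytes"]
        if rec["dport"] in IRC_PORTS:
            irc_hits.append((rec["src"], rec["dst"], rec["dport"]))
        elif rec["dport"] not in STANDARD_PORTS:
            nonstandard.append((rec["src"], rec["dst"], rec["proto"], rec["dport"]))
    top_talkers = sorted(bytes_by_host.items(), key=lambda kv: kv[1], reverse=True)
    return {"irc": irc_hits, "nonstandard": nonstandard, "top_talkers": top_talkers}


def report(result):
    """Plain-text summary suitable for attaching to a justification memo."""
    lines = ["Outbound IRC connections:"]
    lines += [f"  {s} -> {d}:{p}" for s, d, p in result["irc"]] or ["  none"]
    lines.append("Outbound connections to non-standard ports:")
    lines += [f"  {s} -> {d} {proto}/{p}" for s, d, proto, p in result["nonstandard"]] or ["  none"]
    lines.append("Top talkers by bytes sent:")
    lines += [f"  {host}: {n} bytes" for host, n in result["top_talkers"]]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(analyse(SAMPLE_LOG)))
```

On the constructed sample, one host accounts for almost all of the bytes and is also the only one talking to an IRC port and to ports outside the expected set, which is exactly the kind of correlation the reply suggests looking for before pulling a machine off the wire.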

