Re: Intrusion Question

From: Mark St Laurent (stormrunner'_removethis'_at_comcast.net)
Date: 02/17/05


Date: Thu, 17 Feb 2005 20:59:14 GMT

The Ethereal version I installed on my PC to become familiar with the interface is
0.10.9; I believe this is the most recent. I am in a switched environment. I
noticed packet capture appears limited to interfaces directly connected to the
PC at which the program is installed. How is this overcome? If installed on the
affected user's PC, would the remote control user not have access to stop
recording and delete the record?
Also, the affected PC is not an optimal target (I suspect horseplay), so if it
was being compromised through the firewall (both Windows and hardware) using a
trojan program not detected by Norton Corporate and not listed by netstat,
what variants of current viruses such as NetBus or Back Orifice could be
enabled on a machine without having an entry in the registry Run key to enable
them after reboot?
The machine does have a USB to PS2 keyboard adapter (Belkin - no PS2 port native
to the PC); since moving the receiver closer to the mouse, no more incidents. This
is no reason, however, to ignore what I saw or to stop trying to learn more about
these kinds of attacks.
Now that legitimate programs such as "GoToMyPc" are using port 80, spinoffs
using similar programming will make this type of connection more difficult to
trace.

"winged" <winged@nofollow.com> wrote in message
news:cv0r3u$a0g@dispatch.concentric.net...
> BillyBob-JoeJack wrote:
>> "Mark St Laurent" <stormrunner'_removethis'@comcast.net> wrote in message
>> news:onLQd.526$Pz7.410@newssvr13.news.prodigy.com...
>>
>>>We do not have any linux or non server unix boxes to run sniffer from.
>>>What is the most popular sniffer ported to windows that I could set up
>>>and learn to use.
>>>
>>
>>
>> http://www.ethereal.com
>
> Best choice for a low budget (free), works well. Be sure you are using the
> current version, as I remember a vulnerability bug recently where an
> attacker could take over the Ethereal-equipped PC. Monitoring is best
> accomplished from inside the switch closet. My experience indicates
> commonly such things may be being done by another employee for various
> reasons, so you probably want to keep activity private/quiet. I have seen
> Trojans being operated by people inside as well as outside the network.
>
> Ensure no plug-in type keyloggers are attached to the input plug of the
> keyboard plug. I have seen plug-type keyloggers do strange activity with
> the mouse, especially as the keylogger gets full. Of course you never want
> to see one of those anywhere on your network, but they are a readily
> available device one must be alert for. Because they are so small
> (fitting like a keyboard plug extension or adapter) and easily placed and
> removed, you may need to be aware of the possibility. They are pretty hard
> to spot unless you are looking for them. I never have tried to figure out
> why/how something on the keyboard plug could interfere with the mouse, but it
> is something that has been observed.
>
> Winged