Re: Intrusion Question
From: winged (winged_at_nofollow.com)
Date: 17 Feb 2005 20:14:02 EST
To: Mark St Laurent <firstname.lastname@example.org>
Mark St Laurent wrote:
> Ethereal version I installed on my PC to become familiar with interface is
> 0.10.9; I believe this is most recent. I am in switched environment. I
> noticed packet capture appears limited to interfaces directly connected to
> PC at which program is installed. How is this overcome? If installed to
> affected user's PC, would not remote control user have access to stop
> recording and delete record?
> Also the affected PC is not an optimal target (suspect horseplay), so if it
> was being compromised through firewall (both Windows and hardware) using
> trojan program not detected by Norton corporate and not listed by netstat,
> what variants of current viruses such as NetBus or Back Orifice could be
> enabled on a machine without having an entry in registry run key to enable
> after reboot?
> Machine does have USB to PS2 keyboard adapter (Belkin - no PS2 port native
> to PC); since moving receiver closer to mouse, no more incidents. This is no
> reason however to ignore what I saw or to stop trying to learn more about
> these kinds of attacks.
> Now that legitimate programs such as "GoToMyPc" are using port 80, spinoffs
> using similar programming will make this type of connection become more
> difficult to trace.
> "winged" <email@example.com> wrote in message
>>>"Mark St Laurent" <firstname.lastname@example.org> wrote in message
>>>>We do not have any linux or non server unix boxes to run sniffer from.
>>>>What is the most popular sniffer ported to windows that I could set up
>>>>and learn to use.
>>Best choice for a low budget (free), works well. Be sure you are using the
>>current version, as I remember a vulnerability bug recently where an
>>attacker could take over the Ethereal-equipped PC. Monitoring is best
>>accomplished from inside the switch closet. My experience indicates
>>commonly such things may be being done by another employee for various
>>reasons, so you probably want to keep activity private/quiet. I have seen
>>Trojans being operated by people inside as well as outside the network.
>>Ensure no plug in type keyloggers are attached to the input plug of the
>>keyboard plug. I have seen plug type keyloggers do strange activity with
>>the mouse especially as the keylogger gets full. Of course you never want
>>to see one of those anywhere on your network, but they are a readily
>>available device one must be alert for. Because they are so small
>>(fitting like a keyboard plug extension or adapter) and easily placed and
>>removed you may need to be aware of the possibility. They are pretty hard
>>to spot unless you are looking for them. I never have tried to figure out
>>why/how something on the keyboard plug could interfere with mouse, but it
>>is something that has been observed.
I would just use a small hub (not a switch) or you can use a splitter to
monitor traffic. With a splitter you will see some collisions. If you
have a tap you can use that with no issues.