Re: Intrusion Question

From: winged (winged_at_nofollow.com)
Date: 02/18/05


Date: 17 Feb 2005 20:14:02 EST
To: Mark St Laurent <stormrunner'_removethis'@comcast.net>

Mark St Laurent wrote:
> Ethereal version I installed on my PC to become familiar with interface is
> 0.10.9 I believe this is most recent. I am in switched environment. I
> noticed packet capture appears limited to interfaces directly connected to
> PC at which program is installed. How is this overcome? If installed to
> affected user's PC, would not remote control user have access to stop
> recording and delete record?
> Also the affected PC is not an optimal target (suspect horseplay) so if it
> was being compromised through firewall (both windows and hardware) using
> trojan program not detected by norton corporate and not listed by netstat
> what variants of current viruses such as NetBus or Back Orifice could be
> enabled on a machine without having an entry in registry run key to enable
> after reboot?
> Machine does have USB to PS2 keyboard adapter (Belkin - no PS2 port native
> to PC) since moving receiver closer to mouse no more incidents. This is no
> reason however to ignore what I saw or to stop trying to learn more about
> these kind of attacks.
> Now that legitimate programs such as "GoToMyPc" are using port 80, spinoffs
> using similar programming will make this type of connection become more
> difficult to trace.
>
>
>
> "winged" <winged@nofollow.com> wrote in message
> news:cv0r3u$a0g@dispatch.concentric.net...
>
>>BillyBob-JoeJack wrote:
>>
>>>"Mark St Laurent" <stormrunner'_removethis'@comcast.net> wrote in message
>>>news:onLQd.526$Pz7.410@newssvr13.news.prodigy.com...
>>>
>>>
>>>>We do not have any linux or non server unix boxes to run sniffer from.
>>>>What is the most popular sniffer ported to windows that I could set up
>>>>and learn to use.
>>>>
>>>
>>>
>>> http://www.ethereal.com
>>
>>Best choice for a low budget(free), works well. Be sure you are using the
>>current version as I remember a vulnerability bug recently where an
>>attacker could take over the ethereal equipped PC. Monitoring is best
>>accomplished from inside the switch closet. My experience indicates
>>commonly such things may be being done by another employee for various
>>reasons, so you probably want to keep activity private/quiet. I have seen
>>Trojans being operated by people inside as well as outside the network.
>>
>>Ensure no plug in type keyloggers are attached to the input plug of the
>>keyboard plug. I have seen plug type keyloggers do strange activity with
>>the mouse especially as the keylogger gets full. Of course you never want
>>to see one of those anywhere on your network, but they are a readily
>>available device one must be alert for. Because they are so small
>>(fitting like a keyboard plug extension or adapter) and easily placed and
>>removed you may need to be aware of the possibility. They are pretty hard
>>to spot unless you are looking for them. I never have tried to figure out
>>why/how something on the keyboard plug could interfere with mouse, but it
>>is something that has been observed.
>>
>>Winged
>
>
>
I would just use a small hub (not a switch) or you can use a splitter to
monitor traffic. With a splitter you will see some collisions. If you
have a tap you can use that with no issues.
Winged


