Re: Search for 'Backdoor'
From: Steven L Umbach (n9rou_at_nscomcast.net)
Date: 05/21/04
- Next message: MTNL: "Re: Recover from log on locally domain setting"
- Previous message: Steven L Umbach: "Re: Template Build Shows SID, Not Name"
- In reply to: Peter Kaufman: "Re: Search for 'Backdoor'"
- Next in thread: Peter Kaufman: "Re: Search for 'Backdoor'"
- Reply: Peter Kaufman: "Re: Search for 'Backdoor'"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 21 May 2004 01:42:27 GMT
Firewall logs are a good start for network traffic. A personal firewall such
as Sygate [free to try] has some excellent logging and the logs can be
sorted by column. Personal firewalls also have the advantage that you can
create firewall rules mapped to applications that can prevent
unwanted/unknown programs from accessing the network. Ethereal [free] is a
packet capture program which will give very detailed info on network traffic
and you can configure filters to narrow your search [ports and IP addresses]
and exclude what you don't want to see so as not to get overwhelmed with all
the entries. --- Steve
http://smb.sygate.com/small_business.htm
http://www.ethereal.com/ --- there is a version for Windows
"Peter Kaufman" <no@email.com> wrote in message
news:0sioa09pluihgtmnsbg67ku04eegft4pb2@4ax.com...
> Hi Laura,
>
> Auditing is a good tip, but I still wonder about a network/port
> capture (I am a bit out of my depth here..) Anyone have any ideas
> about that?
>
> Thanks,
>
> Peter
>
> On Wed, 19 May 2004 10:48:28 -0400, "Laura E. Hunter \(MVP\)"
> <hunter(nospamplease)@sfs.upenn.edu> wrote:
>
> >Unfortunately, the only way to be 100% sure that a suspected-compromised
> >system is intact is to rebuild it from scratch. (It's an ugly answer, but
> >it gives you peace of mind, since you know that there's nothing on the
> >server that -you- didn't put there.)
> >
> >Absent that, since it -is- a really ugly answer, a few ideas:
> >
> >Firewalls are good, as is installing and maintaining anti-virus software and
> >spyware detection utilities such as Ad-Aware. You can also enable Windows
> >auditing of object access to alert you whenever any data files are accessed.
> >(This will make for some -huge- log files for you to sift through, but in
> >your case sounds like it would be worth it.)
> >
> >You can also use IPSec filtering to allow -only- the ports that you want
> >this server to transmit on. Any other traffic would be dropped
> >automagically.
>
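As an added illustration of the log triage Steve describes above (this is not code from the thread, nor from Sygate or Ethereal), the script below filters constructed firewall log lines by program, port and remote address and drops the traffic you already expect, so only the unexplained connections are left to read. The CSV layout, program names and addresses are all made up for the example.

```python
import csv
from io import StringIO

# Constructed sample log in a hypothetical CSV layout (not Sygate's real format):
# time,action,direction,proto,local_ip,local_port,remote_ip,remote_port,application
SAMPLE_LOG = """\
2004-05-20 22:01:05,allow,out,TCP,192.168.1.10,1044,192.168.1.1,53,svchost.exe
2004-05-20 22:01:06,allow,out,TCP,192.168.1.10,1045,10.0.0.5,80,iexplore.exe
2004-05-20 22:03:11,allow,out,TCP,192.168.1.10,1046,203.0.113.7,6667,winupd32.exe
2004-05-20 22:03:12,allow,in,TCP,192.168.1.10,31337,203.0.113.7,4431,winupd32.exe
2004-05-20 22:04:00,block,in,TCP,192.168.1.10,445,198.51.100.9,2001,System
2004-05-20 22:05:30,allow,out,TCP,192.168.1.10,1047,198.51.100.9,6000,svchost.exe
"""
FIELDS = ["time", "action", "direction", "proto", "local_ip",
          "local_port", "remote_ip", "remote_port", "application"]

# The "exclude what you don't want to see" filters: what this host is expected to do.
KNOWN_APPS = {"svchost.exe", "iexplore.exe", "System"}
EXPECTED_OUT_PORTS = {53, 80, 443}
TRUSTED_HOSTS = {"192.168.1.1"}  # e.g. the local gateway / DNS server


def parse_log(text):
    """Parse the CSV lines into dicts, converting ports to integers."""
    rows = []
    for row in csv.DictReader(StringIO(text), fieldnames=FIELDS):
        row["local_port"] = int(row["local_port"])
        row["remote_port"] = int(row["remote_port"])
        rows.append(row)
    return rows


def suspicious(rows):
    """Return (application, reason, row) for allowed traffic that fails a filter:
    a program you did not install, a known program on an unexpected outbound
    port, or an inbound connection accepted from a host you do not trust."""
    hits = []
    for r in rows:
        if r["action"] != "allow" or r["remote_ip"] in TRUSTED_HOSTS:
            continue  # already blocked, or a known-good peer: not worth reading
        if r["application"] not in KNOWN_APPS:
            hits.append((r["application"], "unknown program", r))
        elif r["direction"] == "out" and r["remote_port"] not in EXPECTED_OUT_PORTS:
            hits.append((r["application"], "unexpected outbound port", r))
        elif r["direction"] == "in":
            hits.append((r["application"], "inbound from untrusted host", r))
    return hits
```

On a real export you would call `suspicious(parse_log(open(path).read()))` after adjusting the field list to the firewall's own column order.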