Re: [FW1] Being hacked or not
Install a good sniffer on the outside leg of your firewall. Get good at defining traffic filters, triggers and analyzing packet decodes. You can't beat a sniffer product like NAI's DSS Sniffer Pro 4.0. Unbeatable. Besides, you can learn all sorts of things about your network (things you might not have realized) by firing up a sniffer and cozying up with a hot cup of coffee and some toothpicks to keep your eyelids open.

An IDS tool like Snort or RealSecure is good too, since it's usually easier to set up and get some logging out of than it is to understand all of the types of exploits they detect. However, it's not as good as a sniffer for watching things in real time, and in my opinion the number of trojans detected is minuscule.

I had occasion to watch a script kiddie control a "Socket23" trojan on my network (not my production network, it's a long story...). Regardless, weird DHCP problems were occurring, addresses were getting handed out to hosts that were not in our scope, and the sniffer told us who was handing them out. Needless to say, we started to monitor the traffic of this compromised host and saw all kinds of neat stuff (it would have been VERY upsetting stuff had this been at work). The cracker was sniffing passwords off the network (he wasn't getting much since it was almost all switched hardware) and scanning for other compromised hosts on the network (of which he managed to connect to at least one BO-compromised host). It was just interesting to watch it in real time. Some of the stuff he was doing is not a part of the standard Socket23 trojan, so I suspect he had a heavily modified version (probably packaged in some hot new warez release).

BTW, I have noticed that anti-virus products (and IDS) are not keeping up with the spread of trojans. I downloaded close to 150 nasties, and a small percentage were detected.
----- Original Message -----
From: <[email protected]>
To: <[email protected]>
Sent: Monday, October 23, 2000 4:25 PM
Subject: [FW1] Being hacked or not

> I think someone is trying to access my network.
> I'd like to know where I can find tools to retrace a hacker's site if I'm being
> hacked.
>
> THX
>
> Rales
>
> ================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ================================================================================
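The reply above describes spotting a rogue DHCP server with a sniffer: leases were being handed out for addresses outside the configured scope, and the packet decodes showed which host was handing them out. The following is an added example, not code from the post or its author, that automates that check. It parses the BOOTP/DHCP payload a sniffer or IDS would capture, extracts the message type, the offered address and the server identifier option, and flags OFFER/ACK packets that come from a server not on an authorised list or that offer an address outside the expected scope. The authorised server `10.0.0.1`, the scope `10.0.0.0/24` and the sample packets are all constructed for the example.

```python
"""Rogue DHCP server detection over raw DHCP payloads.

Added example (not from the mailing-list post): parses the BOOTP/DHCP
payload that a sniffer or IDS would capture, pulls out the message type,
offered address and server identifier, and flags OFFER/ACK packets that
come from a server outside the authorised list or that hand out addresses
outside the expected scope. The sample packets below are constructed.
"""
import ipaddress

AUTHORISED_SERVERS = {"10.0.0.1"}                      # assumption: the real DHCP server
EXPECTED_SCOPE = ipaddress.ip_network("10.0.0.0/24")   # assumption: the lease scope

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of DHCP options after the BOOTP header
DHCP_MESSAGE_TYPE = 53
DHCP_SERVER_ID = 54
MSG_NAMES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def parse_dhcp(payload):
    """Return a dict with op, yiaddr and the DHCP options, or None if not DHCP."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        return None
    op = payload[0]
    yiaddr = str(ipaddress.IPv4Address(payload[16:20]))   # the address being offered
    options = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 255:          # end option
            break
        if code == 0:            # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            break
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) < length:  # truncated option list: stop rather than misread
            break
        options[code] = value
        i += 2 + length
    return {"op": op, "yiaddr": yiaddr, "options": options}


def check_offer(payload):
    """Return a list of findings for a server reply (empty if it looks legitimate)."""
    pkt = parse_dhcp(payload)
    if pkt is None or DHCP_MESSAGE_TYPE not in pkt["options"]:
        return []
    mtype = pkt["options"][DHCP_MESSAGE_TYPE][0]
    if mtype not in (2, 5):      # only OFFER and ACK hand out leases
        return []
    findings = []
    sid_raw = pkt["options"].get(DHCP_SERVER_ID)
    server = str(ipaddress.IPv4Address(sid_raw)) if sid_raw and len(sid_raw) == 4 else None
    if server not in AUTHORISED_SERVERS:
        findings.append(f"{MSG_NAMES[mtype]} from unauthorised server {server}")
    if ipaddress.IPv4Address(pkt["yiaddr"]) not in EXPECTED_SCOPE:
        findings.append(f"{MSG_NAMES[mtype]} offered {pkt['yiaddr']} outside {EXPECTED_SCOPE}")
    return findings


def build_offer(server_ip, offered_ip, msg_type=2):
    """Construct a minimal DHCP server reply (constructed test data, not a real capture)."""
    header = bytearray(236)
    header[0] = 2                                              # op = BOOTREPLY
    header[1] = 1                                              # htype = Ethernet
    header[2] = 6                                              # hlen
    header[16:20] = ipaddress.IPv4Address(offered_ip).packed   # yiaddr
    header[20:24] = ipaddress.IPv4Address(server_ip).packed    # siaddr
    options = bytes([DHCP_MESSAGE_TYPE, 1, msg_type])
    options += bytes([DHCP_SERVER_ID, 4]) + ipaddress.IPv4Address(server_ip).packed
    options += b"\xff"
    return bytes(header) + MAGIC_COOKIE + options


if __name__ == "__main__":
    # A legitimate offer, then an offer from an unknown server for an out-of-scope address.
    for pkt in (build_offer("10.0.0.1", "10.0.0.50"),
                build_offer("10.0.0.77", "192.168.1.20")):
        print(check_offer(pkt) or ["ok"])
```

In practice `check_offer` would be fed the UDP payload of port 67/68 traffic from a capture; the server identifier option is what a rogue server has to include to be usable, so it is a more reliable attribution than the IP header alone, and the out-of-scope check catches the symptom the post describes even when the identifier is spoofed.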