
Re: [FW1] Being hacked or not



Install a good sniffer on the outside leg of your firewall.
Get good at defining traffic filters, triggers and analyzing packet decodes.

You can't beat a sniffer product like NAI's DSS Sniffer Pro 4.0.
Unbeatable.

Besides, you can learn all sorts of things about your network (things you might
not have realized) by firing up a sniffer and cozying up with a hot cup of coffee
and some toothpicks to keep your eyelids open.

An IDS tool like Snort or RealSecure is good too, since it's usually easier to
set up and get some logging out of than it is to understand all of the types of exploits
they detect. However, it's not as good as a sniffer for watching things in real time,
and in my opinion the number of trojans detected is minuscule.

I had occasion to watch a script kiddie control a "Socket23" trojan on my network
(not my production network, it's a long story...)
Regardless, weird DHCP problems were occurring, addresses were getting handed out
to hosts that were not in our scope and the sniffer told us who was handing them out.
Needless to say, we started to monitor the traffic of this compromised host and saw
all kinds of neat stuff. (It would have been VERY upsetting stuff had this been at work.)
The cracker was sniffing passwords off the network (he wasn't getting much since it
was almost all switched hardware) and scanning for other compromised hosts
on the network (he managed to connect to at least one BO-compromised host).

It was just interesting to watch it in real time.
Some of the stuff he was doing is not a part of the standard Socket23 trojan, so I suspect
he had a heavily modified version. (Probably packaged in some hot new warez release.)

BTW, I have noticed that anti-virus products (and IDS) are not keeping up with the spread
of trojans. I downloaded close to 150 nasties, and only a small percentage were detected.

----- Original Message ----- 
From: <[email protected]>
To: <[email protected]>
Sent: Monday, October 23, 2000 4:25 PM
Subject: [FW1] Being hacked or not

> I think someone is trying to access my network.
> I'd like to know where I can find tools to retrace a hacker's site if I'm being
> hacked.
> 
> THX
> 
> Rales
> 
> ================================================================================
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
> ================================================================================
> 
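The rogue DHCP server in the story above is exactly the kind of thing a sniffer makes visible. As an added example (not code from the list post), here is a small checker that parses DHCP replies and flags any OFFER or ACK whose server identifier is not on an allow-list of known servers. The allow-list address, the client MAC and the sample packets are constructed for the demo; in practice the payloads would come from the UDP port 67/68 traffic a sniffer or pcap library hands you.

```python
import struct
from ipaddress import IPv4Address

# Assumed allow-list of the site's legitimate DHCP servers (placeholder address).
AUTHORIZED_DHCP_SERVERS = {"192.0.2.10"}
DHCP_MAGIC = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}

def parse_dhcp(payload: bytes) -> dict:
    """Extract yiaddr, client MAC, message type and server identifier from a DHCP payload."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    yiaddr = str(IPv4Address(payload[16:20]))        # address being handed out
    chaddr = payload[28:34].hex(":")                  # client hardware address
    opts, i = {}, 240                                 # options follow the magic cookie
    while i < len(payload) and payload[i] != 255:     # 255 = end-of-options
        if payload[i] == 0:                           # 0 = pad, has no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    msg_type = MSG_TYPES.get(opts.get(53, b"\x00")[0], "UNKNOWN")   # option 53
    server_id = str(IPv4Address(opts[54])) if 54 in opts else None  # option 54
    return {"type": msg_type, "yiaddr": yiaddr, "chaddr": chaddr, "server_id": server_id}

def find_rogue_offers(payloads):
    """Return (server_id, yiaddr, chaddr) for each OFFER/ACK from a server not on the allow-list."""
    hits = []
    for p in payloads:
        d = parse_dhcp(p)
        if d["type"] in ("OFFER", "ACK") and d["server_id"] not in AUTHORIZED_DHCP_SERVERS:
            hits.append((d["server_id"], d["yiaddr"], d["chaddr"]))
    return hits

def build_reply(msg_type, server_ip, yiaddr, chaddr):
    """Build a minimal DHCP reply payload; used only to construct the sample input below."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s", 2, 1, 6, 0, 0x1234, 0, 0, b"\0" * 4,
                        IPv4Address(yiaddr).packed, IPv4Address(server_ip).packed, b"\0" * 4)
    fixed += chaddr + b"\0" * 10 + b"\0" * 192        # chaddr padding, sname, file
    opts = bytes([53, 1, msg_type, 54, 4]) + IPv4Address(server_ip).packed + b"\xff"
    return fixed + DHCP_MAGIC + opts

MAC = bytes.fromhex("001122334455")                   # constructed client MAC
SAMPLE_PAYLOADS = [                                   # constructed, not a real capture
    build_reply(2, "192.0.2.10", "192.0.2.50", MAC),  # OFFER from the real server
    build_reply(2, "192.0.2.77", "10.9.8.7", MAC),    # OFFER from an unknown server
    build_reply(5, "192.0.2.10", "192.0.2.50", MAC),  # ACK from the real server
]
```

Running `find_rogue_offers(SAMPLE_PAYLOADS)` reports only the second packet, naming the unexpected server and the out-of-scope address it handed out.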