[NTLUG:Discuss] Intrusion and Detection

Frank Lewis sapremias at yahoo.com
Wed Dec 26 07:11:38 CST 2001


You all may want to take a look at http://www.demarc.org/ 

This is some pretty good network-based IDS software based on Snort.

-----Original Message-----
From: discuss-admin at ntlug.org [mailto:discuss-admin at ntlug.org] On Behalf
Of Chris Cox
Sent: Tuesday, December 25, 2001 10:38 PM
To: discuss at ntlug.org
Subject: Re: [NTLUG:Discuss] Intrusion and Detection

Kenneth Loafman wrote:
...
> It's been fun, not as much fun as taking apart viruses, but fun indeed.
> Glad the machine was not a primary.  Gives me time to dissect and
> examine.  Still trying to figure out what the goal of the attack was.  I
> think I'll have to take things apart piece by piece until I find out.
> It's not obvious.

Many times, the goal is simply to create a "drone" platform for
DDoS (Distributed Denial of Service) attacks.  Many denial of service
attacks require many machines to attack a particular system in order
to generate the desired effect.  Especially look for the IRC ports, like
6666 and 6667... if they're now open... check your firewall logs for
the IPs being used to contact your machine on those ports... my guess
is that you'll find several more boxes out there that are part of
the "drone" community (use whois tools to find out the admins of the
platforms, contact them so they can clean themselves up).

This is just an example of a common set of root kits I've seen.  Could
be others operating on different ports... and not necessarily for
the purpose of DDoS.

_______________________________________________
http://www.ntlug.org/mailman/listinfo/discuss


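The check Chris describes above (look for the IRC ports, then pull the peer IPs out of the firewall log and hand them to whois) as a small script. This is an added example, not code from the thread and not part of Demarc or Snort. It assumes the firewall writes iptables LOG-style lines to syslog (the `IN=... OUT=... SRC=... DST=... PROTO=... SPT=... DPT=...` fields); the log lines embedded below are constructed samples, not captured traffic, and the local host address 10.0.0.5 and the peer addresses are placeholders. It distinguishes two cases the thread lumps together: a remote host contacting a listener on *your* box on 6666/6667 (the compromised machine is serving IRC), and *your* box connecting out to a remote host on those ports (the drone reporting to its controller). Both kinds of peer are worth a whois lookup.

```python
"""Pull IRC-port peers out of iptables LOG lines (added example, not from the thread)."""
import re
import subprocess
from collections import defaultdict

IRC_PORTS = {6666, 6667}          # the ports named in the thread; extend as needed

_FIELD = re.compile(r"(\w+)=(\S*)")   # KEY=VALUE tokens; bare flags like SYN/DF are ignored

# Constructed sample log, not real traffic.  10.0.0.5 is the (hypothetical) local host.
SAMPLE_LOG = """\
Dec 25 22:01:12 host kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=1 DF PROTO=TCP SPT=40211 DPT=6667 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 25 22:01:13 host kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=10.0.0.5 LEN=52 TOS=0x00 PREC=0x00 TTL=50 ID=2 DF PROTO=TCP SPT=40211 DPT=6667 WINDOW=5840 RES=0x00 ACK URGP=0
Dec 25 22:03:40 host kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=3 DF PROTO=TCP SPT=51000 DPT=6666 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 25 22:05:02 host kernel: IN= OUT=eth0 SRC=10.0.0.5 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=TCP SPT=35112 DPT=6667 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 25 22:06:15 host kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.99 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=55 ID=5 DF PROTO=TCP SPT=44000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 25 22:07:00 host kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=10.0.0.5 LEN=84 TOS=0x00 PREC=0x00 TTL=50 ID=6 PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
Dec 25 22:07:30 host sshd[1234]: Accepted password for root from 192.0.2.99 port 44000 ssh2
"""


def parse_line(line):
    """Return the KEY=VALUE fields of one iptables LOG line, or None for any other line."""
    if "SRC=" not in line or "DST=" not in line:
        return None
    fields = dict(_FIELD.findall(line))
    return fields if "PROTO" in fields else None


def classify(fields, ports=IRC_PORTS):
    """Decide whether a parsed packet touches an IRC port and on which side.

    Returns {"peer", "direction", "irc_port", "side"} or None.  side == "local"
    means the IRC port is on this host (something here is listening on it);
    side == "peer" means this host is talking to an IRC port on the remote end.
    """
    if fields["PROTO"] not in ("TCP", "UDP"):
        return None                       # ICMP and friends carry no ports
    try:
        spt, dpt = int(fields["SPT"]), int(fields["DPT"])
    except (KeyError, ValueError):
        return None                       # fragments / truncated lines
    inbound = bool(fields.get("IN"))      # IN= is empty for locally generated packets
    if inbound:
        peer, peer_port, local_port = fields["SRC"], spt, dpt
    else:
        peer, peer_port, local_port = fields["DST"], dpt, spt
    direction = "inbound" if inbound else "outbound"
    if local_port in ports:
        return {"peer": peer, "direction": direction, "irc_port": local_port, "side": "local"}
    if peer_port in ports:
        return {"peer": peer, "direction": direction, "irc_port": peer_port, "side": "peer"}
    return None


def irc_peers(log_text, ports=IRC_PORTS):
    """Aggregate IRC-port hits per remote IP: count plus the ports seen on each side."""
    summary = defaultdict(lambda: {"count": 0, "local_irc_ports": set(), "remote_irc_ports": set()})
    for line in log_text.splitlines():
        fields = parse_line(line)
        hit = classify(fields, ports) if fields else None
        if not hit:
            continue
        entry = summary[hit["peer"]]
        entry["count"] += 1
        key = "local_irc_ports" if hit["side"] == "local" else "remote_irc_ports"
        entry[key].add(hit["irc_port"])
    return dict(summary)


def whois_contacts(ip):
    """Run the system whois(1) client and keep the contact-looking lines (needs network)."""
    out = subprocess.run(["whois", ip], capture_output=True, text=True, timeout=30).stdout
    return [l.strip() for l in out.splitlines()
            if re.match(r"(?i)(abuse|e-?mail|orgname|netname|descr|owner):", l)]


if __name__ == "__main__":
    for ip, info in sorted(irc_peers(SAMPLE_LOG).items()):
        print(f"{ip:16} hits={info['count']} listening-here={sorted(info['local_irc_ports'])} "
              f"remote-irc={sorted(info['remote_irc_ports'])}")
        # Uncomment on a connected box to pull the admin contacts Chris suggests mailing:
        # print("\n".join(whois_contacts(ip)))
```

Run against the real log with `irc_peers(open("/var/log/messages").read())`; the peer list is the "drone community" to report. A peer under `remote_irc_ports` is the more interesting one on a freshly compromised box, since it is where the drone is phoning home, while hosts under `local_irc_ports` are other machines (possibly drones themselves) reaching a listener the rootkit opened here.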