Re: Re: [Security] Newest Symantec Security Software

From: Jake-F Harwood <jakef_at_berkeley.edu>
Date: Thu May 12 2005 - 14:11:08 PDT

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

At 01:21 PM 5/12/2005 -0700, Tom Holub wrote:
>On Thu, May 12, 2005 at 11:13:13AM -0700, Jake-F Harwood wrote:
>
>If the hackers are actually accomplishing anything (that is, if their
>FTP server or back door is available to the net), SNS should be able
>to scan for them.
>
>--

That is very much like sticking your head in a hole to keep from being
eaten by a lion.

Here's an example that's not too uncommon.

You got hacked (you can pick how).

The payload installs multiple evil things, like:

an FTP server (seen on the network, and through the IDS),

an ident server (seen on the network, and through the IDS),

a key collector and password sniffer which sends its results back through
email, HTTP posts, or DNS queries (not seen on the network, but seen through the IDS),

and a back door that is available to the net (seen on the network; old
school), or maybe a back door that uses some type of back-connection to
bypass host-based firewalls (like Hacker Defender, or the like; new
school) (not seen on the network, but seen through the IDS).

In that example, you're still hosed any way you look at it.

The FTP server's there, but unusable. We (SNS) would most likely see it get
installed, but would throw out the alert as a false positive.

If we can't scan the hosts, not only can't we tell if there's something up, but
we can't even tell what OS it is, which also helps weed out false positives
based on OS matching to attacks.

We have pulled some passive OS fingerprint stuff into play (and we do), but
when I or any of the other IDS team are working on alerts, sometimes you
just need to scan a host to see what's up.

Seems like a lot of good info thrown out because you're worried about having
the security group's scanner IP spoofed.

So are you going to block that DNS server also? I hear there's holes for
that too.

Doesn't that same risk exist with the holes poked for the campus DNS
servers?

- -F

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQEVAwUBQoPGbSIJRNHUFoUuAQK7PAf9FaSWWsQZx/8HcZnb3fJkdv4a5R1gUQqT
61y4DaeOvkMWMzNmjvMmgInsFzPVO+iI2o+tXIr5uDbRfL48H9ngTZmdb9kpo7td
SrNLn4MgU9yOpC/px7+ogULi0Ft3c6+XgE/OjBQGen1G45znw3VqMhpgIPQYnnA9
qsBw+SFztOEMmZaIORib8De/5UvZxeW1WPPJ2wcKHXsnFZOscocuKYGOyCWQis1r
ezvZYjbT5QzIJfrp9WFAVvvlSPyvVfLEacQWXp3+THMdQZ6PLEKY9bnnGnf5T98f
z8Boam0r0jg3/bQJCPrg8szFJ3s/Ute2MgGmIjUuEZ6LaUAxi8ZNzA==
=zIgb
-----END PGP SIGNATURE-----
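The post above lists two compromise channels it calls "not seen on the network, but seen through the IDS": a keylogger that ships its take out over DNS queries, and a back door that connects outward so a host-based firewall never has an inbound connection to block. The script below is an added example, written for this archive page and not part of Jake's message, of SNS, or of any Berkeley tool; it shows the two detections an IDS analyst would run over query and connection logs to catch those channels. The log formats, IP addresses, domain names, thresholds and function names are all constructed assumptions for illustration.

```python
"""
Added example (not from the Micronet thread): two detections for the channels
the post describes as invisible to a port scan but visible to an IDS:
  1. a keylogger exfiltrating data inside DNS query names, and
  2. a back door that beacons outward on a fixed interval (reverse connection).
All log lines below are constructed for illustration, not captured traffic.
"""
import math
from collections import defaultdict

# Constructed sample DNS query log: "<epoch> <src_ip> <qname>"
DNS_LOG = """\
1115930400 169.229.10.7 www.berkeley.edu
1115930401 169.229.10.7 mail.berkeley.edu
1115930402 169.229.10.7 4a6b2e9f1c3d7e8b0a5f6c2d9e1f3a7b.c0ffee.example
1115930403 169.229.10.7 9e7d5c3b1a8f6e4d2c0b7a9f5e3d1c8b.c0ffee.example
1115930404 169.229.10.7 2f4e6d8c0b1a3f5e7d9c8b6a4f2e1d3c.c0ffee.example
1115930405 169.229.10.7 news.google.com
"""

# Constructed sample outbound connection log: "<epoch> <src_ip> <dst_ip> <dst_port>"
CONN_LOG = """\
1115930400 169.229.10.7 203.0.113.5 443
1115930417 169.229.10.7 198.51.100.20 80
1115930460 169.229.10.7 203.0.113.5 443
1115930491 169.229.10.7 198.51.100.20 80
1115930520 169.229.10.7 203.0.113.5 443
1115930533 169.229.10.7 198.51.100.77 80
1115930580 169.229.10.7 203.0.113.5 443
1115930601 169.229.10.7 198.51.100.20 80
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for empty input)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def dns_exfil_candidates(log: str, min_label: int = 24, min_entropy: float = 3.5,
                         min_queries: int = 3):
    """Return [(src_ip, parent_domain, n_queries)] for sources that repeatedly
    query long, high-entropy leftmost labels under one parent domain. A fresh,
    random-looking hostname per query is what data hidden in DNS looks like;
    ordinary names (www, mail, news) are short and fail the length test."""
    hits = defaultdict(int)
    for line in log.splitlines():
        if not line.strip():
            continue
        _ts, src, qname = line.split()
        labels = qname.rstrip(".").split(".")
        if len(labels) < 3:
            continue
        leftmost = labels[0]
        if len(leftmost) >= min_label and shannon_entropy(leftmost) >= min_entropy:
            hits[(src, ".".join(labels[-2:]))] += 1
    return sorted((src, parent, n) for (src, parent), n in hits.items()
                  if n >= min_queries)


def beacon_candidates(log: str, min_conns: int = 4, max_jitter: float = 2.0):
    """Return [(src_ip, dst_ip, dst_port)] for outbound flows that recur at a
    near-constant interval: the heartbeat of a back door that calls out to its
    controller instead of listening, so nothing inbound exists to scan for.
    Interactive browsing (the port 80 lines) has irregular gaps and is ignored."""
    times = defaultdict(list)
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        times[(src, dst, int(port))].append(int(ts))
    flagged = []
    for key, stamps in times.items():
        if len(stamps) < min_conns:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if max(gaps) - min(gaps) <= max_jitter:
            flagged.append(key)
    return sorted(flagged)


if __name__ == "__main__":
    for src, parent, n in dns_exfil_candidates(DNS_LOG):
        print(f"possible DNS exfil: {src} -> {parent} ({n} encoded queries)")
    for src, dst, port in beacon_candidates(CONN_LOG):
        print(f"possible reverse-connect beacon: {src} -> {dst}:{port}")
```

Both checks work from what the sensor already sees, which is the point of the thread: neither the encoded DNS names nor the outbound heartbeat would show up in a port scan of the victim, but an active scan (or a passive OS guess) of the flagged source is still what tells the analyst whether the alert fits the host, which is why the post wants the scanner's holes left open.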

------------------------------------------------------------------------
The following was automatically added to this message by the list server:

For information about Micronet, including subscribing to
or unsubscribing from its mailing list and finding out
about upcoming meetings, please visit the Micronet Web site:
<http://micronet.berkeley.edu/>.
Received on Thu May 12 14:12:46 2005

This archive was generated by hypermail 2.1.8 : Thu May 12 2005 - 14:12:47 PDT