Stephen Wilcox | 1 May 2003 16:20

Xupiter


Has anyone heard of Xupiter storing itself in the memory section of the 
PC, so when it's uninstalled and the computer is rebooted it can reinstall 
itself?

---------------------------------------------------------------------------
FastTrain has your solution for a great CISSP Boot Camp. The industry's most 
recognized corporate security certification track, provides a comprehensive 
prospectus based upon the core principle concepts of security. This ALL INCLUSIVE curriculum utilizes
lectures, case studies and true hands-on utilization 
of pertinent security tools. For a limited time you can enter for a chance 
to win one of the latest technological innovations, the SEGWAY HT. 
Log onto http://www.securityfocus.com/FastTrain-security-basics 
----------------------------------------------------------------------------

Stephen Entwisle | 1 May 2003 17:53

SecurityFocus Article Announcement


The following articles are now available on the SecurityFocus site:

Honeypots: Simple, Cost-Effective Detection

By Lance Spitzner

This is the fourth article in an ongoing series on honeypots. This article
will examine the role of honeypots in detection.

http://www.securityfocus.com/infocus/1690

RIAA messaging gambit faces countermeasures

By Kevin Poulsen

Peer-to-peer techies use IP blacklists and specialty software to deal with
copyright police.

http://www.securityfocus.com/news/4359

Stephen Entwisle
Moderator, Security-Basics
SecurityFocus
http://www.securityfocus.com
(403) 261-5417


Imran K | 1 May 2003 18:59

Types of VPNs

Greetings, 

I am looking for conceptual pointers about VPNs.

Things like,

(1) Types of VPNs, (2) Difference in both types of tunnels (AH/ESP), (3) difference in implementation and
their behavior in a production environment for both types of VPNs, (4) Single tunnel vs. split tunnel, and can
this be implemented in both types of tunnels?

If someone out there could give me some pointers, that would be very helpful.

Cheers, 

I



Mark Maher | 1 May 2003 20:32

Re: Xupiter

Xupiter is nasty stuff. Use Spybot (http://security.kolla.de/) to
eliminate. Ad-aware has not been updated in a while, and the last time I
tried it, it did not detect Xupiter (Spybot did). Here's a few links to
further explore:
http://www.doxdesk.com/parasite/Xupiter.html

http://www.spywareinfo.com/newsletter/archives/september-2002/09212002.php

http://www.alanluber.com/pcfearfactor/officialxupiterpage.htm

http://www.pchell.com/support/xupiter.shtml

http://www.wired.com/news/infostructure/0,1377,57467,00.html

>>> Stephen Wilcox <Stephenwilcox <at> universalcomputersys.com> 05/01/03 09:20AM >>>

Has anyone heard of Xupiter storing itself in the memory section of the
PC, so when it's uninstalled and the computer is rebooted it can reinstall
itself?


Dave | 2 May 2003 09:48

Re: rogue IP address

Hi, 
    I do not know your switch or your network layout, but a generic method 
which works in most cases is to set up a fast/"large data size" ping to said 
IP address. 

Look for the fastest blinking light. 

I know it is not scientific, and probably offends some people, but it does 
work (for up to a few hundred ports).

- Assumes a flat network.
- Better to do it at a 'quiet' time; the effect is more noticeable.
- Assumes that you are aware of your important ports (servers/routers etc.), 
which normally have high load anyway.
- Do NOT do it if network performance is critical; you can overload the best 
of switches with ICMP.
- Maybe there are a few ports which look like possibilities, but at least you 
have narrowed them down. 

/Dave

On Thursday 01 May 2003 00:40, dondon <at> pacbell.net wrote:
> Someone on our network assigned an IP address to their own system without
> my knowledge.  Using LANguard network scanner, the best I can tell is that
> it's a Linux box.  The port-to-IP mapping table on our Asante switch
> doesn't seem to work correctly.
>
> Any suggestions on tracing down that system that is associated with the IP
> is appreciated!
>

Mark G. Spencer | 2 May 2003 17:54

GUIs for Win32 Snort?

I'm looking for comments on GUIs for the Win32 port of Snort.  After
searching Usenet, it seems that Demarc is (was?) the best tool for this, but
I noticed the Demarc folder on the Snort website is empty.  Apparently ACID
has a few prerequisites.

Are there any GUIs that will work with a default installation (non-MySQL)
of Win32 Snort?

Thanks!

Mark


Richard Caley | 1 May 2003 19:30

Re: rogue IP address

In article <20030430224002.18480.qmail <at> www.securityfocus.com>, dondon  (d) writes:

d> Any suggestions on tracing down that system that is associated with the IP 
d> is appreciated!

Well, to be old fashioned, start a ping, then pull and replace plugs
until you spot the one which causes the ping to miss a beat. You
should be able to walk down a tree of hubs/switches like that in less
time than working out a smarter plan.

Great big signs at all staff toilets threatening mayhem to whoever it
is if they don't own up within the week.

If it's a fairly out-of-the-box Linux installation it may be running
sendmail, which may give you a way to contact the person responsible
if they read mail sent to root.

Perhaps you can block that IP at some firewall or router, then wait to
see who calls support to say their network connection has died.

If you can sniff packets, perhaps you can spot what they are doing, if
so that may give a clue who they are, or at least a clue as to
services they are using. From there you could, for instance, tell a
file server they are using to reject connections from that IP and
again wait for them to complain.

The fun story-to-tell-in-the-pub way would be to find out what sort of
linux it is, find a recent security report and crack the
machine. Probably not worth the effort, but nice to think about when
pulling plugs and planning the mayhem to apply when you find them.

Burton M. Strauss III | 2 May 2003 00:39

RE: rogue IP address

Sometimes, the alert from the LAN management software can be enough - if it
shows the MAC addresses involved.  For example, if it's a D-Link MAC
address - see the OUI list at the IEEE - and all you have are 3Com NICs,
well, the hardware probably won't look like any of your other machines
either and may stand out to a visual audit (that's IT speak for walking
around being nosy, poking your head into cubicles and offices looking for
hardware you don't recognize).

Thoughts...

Program the switch to drop that IP address - see who screams.  If the switch
won't do it for you, you may have to get brutish here - build a transparent
filtering bridge and drop the packets that way.

Try using tcpdump to see if you can sniff the packet streams and run
something like strings on it.  It may give you login names etc. that you
recognize.

tcpdump -w x.raw -c50
strings x.raw | grep USER
strings x.raw | grep PASS   (Since people use their mail address for
anonymous ftp)

etc.

(This one is a real PITA, but it works - I've done it successfully)  On the
weekend, unplug each of your backbone switch segments, one at a time and see
when the rogue drops off the network.  Then follow it down to (ultimately) a
single LAN segment and thence to a specific physical port.  Remove said box
and ransom it back at the cost of an agreement to play nice in the future.

Jose Guevarra | 1 May 2003 19:19

RE: rogue IP address


  If you can ping it with a machine on the same subnet/broadcast domain you
can check your ARP tables for the IP to MAC mapping.  I'm not familiar with
Asante switches, but hopefully they can tell what port a certain MAC address
is located on.

 I actually have all my machines register their MAC addresses before I
assign an IP. I've written a script that scans class C subnets and then
parses the ARP tables for new or unregistered MAC addresses. I can then
trace them back using our HP 4000/8000 switches.

HTH

* Can someone help me with the details here.

  - What topology is needed for one machine to see and store another's MAC?
Do you need some sort of physical or virtual (VLANs) 'device' that transports
ARP packets?  How does that fit into Class C subnets, and do other subnet
types allow for OSI Layer 1 and 2 traffic?

 Please excuse my ignorance and bad wording in the matter.

thanx,

-----Original Message-----
From: dondon <at> pacbell.net [mailto:dondon <at> pacbell.net] 
Sent: Wednesday, April 30, 2003 3:40 PM
To: security-basics <at> securityfocus.com
Subject: rogue IP address

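An added example, not the script from the post above or from any of the other posters, of the two checks this thread describes: Jose's "scan the subnet, parse the ARP table, flag MACs that were never registered", combined with Burton's "look at the vendor prefix (OUI) of the unknown MAC". It parses "arp -n" style output, reports entries missing from a MAC register, and tags each with a vendor lookup on the first three octets. The ARP output, the register and the OUI table are all constructed samples; a real deployment would read the ARP table from the host and the OUI list from the IEEE.

```python
"""Flag unregistered MAC addresses in an ARP table and tag their vendor prefix."""
import re
from typing import Dict, List, Tuple

# Constructed sample in the style of Linux `arp -n` output (not real hosts).
SAMPLE_ARP = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.1              ether   00:AA:BB:00:00:01   C                     eth0
192.168.1.20             ether   00:AA:BB:00:00:14   C                     eth0
192.168.1.77             ether   00:CC:DD:12:34:56   C                     eth0
192.168.1.99                     (incomplete)                              eth0
"""

# Constructed register of approved MACs (the list Jose's process would hold).
REGISTERED = {"00:aa:bb:00:00:01", "00:aa:bb:00:00:14"}

# Constructed placeholder OUI table keyed by the first three octets; the real
# table is the IEEE OUI list Burton refers to.
OUI_TABLE = {"00:aa:bb": "CorpStandardNIC (placeholder vendor)"}

# One ARP line: IPv4 address, hardware type "ether", then a 17-char MAC.
ARP_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+ether\s+([0-9a-f:]{17})", re.I)


def parse_arp(text: str) -> List[Tuple[str, str]]:
    """Return (ip, mac) pairs; header and incomplete entries carry no MAC and are skipped."""
    pairs = []
    for line in text.splitlines():
        m = ARP_RE.match(line)
        if m:
            pairs.append((m.group(1), m.group(2).lower()))
    return pairs


def vendor(mac: str, oui: Dict[str, str] = OUI_TABLE) -> str:
    """Look up the vendor prefix; an unknown prefix is itself a useful signal."""
    return oui.get(mac[:8].lower(), "unknown vendor")


def unregistered(text: str, registered=REGISTERED) -> List[Tuple[str, str, str]]:
    """(ip, mac, vendor) for every ARP entry whose MAC is not in the register."""
    return [(ip, mac, vendor(mac)) for ip, mac in parse_arp(text)
            if mac not in registered]


if __name__ == "__main__":
    for ip, mac, vend in unregistered(SAMPLE_ARP):
        print(f"unregistered: {ip} {mac} ({vend})")
```

The unregistered MAC's vendor string is what you would then carry to the switch's MAC-to-port table or to a walk of the floor.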

SMiller | 1 May 2003 19:03

Re: dispatcher.aspx


Have you run Ad-Aware? A Google search on just "dispatcher.apsx" yields
results at 2 sites. 1 is "cermet.net", which appears to be an Italian Q/C
certification outfit of some sort. The second site "vajlugkub.com", looks
suspiciously like a spammer's site to me.

-Scott Miller
Tune into FOX Network - the official organ of the Ministry of Homeland
Security

                                                                                                                           
Jeff Harris <jharris <at> tahongawaka.nu>, 04/30/2003 05:45 PM
To: security-basics <at> securityfocus.com
Subject: dispatcher.aspx

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I was checking my log files for my linux webserver/router/firewall/NAT,
and noticed that my Win2K machine (internal network) was pounding the
webserver for http://myurl/internal/dispatcher.aspx

This only happened on Friday, at the rate of about 3 times a minute, and
only from the Win2K machine. A check of Google, Symantec and McAfee doesn't
yield any results. Does anyone have any insights as to what might be
causing this?
