>Okay, maybe I should have narrowed the question ... I'm pretty aware of
>where to get copies of BO2K, and where to go for info.  What I was asking
>was how in particular does one detect something that could come in many
>different forms (since source code is being released)?  Preventative
>measures are good, but I'm also interested in contingency measures.

Since source is released for BO2K, modifying things like packet
characteristics, daemon port, mode of deployment should be trivial, so
scanning for the like seems futile in the long run. What you can do is note
any suspicious services that crop up on your NT box that shouldn't be there.

So I think what's needed is probably something along the lines of a
host-based IDS, AV, or network scanner which captures an image of a clean
system's network port profile, i.e. which ports it listens to. I know I do
this on a regular basis by just issuing a "netstat -an | grep LISTENING"
(sorry for mixing a unix tool with an NT example, but you get my drift).
A simple script file would probably do the trick, something along
the lines of:

if [ ! -f clean.image ]; then
  # first run: record the clean system's listener profile
  netstat -an > clean.image
else
  # later runs: show listeners that appeared or vanished since the clean image
  netstat -an | diff clean.image -
fi

You get the idea. The only way this could be a bit more thorough is to
actually check if an existing daemon was not subverted, i.e. check to see if
a valid DNS did not get replaced by a BO2K listening on port 53.

--
Gene Lee
[EMAIL PROTECTED]
[EMAIL PROTECTED]
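The baseline-and-diff idea from the post above, worked through as an added example (this is not code from the original message). It parses `netstat -an` output into a set of listeners, stores a clean baseline, and reports any listener that appeared or vanished. The two netstat dumps, the host address 10.0.0.5 and the unexpected port 2345 are constructed samples, and the parser accepts both the Windows column layout (state `LISTENING`) and the Unix one (state `LISTEN`) so the same script runs on either side of the unix/NT mix the post mentions.

```python
"""Baseline-and-diff of a host's listening ports from `netstat -an` output.

Added example, not from the original mailing-list post. The netstat dumps
below are constructed samples; the live `snapshot_from_host()` helper is the
only part that actually runs netstat, so the sample run works offline.
"""
import re
import subprocess
import sys

# Constructed sample: a clean NT box's listener profile (Windows layout).
CLEAN_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:53             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    10.0.0.5:139           10.0.0.9:1041          ESTABLISHED
  UDP    0.0.0.0:53             *:*
"""

# Constructed sample: the same box later, with one listener (TCP 2345) that
# was not in the clean image.
LATER_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:53             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2345           0.0.0.0:0              LISTENING
  UDP    0.0.0.0:53             *:*
"""

LISTEN_STATES = {"LISTEN", "LISTENING"}          # Unix and Windows spellings
ADDR_PORT = re.compile(r"^(.+)[:.](\d+)$")       # 0.0.0.0:53, [::]:53, *.53


def parse_listeners(netstat_output):
    """Return the set of (proto, local_addr, port) the host is listening on.

    TCP sockets count only in a LISTEN/LISTENING state; UDP sockets have no
    state column, so every bound UDP socket is treated as a listener.
    Header lines ("Proto ...", "Active Connections") are skipped.
    """
    listeners = set()
    for line in netstat_output.splitlines():
        fields = line.split()
        if not fields:
            continue
        proto = fields[0].lower()
        if not (proto.startswith("tcp") or proto.startswith("udp")):
            continue
        if proto.startswith("tcp") and fields[-1].upper() not in LISTEN_STATES:
            continue  # ESTABLISHED, TIME_WAIT, ... are not listeners
        # The first addr:port-shaped field after the protocol is the local
        # address; on Unix the Recv-Q/Send-Q integers before it never match.
        local = next((f for f in fields[1:] if ADDR_PORT.match(f)), None)
        if local is None:
            continue
        addr, port = ADDR_PORT.match(local).groups()
        listeners.add((proto[:3], addr, int(port)))
    return listeners


def diff_listeners(baseline, current):
    """Listeners that appeared since the clean image, and ones that vanished."""
    return {"new": sorted(current - baseline), "missing": sorted(baseline - current)}


def snapshot_from_host():
    """Live equivalent of the post's `netstat -an` (not used by the sample run)."""
    out = subprocess.run(["netstat", "-an"], capture_output=True,
                         text=True, check=True).stdout
    return parse_listeners(out)


if __name__ == "__main__":
    report = diff_listeners(parse_listeners(CLEAN_NETSTAT),
                            parse_listeners(LATER_NETSTAT))
    for proto, addr, port in report["new"]:
        print(f"NEW listener: {proto} {addr}:{port}")
    for proto, addr, port in report["missing"]:
        print(f"MISSING listener: {proto} {addr}:{port}")
    # Non-zero exit so a scheduled run can raise an alert on any new listener.
    sys.exit(1 if report["new"] else 0)
```

Run from a scheduled job, the script only flags ports that differ from the clean image, which is exactly the limit the post points out: a daemon replaced on its expected port (the port 53 case) produces no difference here and needs a separate check of the service binary itself.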

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]