http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
Cisco TAC I'm sure could also help. The link above has all of the #'s
world wide for 24/7 support.
Tim
-Original Message-
From: Vachon, Scott [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 31, 2003 10:52 AM
To: [EMAIL PROTECTE
Not sure if this is understood or not. If someone wanted to hijack that
IP address, they would have to control a computer on the same network
as that ip address. Otherwise packets they wanted to receive (to the
hijacked address) would go to the wrong network. With TCP, that means
they cannot ev
I did state in my first mail that it was the pixes that were controlling the
vpn/encryption, but I may not have been clear. So there it is again. :)
Anyway, the 2 versions that we tried to upgrade to are:
c820-k9osy6-mz.12.3-1a (24/8) and
12.2(15)T4/5
Currently we are running:
12.2 (sorry this
I had a similar situation, but rather than using OpenBSD found Astero
(http://www.astero.com). The firewall runs on a hardened Linux kernel, and
you can add Kaspersky AV if so desired for a nominal sum (or free, if you
participate actively in Astero's power users forum.) The firewall can be
downlo
The backdoor could easily only accept connections from non local sources, or
a specific source. It's probably easier to just run netstat, lsof, etc.
from clean, trusted media... or also boot into single user mode from a
trusted kernel image. In fact, you should always have trusted kernel images
Check out http://www.spywareinfo.com and http://www.wilders.org.
SpywareBlaster and SpywareGuard are a nice little pair of freeware
utilities that will prevent them from installing in the first place, and -
if already installed - can usually disable them.
AdAware and SpyBot Search and Destroy
Adam,
Question: (surprised nobody asked)
What is doing the VPN, the routers or the PIXes?
I'm sure we are all assuming that it's the PIXes.
-James
Everyone else (who is involved and/or wants to jump in)...update your
subject line to clearly identify this new offshoot thread
At 12:59
Hi,
I am just writing back to the list since I received a lot of the replies
directly and wanted to make sure the information was shared.
Unanimous opinions going for PGP disk (http://www.pgpi.org), so I guess that
made it all easy for us.
Thanks to all,
--
Ricardo Oliva
Labs Systems Administ
In the particular thing, use the program of SecurStar, DriveCrypt and
DriveCrypt Bonus Pack, which have given me excellent results.
You can get them to prove them from the one it Emulates.
Alcides
Systems developer
-Original Message-
From: Birl [mailto:[EMAIL PROTECTED]
Sent: Thursday,
I saw some people talking about rootkits that hide processes/ports.
One thing that I always do to see what ports are open is to run this
perl script:
use IO::Socket;
for($i=0;$i<=6;$i++)
{
$server[$i] = IO::Socket::INET->new(
Proto => 'tcp',
LocalPort => $i,
On Thursday, July 31, 2003 at 4:52 PM, Scott wrote:
> This is totally up to the ISP itself. They may have had the block
> previously allocated to something else that they did reverse DNS for.
> They may also do reverse DNS for sanity sake. Lots of ISPs give a
> location and other information as
On Thursday, July 31, 2003 at 5:23 PM, Edward wrote:
> IP Allocation has nothing to do with which IPs are being used.
Understood.
> This is the right thing (even if I'm not using any of those IPs) because
> for a set period of time those IPs are my 'property' they are not IPs that
> are avail
>Background:
>We have a Cisco 827 router and a PIX 506e locally. Router being in front of
>the PIX. We also have a co-location facility that we are connected via a
>constant VPN tunnel. There we have a PIX 515e. The two pixes are what
>control the VPN/encryption.
>So we upgraded the router to
Hi Adam,
This sounds like an interesting problem. Please could you send details of
the cheat sheet and the versions of IOS that you upgraded to? My thoughts
are that you may have created an access list that denied the protocols
needed for your VPN tunnel, these being IKE and IPSEC. With access
It means that you have a rootkit installed and it is hiding some
process. It doesn't mean that your ps or netstat has been trojaned...
Dbc
>On Thu, 2003-07-31 at 09:18, Meritt James wrote:
> As a couple of untried thoughts, is 'ps' itself corrupted? Will you get
> the right thing with full-p
I think someone else mentioned this in their post as well. Some of these
firewalls (zone alarm excluded) for windows have a tendency to 'alter' (?)
winsock. And your TCP/IP settings. You may want to erase your tcp/ip
settings in network configuration and just re
As it was written on Jul 31, thus Chance Orr spake unto [EMAIL PROTECTED]:
Chance: Date: 31 Jul 2003 04:41:15 -
Chance: From: Chance Orr <[EMAIL PROTECTED]>
Chance: To: [EMAIL PROTECTED]
Chance: Subject: What does this mean??? Event Log Scan
Chance:
Chance:
Chance:
Chance: 07/30/2003 23:
My network consultant is the one who has the cheat sheet now, but all that
was on there was how to upgrade the IOS. No other commands or anything. If
my memory serves me right, all that was on there was:
copy tftp flash
At that point it starts the flash process. When it's done, just reboot
On Wed, Jul 30, 2003 at 05:28:22PM -0400, Vlady wrote:
> Hi,
> One of my machines is hacked and chkrootkit-0.40 tells me that I have 3
> processes hidden from "ps". All of my system binaries look like being clean.
> Using "netstat" I can see that there is not a listening service other than the
>
David
I totally agree with your concept.
Thanks to all who have responded!
David Gillett wrote:
Outsourcing is a good strategy for businesses with lots of
cash (...) to consider as an alternative to developing in-house
expertise in areas that lie away from their "core competencies".
I don't
Hi-
Is chkrootkit the reason you believe your box was hacked? If so, please
check the chkrootkit site at http://www.chkrootkit.org. They have a mailing
list I don't have access to right now but there was a bit of conversation
about false positives.
Kevin Johnson
-Original Message-
From
Subject about says it all. I can't get to chkrootkit.org to report the bug I
found. Seems that Bind (with threads) under the latest 2.6.x Linux kernel
makes the latest chkrootkit think that there are hidden processes. Something
to do with named usin
It looks like part of the boot sequence.
However, have you done pen-testing on your PC to see if your firewall is
working and do you have any inspiring cracker kiddies at home?
Regards,
Greg DeGennaro Jr., CCNP
Security Analyst
-Original Message-
From: Chance Orr [mailto:[EMAIL PROTECT
On Wed, 2003-07-30 at 19:02, [EMAIL PROTECTED] wrote:
> Is there any method to eliminate all the netbios traffic, and, at the same time, the
> machine can still share resources and map drive?
I've set my firewall to simply ignore traffic to ports 137 and 139. That
seems to work with a Cisco PIX,
This happens when a Windows 2000 machine cannot contact a DNS or DHCP
server; Windows then assigns the 169.254 address if it cannot contact a DHCP
server to renew the DHCP-assigned address.
-Original Message-
From: stephen at unix dot za dot net [mailto:[EMAIL PROTECTED]
Sent: Thursday, Ju
For a while it was common for some servers to reject connections
from IP addresses that didn't resolve via reverse DNS(*). Since
delegating reverse DNS along other than Class C boundaries is a
real pain (not impossible, but all 3 ways to do it count as
kludges...), an ISP that does it for an
The horse's mouth:
http://www.iana.org/assignments/port-numbers
> -Original Message-
> From: stephen at unix dot za dot net [mailto:[EMAIL PROTECTED]
> Sent: July 30, 2003 23:54
> To: Jason Armstrong
> Cc: '[EMAIL PROTECTED] '
> Subject: RE: source LAN port 137 dest 169.x
>
>
>
> cat
I just joined this list so I haven't seen the whole thread on this issue,
thus my company's particular issue may have been discussed already, but I
thought I would see if I could get some help anyway.
Background:
We have a Cisco 827 router and a PIX 506e locally. Router being in front of
the PIX.
Do those unused IP addresses point anywhere? i.e. if you type them into a
browser, do they load up a web page or do they just not go anywhere? I
would imagine if they sold you a block of IP addresses, they have a script
that'll generate all the DNS entries for them and someone just screwed up
IP allocation has nothing to do with which IPs are being used.
What the IP allocation from ARIN/RIPE/APNIC/LACNIC does is give you the right
to use those IP addresses, which should (in theory) be routable to you
(depending of course on things like who your internet provider is).
To use your example. Sa
07/30/2003 23:49:02 612 Audit Policy Change Success audit Critical
Security SYSTEM xx
07/30/2003 23:49:02 540 Successful Network Logon Success audit Critical
Security ANONYMOUS LOGON xx
07/30/2003 23:49:24 680 Account Used for Logon Failure audit Critical
Security SYSTEM
Outsourcing is a good strategy for businesses with lots of
cash (...) to consider as an alternative to developing in-house
expertise in areas that lie away from their "core competencies".
I don't think it's a big stretch, though, to recognize that
Security and Trust are, or should be, a bank's
As it was written on Jul 30, thus Vlady spake unto [EMAIL PROTECTED]:
vlady: Date: Wed, 30 Jul 2003 17:28:22 -0400
vlady: From: Vlady <[EMAIL PROTECTED]>
vlady: To: [EMAIL PROTECTED]
vlady: Subject: hidden processes
vlady:
vlady: Hi,
vlady: One of my machines is hacked and chkrootkit-0.40 te
This is totally up to the ISP itself. They may have had the block
previously allocated to something else that they did reverse DNS for.
They may also do reverse DNS for sanity sake. Lots of ISPs give a
location and other information as to where the IP is allocated. For
instance, comcast has: 68
It may depend on the kind of ISP you're dealing with. DSL/Cable
providers seem to assign generic DNS entries such as
host01.client.com, host02.client.com, etc. for every IP address in a
block. I believe most ISPs offering leased lines will do the same;
however they will usually change the DNS ent
There is a list of unpatched IE security holes
http://www.pivx.com/larholm/unpatched/ There
are currently 19 unpatched vulnerabilities.
Be protected - use Mozilla!
> Is there any method to eliminate all the netbios traffic,
> and, at the same time, the machine can still share resources
> and map drive?
"Windows File Sharing" uses NetBIOS as its transport. If you
need it to work, there will be NetBIOS traffic.
David Gillett
> -Original Message
You can try to use the lsof command and check it against your ps output.
You can also check in your /proc filesystem.
If you have another server with the same OS version, you can try to do
an md5sum on your ps and netstat commands. This will show you if those
commands have been modified by the hacker...
As it was written on Jul 30, thus Ricardo Oliva spake unto [EMAIL PROTECTED]:
Ricardo: Date: Wed, 30 Jul 2003 10:29:24 -0700
Ricardo: From: Ricardo Oliva <[EMAIL PROTECTED]>
Ricardo: To: [EMAIL PROTECTED]
Ricardo: Subject: Encrypted File Systems
Ricardo:
Ricardo: Hi,
Ricardo:
Ricardo: I am j
I'm guessing you're looking into a pretty much automatic, "hey, I put in my
password at login so don't even make it appear as though my files are
encrypted". In terms of EFS, a quick Google search gives a lot of "Windows
EFS gets thumbs up"...take 10 minutes to search the right thing and it's
covered
As a couple of untried thoughts, is 'ps' itself corrupted? Will you get
the right thing with full-path specification? And you may want to
(briefly - it is a space hog) turn on process accounting and take a look
at that.
BTW: What does "hidden from ps" mean?
Jim
Vlady wrote:
>
> Hi,
> One of
Oh, you guys are no fun at all.
The key to a conspiracy theory is that the facts have
to at least marginally support the theory and not
prove it. Just enough evidence to make one paranoid
but not make you want to hide in your fallout
shelter.
This is perfect for a conspiracy, Very large company
A bank is outsourcing? Yeah. There may well be privacy and
treasury guidance that restricts what they can do. I recommend
checking.
Jim
pablo gietz wrote:
>
> Sr.
>
> I am the Security administrator of that Bank, and the "management"
> wants to give hosting to some ISP (friend of them)
cat /etc/services |grep
:)
On Tue, 29 Jul 2003, Jason Armstrong wrote:
> Also, check out this great site:
>
> http://www.networksorcery.com/enp/protocol/ip/ports0.htm
>
> It has a listing of all of the well-known ports.
>
> Port 137 is NETBIOS.
>
> Jason
>
>
>
> -Original Message-
Hi,
I've googled but haven't really come across anything that answers my
questions. Is it common practice for ISPs to allocate a block of
addresses to a customer and put in DNS records for ones that are
unused?
For example, xxx.8-xxx.15 is assigned to the customer. Customer uses
xxx.9 for the r
On 2003-07-29 David Gillett wrote:
> Routing decisions are made by examining one possibility at a time;
> once a match has been found, the rest of the routes need not be
> examined. So the presence of multiple candidate matches doesn't
> interfere with the process at all.
[...]
> The example of th
Hi all,
In Control Panel->Network->Bindings tab->Select "all services", after disabling
the "NetBIOS Interface" service, NetBIOS traffic still exists after running some software.
The NetBIOS traffic is observed by the Microsoft Network Monitor.
I can only eliminate all the netbios traffic by disabl
Hi,
Where are you trying to ping?
I used sygate firewall once, even when it was disabled I found that
it still blocked and filtered packets :/
I also had mcafee antivirus and I found that after installing a
protocol or installing a new NIC the "inbu
> I'm not sure, but I believe that if an LKM is clever enough (i.e. very well
> programmed), it can really 'wipe' a file/process/??? from the system, so
> it's hard sometimes to diagnose your server
It really can. I never did it (too lazy :), but the concept of doing it is
rather simple. You create a k