Zombie / Botnet?

Hi,

One of our workstations is broadcasting a huge amount of UDP traffic (around 5Mbps) and I'm thinking it could be a zombied computer doing DDOS as directed by its controller. But the weird thing is - it has an updated McAfee AV with HIPS ?? Why was this not detected - or could I be reading this wrong? Here's a portion of the tcpdump:

14:00:20.509030 IP 192.168.10.10.smpppd > i.root-servers.net.hpstgmgr: UDP, length 1000
14:00:20.519512 IP 192.168.10.10.iiw-port > 77.91.227.67.4744: UDP, length 1000
14:00:20.520580 IP 192.168.10.10.odi-port > a.root-servers.net.4496: UDP, length 1000
14:00:20.521733 IP 192.168.10.10.brcm-comm-port > b.root-servers.net.4710: UDP, length 1000
14:00:20.523076 IP 192.168.10.10.pcle-infex > c.root-servers.net.826: UDP, length 1000
14:00:20.524186 IP 192.168.10.10.csvr-proxy > d.root-servers.net.3997: UDP, length 1000
14:00:20.525251 IP 192.168.10.10.csvr-sslproxy > E.ROOT-SERVERS.NET.funk-license: UDP, length 1000
14:00:20.526385 IP 192.168.10.10.firemonrcc > f.root-servers.net.sonuscallsig: UDP, length 1000
14:00:20.527798 IP 192.168.10.10.spandataport > G.ROOT-SERVERS.NET.4130: UDP, length 1000
14:00:20.528794 IP 192.168.10.10.magbind > h.root-servers.net.atmtcp: UDP, length 1000
14:00:20.529947 IP 192.168.10.10.ncu-1 > i.root-servers.net.direcpc-dll: UDP, length 1000
14:00:20.537027 IP 192.168.10.10.ncu-2 > 77.91.227.67.audit-transfer: UDP, length 1000
14:00:20.538422 IP 192.168.10.10.embrace-dp-s > 77.91.227.67.bluelance: UDP, length 1000
14:00:20.538712 IP 192.168.10.10.embrace-dp-c > a.root-servers.net.embrace-dp-s: UDP, length 1000
14:00:20.540010 IP 192.168.10.10.dmod-workspace > b.root-servers.net.bvcontrol: UDP, length 1000
14:00:20.540208 IP 192.168.10.10.tick-port > a.root-servers.net.925: UDP, length 1000
14:00:20.541412 IP 192.168.10.10.cpq-tasksmart > b.root-servers.net.bnt-manager: UDP, length 1000
14:00:20.541756 IP 192.168.10.10.intraintra > c.root-servers.net.864: UDP, length 1000
14:00:20.542941 IP 192.168.10.10.netwatcher-mon > c.root-servers.net.sbi-agent: UDP, length 1000
14:00:20.544113 IP 192.168.10.10.netwatcher-db > d.root-servers.net.4467: UDP, length 1000
14:00:20.544400 IP 192.168.10.10.isns > d.root-servers.net.4245: UDP, length 1000
14:00:20.545444 IP 192.168.10.10.ironmail > E.ROOT-SERVERS.NET.2374: UDP, length 1000

==

It's sending UDP traffic to the root nameservers .... Any ideas?

Thanks.

Best,
Tony

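Added here as an illustration (not from Tony's post or any of the replies): a short Python script that parses tcpdump summary lines like the ones in the capture above and scores each source host on the traits visible there, namely sustained packet rate, a fixed 1000-byte payload sprayed at many destinations, and most packets aimed at root nameservers. The two 192.168.10.22 lines are constructed to show a host doing ordinary DNS lookups that is not flagged; tcpdump prints /etc/services names in place of port numbers where it knows one (smpppd, netwatcher-mon and so on), so the parser accepts either form.

```python
import re
from collections import defaultdict
from datetime import datetime

# One tcpdump summary line as printed in the post:
#   HH:MM:SS.usec IP src.port > dst.port: UDP, length N
# Ports may be numbers or /etc/services names, so both are accepted.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>.+?)\.(?P<sport>[^.\s]+) > "
    r"(?P<dst>.+?)\.(?P<dport>[^.\s:]+): UDP, length (?P<len>\d+)$"
)
ROOT_SERVER_RE = re.compile(r"\.root-servers\.net$")

# Sample input: the 22 lines from the post, plus two constructed lines from a
# second workstation doing normal DNS lookups against the local resolver.
SAMPLE_LINES = """\
14:00:20.509030 IP 192.168.10.10.smpppd > i.root-servers.net.hpstgmgr: UDP, length 1000
14:00:20.519512 IP 192.168.10.10.iiw-port > 77.91.227.67.4744: UDP, length 1000
14:00:20.520580 IP 192.168.10.10.odi-port > a.root-servers.net.4496: UDP, length 1000
14:00:20.521733 IP 192.168.10.10.brcm-comm-port > b.root-servers.net.4710: UDP, length 1000
14:00:20.523076 IP 192.168.10.10.pcle-infex > c.root-servers.net.826: UDP, length 1000
14:00:20.524186 IP 192.168.10.10.csvr-proxy > d.root-servers.net.3997: UDP, length 1000
14:00:20.525251 IP 192.168.10.10.csvr-sslproxy > E.ROOT-SERVERS.NET.funk-license: UDP, length 1000
14:00:20.526385 IP 192.168.10.10.firemonrcc > f.root-servers.net.sonuscallsig: UDP, length 1000
14:00:20.527798 IP 192.168.10.10.spandataport > G.ROOT-SERVERS.NET.4130: UDP, length 1000
14:00:20.528794 IP 192.168.10.10.magbind > h.root-servers.net.atmtcp: UDP, length 1000
14:00:20.529947 IP 192.168.10.10.ncu-1 > i.root-servers.net.direcpc-dll: UDP, length 1000
14:00:20.537027 IP 192.168.10.10.ncu-2 > 77.91.227.67.audit-transfer: UDP, length 1000
14:00:20.538422 IP 192.168.10.10.embrace-dp-s > 77.91.227.67.bluelance: UDP, length 1000
14:00:20.538712 IP 192.168.10.10.embrace-dp-c > a.root-servers.net.embrace-dp-s: UDP, length 1000
14:00:20.540010 IP 192.168.10.10.dmod-workspace > b.root-servers.net.bvcontrol: UDP, length 1000
14:00:20.540208 IP 192.168.10.10.tick-port > a.root-servers.net.925: UDP, length 1000
14:00:20.541412 IP 192.168.10.10.cpq-tasksmart > b.root-servers.net.bnt-manager: UDP, length 1000
14:00:20.541756 IP 192.168.10.10.intraintra > c.root-servers.net.864: UDP, length 1000
14:00:20.542941 IP 192.168.10.10.netwatcher-mon > c.root-servers.net.sbi-agent: UDP, length 1000
14:00:20.544113 IP 192.168.10.10.netwatcher-db > d.root-servers.net.4467: UDP, length 1000
14:00:20.544400 IP 192.168.10.10.isns > d.root-servers.net.4245: UDP, length 1000
14:00:20.545444 IP 192.168.10.10.ironmail > E.ROOT-SERVERS.NET.2374: UDP, length 1000
14:00:20.530000 IP 192.168.10.22.51234 > 192.168.10.1.domain: UDP, length 45
14:00:20.610000 IP 192.168.10.22.51235 > 192.168.10.1.domain: UDP, length 52
""".splitlines()


def parse_line(line):
    """Return a dict for one UDP summary line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%H:%M:%S.%f"),
        "src": m["src"],
        "dst": m["dst"].lower(),  # E.ROOT-SERVERS.NET and e.root-servers.net are one host
        "length": int(m["len"]),
    }


def summarize(lines):
    """Per-source statistics: packet count, destination spread, rate, payload uniformity."""
    per_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_src[rec["src"]].append(rec)
    stats = {}
    for src, recs in per_src.items():
        recs.sort(key=lambda r: r["ts"])
        span = (recs[-1]["ts"] - recs[0]["ts"]).total_seconds()
        to_roots = sum(1 for r in recs if ROOT_SERVER_RE.search(r["dst"]))
        stats[src] = {
            "packets": len(recs),
            "distinct_dst": len({r["dst"] for r in recs}),
            "root_server_frac": to_roots / len(recs),
            "uniform_length": len({r["length"] for r in recs}) == 1,
            # A single packet has no time span; report its rate as 0 rather than infinite.
            "pps": len(recs) / span if span > 0 else 0.0,
        }
    return stats


def flag_floods(stats, min_packets=10, min_dst=5, min_pps=50):
    """Return {source: [reasons]} for hosts whose UDP pattern looks like flood traffic."""
    flagged = {}
    for src, s in stats.items():
        reasons = []
        if s["packets"] >= min_packets and s["pps"] >= min_pps:
            reasons.append(f"{s['pps']:.0f} pkt/s sustained")
        if s["distinct_dst"] >= min_dst and s["uniform_length"]:
            reasons.append("fixed-size payload sprayed at many destinations")
        if s["root_server_frac"] > 0.5:
            reasons.append("majority of packets aimed at DNS root servers")
        if reasons:
            flagged[src] = reasons
    return flagged


if __name__ == "__main__":
    for src, reasons in flag_floods(summarize(SAMPLE_LINES)).items():
        print(f"{src}: {'; '.join(reasons)}")
```

Thresholds are deliberately loose for a 36 ms snippet; on a longer capture, window the lines by second before calling summarize so a burst is not averaged away.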
RE: Zombie / Botnet?

The dirty secret that the people are not letting you know is that anti-virus is obsolete. The people who build and deploy malware know how to obfuscate the code so that anti-virus does not pick it up. The really lame "bad guys" will obfuscate once a week - requiring the anti-virus team to deploy a new sig once a week. The really good bad guys will obfuscate every 15 minutes - using the same malware package as the "lame" bad guys.

Note, might be malware command and control. See if there is any DNS. If you see really weird queries (like teraazxi.(somedomain).(some TLD)) then it is a BOT talking to a controller.

For remediation - I have my own list I build that is based on this work: http://home.comcast.net/~SupportCD/MalwareRemoval.html

You sometimes have to tune it to the specific malware (using different clean up tools).

> -----Original Message-----
> From: listbounce@... [mailto:listbounce@...] On Behalf Of Tony Raboza
> Sent: Tuesday, November 10, 2009 4:05 AM
> To: security-basics@...
> Subject: Zombie / Botnet?
>
> [...]

Re: Zombie / Botnet?

McAfee is, by no means, a silver bullet. There are various attacks on the AV product itself that can mask infection and there are other methods of zombification that are not detected via AV.

Disable system restore points and reboot to a bootable cd with malware / AV scanning to verify.

Massive UDP could be an RTP broadcast but it would not be directed at root servers so your initial thoughts of a ddos are probably correct.

-Jay

On Nov 10, 2009, at 9:36 AM, "Tony Raboza" <tonyraboza@...> wrote:
> [...]

Re: Zombie / Botnet?

I'm not able to look into the traffic, but my two thoughts are (1) McAfee is not perfect and all AV apps miss their share of malware and (2) get that thing off the network immediately.

On 11/10/09, Tony Raboza <tonyraboza@...> wrote:
> [...]

--
Sent from my mobile device

Re: Zombie / Botnet?

This reminds me of a few rather hilarious scenarios I recall from several years ago. Well, hilarious from my point of view at that time. I was performing an audit at that time and was informed by some of the sys admins that AV would take care of whatever spyware problems, etc. they would have. Tried to convince them otherwise. Went out to the field and it was current definitions with happy fun fun spyware/worms as you indicate below. I guess the great wall of China does not always keep the Hun army out.

What is even more fun is to connect a vulnerable computer to the Internet through a slower modem connection. It is fun to watch the "slow motion" infection occur real time.

On Tue, Nov 10, 2009 at 5:49 PM, Jay Vlavianos <jvlavianos@...> wrote:
> [...]

Re: Zombie / Botnet?

On Tue, Nov 10, 2009 at 04:05, Tony Raboza <tonyraboza@...> wrote:
> [...]

1) take it off the network.

2) burn a rescue CD and boot the machine with it. I suggest ubcd4win - http://www.ubcd4win.com/howto.htm - and enable the Sunbelt VIPRE and any other plugins (malwarebytes, especially) you deem appropriate to see if you can clean/identify the culprit. I just tried ubcd4win yesterday, and it was dead easy to work with. Excellent tool. There are other good tools, but I just used this one and like it.

3) regardless of whether you clean the machine and/or identify the culprit, save the data, rebuild the box and patch it so that it doesn't get infected again.

Personally, I don't like McAfee at all. We switched away from that to the Sunbelt product, and haven't looked back.

Kurt

RE: Zombie / Botnet?

77.91.227.67

Is this in Russia? According to some lookups/tracert, it might be. This in no way confirms whether it's one of the living dead...but still.

Do you know what this is?

netwatcher-mon

Looks like some kind of network monitor but was it put there by you/the company?

Cheers

> -----Original Message-----
> From: listbounce@... [mailto:listbounce@...] On Behalf Of Tony Raboza
> Sent: Tuesday, November 10, 2009 10:05 PM
> To: security-basics@...
> Subject: Zombie / Botnet?
>
> [...]