Re: [Nolug] Catching a worm?

From: Dennis Bourn <dbourn_at_clkenergy.com>
Date: Fri, 28 Mar 2008 15:08:44 -0500
Message-ID: <47ED504C.406@clkenergy.com>

Chris Jones wrote:
> I was curious what you guys do when you encounter a client that has a
> network worm, but you don't know whose computer has the infection. I
> have a client who keeps getting calls from Cox, stating that there is
> a computer on their network that is sending out tons of spam. Two
> months ago at the meeting we were playing with Cain & Abel, which can
> do ARP poisoning. And although it's an amazingly powerful piece of
> software, it seems to unfortunately be useful for only black hat
> hacking (password stealing)... There's also Ethereal/Wireshark, but
> it seems to be useless on a switched network, unless you can find an
> old crappy hub to put it on, between the switch and the router. I
> honestly don't even know if we have a hub anywhere around here. There
> are some commercial products out there made for this, but they seem to
> start at around $2000. I was just wondering if anybody knew of
> anything good that was open source. ARP poisoning would be a nice
> feature, but I'm guessing that might only be a feature on the black
> hat tools. ;) There are some things like Nessus and Zenoss, but are
> those just for SNMP monitoring? They probably won't sniff for worm
> traffic. I might look into Untangle and see if it offers that
> ability...but I figured I'd see if you guys know of anything else?
> Thanks!
Try Dsniff. A tool included with it is mailsnarf. It should do just what
you need. Or... you can try an Ethernet probe. I've got an old Nortel web
pocket probe that will tell you which workstations were chattiest on
which ports with pretty graphs. It connects inline on your gateway,
10/100M Ethernet.
___________________
Nolug mailing list
nolug@nolug.org
Received on 03/28/08
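The "which workstation is chattiest on which port" idea from the reply, as an added example that is not part of this thread: a small script that takes flow summaries (constructed here; a probe or sniffer would produce the real ones) and flags internal hosts opening outbound SMTP connections to many distinct external servers, the pattern a spam-sending worm leaves when a LAN's legitimate mail should go through a single relay. The LAN range 192.168.1.0/24, the record format and the threshold are assumptions.

```python
from collections import Counter, defaultdict
import ipaddress

# Constructed flow records: "src dst dport bytes", one flow per line.
FLOWS = """\
192.168.1.10 203.0.113.5   25  1200
192.168.1.10 198.51.100.7  25  980
192.168.1.10 203.0.113.9   25  1500
192.168.1.22 203.0.113.20  443 5300
192.168.1.22 198.51.100.2  80  2100
192.168.1.10 198.51.100.15 25  1100
192.168.1.30 192.168.1.1   53  120
192.168.1.10 203.0.113.33  25  1000
"""

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed client LAN


def parse_flows(text):
    """Parse the constructed flow format into (src, dst, dport, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            src, dst, dport, nbytes = line.split()
            flows.append((src, dst, int(dport), int(nbytes)))
    return flows


def _outbound(src, dst):
    """True when the flow leaves the LAN (internal source, external destination)."""
    return ipaddress.ip_address(src) in LAN and ipaddress.ip_address(dst) not in LAN


def talkers_by_port(flows, port):
    """Number of outbound flows on `port`, per internal source host."""
    return Counter(src for src, dst, dport, _ in flows
                   if dport == port and _outbound(src, dst))


def suspect_spammers(flows, min_servers=3):
    """Internal hosts talking TCP/25 directly to >= min_servers distinct external
    mail servers. A workstation relaying through one mail server never does this;
    a spam worm delivering straight to recipients' MX hosts does."""
    dests = defaultdict(set)
    for src, dst, dport, _ in flows:
        if dport == 25 and _outbound(src, dst):
            dests[src].add(dst)
    return sorted((src, len(d)) for src, d in dests.items() if len(d) >= min_servers)


if __name__ == "__main__":
    for host, n in suspect_spammers(parse_flows(FLOWS)):
        print(f"{host}: direct SMTP to {n} external servers, check this machine")
```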