Re: [Nolug] Catching a worm?

From: Chris Jones <techmaster_at_gmail.com>
Date: Thu, 10 Apr 2008 14:09:42 -0500
Message-ID: <945e1c690804101209s1a4de4a4s9422742edd678130@mail.gmail.com>

Something weird... I made two more of these taps, and something we're seeing
with them is that you put the data cables through their ports, and everything is
fine. The network can get to the internet just fine. But as soon as you
plug an Ethernet cable into one of the tap ports, suddenly the internet
dies. But as soon as the other end of that cable gets plugged into a
laptop or something, the internet starts working again. If you plug the
cable into the other port, it doesn't affect anything no matter what. But
it sniffs great. For these two, I used un-numbered jacks; the punchdown on
the jack is just color coded. The first one I made has numbering, so I'm
not sure if the first one I made exhibits this behavior or not. Just
wondering if anybody has seen this happen before, and if it's normal. I
don't see how, as it should be passive, and with just a regular straight-
through CAT5 cable, it shouldn't be doing anything to the data.

On Fri, Mar 28, 2008 at 3:18 PM, Dennis Bourn <dbourn@clkenergy.com> wrote:

> Chris Jones wrote:
>
> > I was curious what you guys do when you encounter a client that has a
> > network worm, but you don't know whose computer has the infection. I have a
> > client who keeps getting calls from Cox, stating that there is a computer on
> > their network that is sending out tons of spam. Two months ago at the
> > meeting we were playing with Cain & Abel, which can do ARP poisoning. And
> > although it's an amazingly powerful piece of software, it seems to
> > unfortunately be useful for only black hat hacking (password stealing)...
> > There's also Ethereal/Wireshark, but it seems to be useless on a switched
> > network, unless you can find an old crappy hub to put it on, between the
> > switch and the router. I honestly don't even know if we have a hub anywhere
> > around here. There are some commercial products out there made for this,
> > but they seem to start at around $2000. I was just wondering if anybody
> > knew of anything good that was open source. ARP poisoning would be a nice
> > feature, but I'm guessing that might only be a feature on the black hat
> > tools. ;) There are some things like Nessus and Zenoss, but are those just
> > for SNMP monitoring? They probably won't sniff for worm traffic. I might
> > look into Untangle and see if it offers that ability...but I figured I'd see
> > if you guys know of anything else? Thanks!
> >
> Oh yeah,.. p.s.
> build a passive ethernet tap to place just before your gateway instead of
> a hub.
> http://www.snort.org/docs/tap/
>
> Worm traffic is kind of a moot point. The control traffic is probably
> encrypted or obscured in some way or another, possibly in HTTP or DNS
> traffic, making it harder to spot during working hours. Just find which box
> is sending the spam by watching SMTP traffic.
>
> ___________________
> Nolug mailing list
> nolug@nolug.org
>

-- 
Chris Jones
http://www.industrialarmy.com
___________________
Nolug mailing list
nolug@nolug.org
Received on 04/10/08
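The advice in the quoted reply (find the spamming box by watching SMTP traffic from the tap) is easy to turn into a script. The example below is added here and is not code from either poster; it parses the default `tcpdump -nn` line format and, per internal source address, counts outbound TCP SYNs to port 25 and the number of distinct mail servers contacted. A legitimate mail client or server relays everything through one or two hosts; a spam bot opens connections to many different MX hosts in a short window. The sample capture lines and the 192.168.1.0/24 addresses are constructed for the example (external addresses are from the documentation ranges), and the 'three or more distinct destinations' threshold is an assumption to tune for the site.

```python
import re
import sys
from collections import defaultdict

# Default "tcpdump -nn" line format for a TCP segment, e.g.
#   14:09:42.000001 IP 192.168.1.5.49152 > 192.0.2.10.25: Flags [S], seq 1, win 65535, length 0
# Only the fields up to the flags are needed here.
TCPDUMP_RE = re.compile(
    r'^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP '
    r'(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > '
    r'(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]'
)

# Constructed sample capture: 192.168.1.5 relays twice through one smarthost (192.0.2.10),
# 192.168.1.23 fans out to five different mail servers in under a second (bot-like),
# 192.168.1.40 only browses the web. Replies (SYN-ACK, "[S.]") must not be counted.
SAMPLE = """\
14:09:42.000001 IP 192.168.1.5.49152 > 192.0.2.10.25: Flags [S], seq 1, win 65535, length 0
14:09:42.000002 IP 192.0.2.10.25 > 192.168.1.5.49152: Flags [S.], seq 2, ack 2, win 65535, length 0
14:09:42.100000 IP 192.168.1.23.50001 > 198.51.100.11.25: Flags [S], seq 1, win 65535, length 0
14:09:42.100500 IP 192.168.1.23.50002 > 198.51.100.12.25: Flags [S], seq 1, win 65535, length 0
14:09:42.101000 IP 192.168.1.23.50003 > 203.0.113.5.25: Flags [S], seq 1, win 65535, length 0
14:09:42.101500 IP 192.168.1.23.50004 > 203.0.113.6.25: Flags [S], seq 1, win 65535, length 0
14:09:42.102000 IP 192.168.1.23.50005 > 203.0.113.7.25: Flags [S], seq 1, win 65535, length 0
14:09:43.000000 IP 192.168.1.5.49153 > 192.0.2.10.25: Flags [S], seq 1, win 65535, length 0
14:09:43.500000 IP 192.168.1.40.51000 > 203.0.113.80.80: Flags [S], seq 1, win 65535, length 0
14:09:44.000000 IP 192.168.1.23.50006 > 198.51.100.11.25: Flags [S], seq 1, win 65535, length 0
"""


def parse_syn_lines(lines):
    """Yield (timestamp, src, dst, dport) for pure SYN segments.

    A flags field of exactly 'S' is the client's connection attempt; 'S.' is the
    server's SYN-ACK and would otherwise be counted as traffic *from* the mail server.
    """
    for line in lines:
        m = TCPDUMP_RE.match(line)
        if not m or m.group('flags') != 'S':
            continue
        yield m.group('ts'), m.group('src'), m.group('dst'), int(m.group('dport'))


def smtp_talkers(lines, port=25):
    """Map each source IP to (outbound SMTP SYN count, distinct destination hosts).

    Sources that never opened an SMTP connection are not included.
    """
    stats = defaultdict(lambda: {'syns': 0, 'dests': set()})
    for _ts, src, dst, dport in parse_syn_lines(lines):
        if dport != port:
            continue
        stats[src]['syns'] += 1
        stats[src]['dests'].add(dst)
    return {src: (v['syns'], len(v['dests'])) for src, v in stats.items()}


def rank_suspects(lines, min_dests=3, port=25):
    """List (src, syn_count, distinct_dests) sorted by fan-out, highest first.

    min_dests is an assumed threshold: a host relaying through its own mail server
    or ISP smarthost contacts one destination, so even a small fan-out stands out.
    """
    ranked = sorted(
        ((src, syns, dests) for src, (syns, dests) in smtp_talkers(lines, port).items()),
        key=lambda row: (row[2], row[1]),
        reverse=True,
    )
    return [row for row in ranked if row[2] >= min_dests]


if __name__ == '__main__':
    # Read a live or saved capture from stdin when one is piped in, else use the sample.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE.splitlines()
    for src, syns, dests in rank_suspects(source):
        print(f'{src:15s}  smtp_syns={syns:<5d} distinct_mail_servers={dests}')
```

Feed it from the tap with something like `tcpdump -nn -l -i eth1 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn and dst port 25' | python3 smtp_talkers.py` (interface name assumed). Two caveats: the tap has to sit on the inside of the gateway, before NAT, or every flow will carry the router's address instead of the infected machine's; and if the site's mail goes out on the submission port, pass `port=587` as well, since a bot that abuses the user's own account will show up there rather than on 25.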

This archive was generated by hypermail 2.2.0 : 12/19/08 EST