From: netsec novice [mailto:netsec9 () hotmail com]
Sent: Tuesday, November 05, 2002 8:14 AM
To: ilyte () alias666 freeserve co uk; security-basics () securityfocus com
Subject: Re: Network Configuration Question?
I recently saw similar behaviour running tcpdump on my workstation that is attached to a Cisco Catalyst switch. I would be interested to find any
From: "Ian Lyte" <ilyte () alias666 freeserve co uk>
To: <security-basics () securityfocus com>
Subject: Network Configuration Question?
Date: Mon, 4 Nov 2002 16:58:37 -0000
On a corporate machine, I was having trouble removing scrote-ware that had installed itself surreptitiously onto
As part of the process of tracking down how it was running, I downloaded a small packet sniffer and ran it so I could attempt to trace the outgoing target address of the pop-up window.
We are on a 100mbs switched network (I believe switched but ..).
Now imagine my surprise when I could pick up traffic from around 6 machines, including HTTP, POP, SMTP and all the associated passwords.
Some of the machines were geographically close to me in but not all. How could this happen on a switched network - has one of the switches fallen over into broadcast mode or something? If so how do I go about determining (remotely) why/how it has fallen over, who else is on the segment, and what other avenues do I have to explore?
Thanks in advance