Home page logo
/

basics logo Security Basics mailing list archives

Re: Zombie / Botnet?
From: Kurt Buff <kurt.buff () gmail com>
Date: Tue, 10 Nov 2009 12:37:39 -0800

On Tue, Nov 10, 2009 at 04:05, Tony Raboza <tonyraboza () gmail com> wrote:
Hi,

One of our workstations is broadcasting a huge amount of UDP traffic
(around 5Mbps) and I'm thinking it could be a zombied computer doing
DDOS as directed by its controller.  But the weird thing is - it has
an updated McAfee AV with HIPS ??  Why was this not detected - or
could I be reading this wrong?  Here's a portion of the tcpdump:

1) take if off the network.

2) burn a rescue CD and boot the machine with it. I suggest ubcd4win -
http://www.ubcd4win.com/howto.htm - an enable the Sunbelt VIPRE and
any other plugins (malwarebytes, especially) you deem appropriate to
see if you can clean/identify the culprit. I just tried ubcd4win
yesterday, and it was dead easy to work with. Excellent tool. There
are other good tools, but I just used this one and like it.

3) regardless of whether you clean the machine and/or identify the
culprit, save the data, rebuild the box and patch it so that it
doesn't get infected again.

Personally, I don't like McAfee at all. We switched away from that to
the Sunbelt product, and haven't looked back.

Kurt

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]