Security Basics mailing list archives

Re: possible rooted systems


From: mike () genxweb net
Date: Thu, 28 Oct 2004 13:34:54 -0400

Kyle,

If you believe you have been compromised, I say start investigating the issue.
Check the firewall logs for outbound and inbound connections on non-standard
ports. Once you do that, check standard ports. See if you see any IRC ports in
use. For the *ware issue (* being any form of the ware family) I suggest you
start off small using a free product like Ad-Aware and go from there.
Unfortunately in a school environment you will have that issue, and most likely
you cannot switch browsers to a less vulnerable one.

Either way, check the logs on the firewall for abnormal usage (you should know
your network the best, to tell what's normal and abnormal).


Quoting kyle <kyle () inetconnection com>:

I am a LAN administrator at a small school system with a T1 line for the
Internet. Lately I've noticed that the T1 line has been maxed, and a week
later, it is still maxed out. I strongly believe that a few systems have been
rooted (no viruses/trojans show up on scans) and need a Novell-based packet
sniffer to determine what is legitimate and illegitimate traffic. Does anyone
know of any good ones? We run many XP and 98 boxes with multiple Novell
servers. I think some of the 98 boxes are the ones that were rooted. On using
them I've noticed one common thing on every one of them at that building:
spyware beyond usage (current record 35000 entries before Ad-Aware locked up).
I know how I can just fix it, but I need some sort of log so I can justify my
means. ;)
Thanks
Kyle
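An added example, not from either poster, of the firewall-log triage Mike suggests (outbound and inbound connections on non-standard ports, then IRC ports, then who is eating the T1) that also produces the kind of written evidence Kyle asked for. The log line format, the LAN prefix 10.1., the port lists and every sample line are assumptions constructed for the example; adapt the regular expression to whatever the real firewall writes.

```python
"""Summarise firewall log lines: top outbound talkers, IRC users, non-standard ports."""
import re
from collections import defaultdict

# Constructed sample lines in an assumed generic "src -> dst bytes=N" format.
# None of this is real traffic from the original thread.
SAMPLE_LOG = """\
2004-10-27 08:01:12 ACCEPT TCP 10.1.5.23:1034 -> 64.233.167.99:80 bytes=15320
2004-10-27 08:01:15 ACCEPT TCP 10.1.5.23:1035 -> 64.233.167.99:443 bytes=2100
2004-10-27 08:02:40 ACCEPT TCP 10.1.5.41:1192 -> 198.51.100.7:6667 bytes=480
2004-10-27 08:02:41 ACCEPT TCP 10.1.5.41:1193 -> 198.51.100.7:6667 bytes=620
2004-10-27 08:03:02 ACCEPT TCP 10.1.5.41:1201 -> 203.0.113.88:4899 bytes=9850000
2004-10-27 08:03:05 ACCEPT TCP 10.1.5.41:1202 -> 203.0.113.89:4899 bytes=7200000
2004-10-27 08:04:10 ACCEPT UDP 10.1.5.77:1056 -> 10.1.1.2:53 bytes=92
2004-10-27 08:05:00 ACCEPT TCP 10.1.5.77:1060 -> 64.233.167.99:80 bytes=40210
2004-10-27 08:06:33 DROP TCP 192.0.2.15:44021 -> 10.1.5.41:135 bytes=48
2004-10-27 08:06:40 ACCEPT TCP 192.0.2.15:44022 -> 10.1.5.41:4899 bytes=5120
2004-10-27 08:07:01 ACCEPT TCP 10.1.5.9:1300 -> 198.51.100.7:6667 bytes=310
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>ACCEPT|DROP) (?P<proto>TCP|UDP) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) bytes=(?P<bytes>\d+)$"
)

IRC_PORTS = {6666, 6667, 6668, 6669, 7000}          # common IRC server ports
STANDARD_PORTS = {20, 21, 22, 25, 53, 80, 110, 123, 143, 443}  # assumed "expected" set
INTERNAL_PREFIX = "10.1."                            # assumed school LAN range


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "bytes"):
        rec[key] = int(rec[key])
    return rec


def is_internal(ip, prefix=INTERNAL_PREFIX):
    return ip.startswith(prefix)


def analyze(lines, prefix=INTERNAL_PREFIX):
    """Aggregate accepted traffic crossing the LAN boundary; skip drops and LAN-to-LAN."""
    bytes_out = defaultdict(int)          # per internal host, bytes sent to the outside
    irc_hosts = set()                     # internal hosts talking to IRC ports
    nonstandard = defaultdict(set)        # internal host -> outbound non-standard dst ports
    inbound_nonstandard = defaultdict(set)  # internal host -> accepted inbound odd ports
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "ACCEPT":
            continue  # malformed, or blocked: nothing actually crossed the firewall
        src, dst, dport = rec["src"], rec["dst"], rec["dport"]
        if is_internal(src, prefix) and not is_internal(dst, prefix):
            bytes_out[src] += rec["bytes"]
            if dport in IRC_PORTS:
                irc_hosts.add(src)
            if dport not in STANDARD_PORTS:
                nonstandard[src].add(dport)
        elif not is_internal(src, prefix) and is_internal(dst, prefix):
            if dport not in STANDARD_PORTS:
                inbound_nonstandard[dst].add(dport)
    return {
        "bytes_out": dict(bytes_out),
        "irc_hosts": sorted(irc_hosts),
        "nonstandard": {h: sorted(p) for h, p in nonstandard.items()},
        "inbound_nonstandard": {h: sorted(p) for h, p in inbound_nonstandard.items()},
    }


def top_talkers(summary, n=3):
    """Internal hosts ranked by outbound bytes; the T1 hog should be at the top."""
    return sorted(summary["bytes_out"].items(), key=lambda kv: kv[1], reverse=True)[:n]


def report(log_text):
    """Print a short justification-style summary and return the raw numbers."""
    summary = analyze(log_text.splitlines())
    print("Top outbound talkers (bytes):")
    for host, total in top_talkers(summary):
        print(f"  {host:<12} {total:>12,}")
    print("Hosts using IRC ports:", ", ".join(summary["irc_hosts"]) or "none")
    for host, ports in summary["nonstandard"].items():
        print(f"Outbound non-standard ports from {host}: {ports}")
    for host, ports in summary["inbound_nonstandard"].items():
        print(f"Accepted inbound non-standard ports to {host}: {ports}")
    return summary


if __name__ == "__main__":
    report(SAMPLE_LOG)
```

Run it against an export of the real firewall log in place of SAMPLE_LOG; the hosts that top the byte count, speak IRC and accept inbound connections on odd ports are the ones to pull off the wire and image before cleaning, and the printed summary is the log that justifies doing so.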




