Tool to discover/fix intrusion

By dmccurley
I need a simple, cost-effective way to be able to ascertain if any systems for which I am responsible are/have been compromised.

It seems that there are solutions that cost a gazillion dollars (so I will never know if they work -- management won't spend that kind of money) or there are scanners and such that are free or low-cost, but offer little in the way of solutions to the problem.

Do you have a solution that we can live with (and pay for)?


by Joseph Moore In reply to Tool to discover/fix intr ...

Well, a rootkit scanner I like is the BlackLight scanner from F-Secure. You can get the beta of it for free here:
Nice scanner you can run on machines to see if they're compromised.
Also, a lot of the files in rootkits are picked up by antivirus software. So, if you already have a licence for antivirus, put it on the servers (if doing so won't mess up the servers!), and see what it picks up.


by BFilmFan In reply to Tool to discover/fix intr ...

First determine your company's potential requirements for securing data in light of SOX, HIPAA and other regulations.

Money sometimes mysteriously becomes available when legal begins to inform management that Bernie is really lonely and needs a new cell mate because they failed to comply with laws, and the concept that customers will file suit for release of their data to a hacker.

At the very least, you will have covered your own rear!

And the number of scanners and security protection programs varies a great deal depending on which OS it is based on. SANS has a number of suggestions for securing servers. TechRepublic has a number of articles also.


by jmgarvin In reply to Tool to discover/fix intr ...

Rootkit Hunter "Rootkit scanner is scanning tool to ensure you for about 99.9% you're clean of nasty tools. This tool scans for rootkits, backdoors and local exploits by running tests like:
- MD5 hash compare
- Look for default files used by rootkits
- Wrong file permissions for binaries
- Look for suspected strings in LKM and KLD modules
- Look for hidden files
- Optional scan within plaintext and binary files"

The Port Reporter tool "The Port Reporter tool runs as a service on computers that are running Windows Server 2003, Windows XP, and Windows 2000. The tool logs TCP and UDP port activity. This article contains information about how to obtain and install the tool.";en-us;837243

Sniffit "Developed on LINUX, ported to SunOS/SOLARIS, IRIX and FreeBSD. Has various functions that aren't offered in any other non-commercial sniffer."

nTOP "ntop is a simple, free, portable traffic measurement and monitoring tool, which supports various management activities, including network optimization and planning, and detection of network security violations."

scanlogd "scanlogd is a TCP port scan detection tool, originally designed to illustrate various attacks an IDS developer has to deal with."

proDETECT "proDETECT is an open source promiscuous mode scanner with a GUI. It uses ARP packet analyzing technique to detect adapters in promiscuous mode. This tool can be used by security administrators to detect sniffers in a LAN. It can be scheduled for regular scanning over periods. It also has some advanced reporting capabilities such as SMTP reporting. Full source code is included."
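The first three Rootkit Hunter checks listed above (hash compare of known binaries, wrong permissions on binaries, hidden files) reduce to a baseline-and-verify loop. The following is an added Python example, not code from the thread or from Rootkit Hunter; it builds the baseline in a constructed temp directory, tampers with it the way a rootkit install would, and reports the differences. It uses SHA-256 rather than the MD5 the post mentions.

```python
import hashlib
import os
import stat
import tempfile

def file_digest(path):
    """SHA-256 of a file's contents (rkhunter's list says MD5; SHA-256 is the safer choice now)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(paths):
    """Record digest and permission bits of each trusted binary while the host is known-good."""
    return {p: (file_digest(p), stat.S_IMODE(os.stat(p).st_mode)) for p in paths}

def check_host(baseline, watch_dirs):
    """Return findings: changed/missing binaries, world-writable binaries, hidden files in watched dirs."""
    findings = []
    for path, (digest, mode) in baseline.items():
        if not os.path.exists(path):
            findings.append(("missing", path))
            continue
        if file_digest(path) != digest:
            findings.append(("hash_mismatch", path))
        if stat.S_IMODE(os.stat(path).st_mode) & stat.S_IWOTH:
            findings.append(("world_writable", path))
    for d in watch_dirs:
        for name in os.listdir(d):
            if name.startswith("."):
                findings.append(("hidden_file", os.path.join(d, name)))
    return findings

def demo():
    """Constructed scenario (hypothetical temp dir): baseline two fake binaries, then tamper with the host."""
    root = tempfile.mkdtemp()
    ls, ps = os.path.join(root, "ls"), os.path.join(root, "ps")
    for p in (ls, ps):
        with open(p, "wb") as f:
            f.write(b"#!/bin/sh\necho good\n")
        os.chmod(p, 0o755)
    baseline = build_baseline([ls, ps])
    with open(ps, "wb") as f:           # replaced binary: content no longer matches the baseline
        f.write(b"#!/bin/sh\necho tampered\n")
    os.chmod(ls, 0o777)                 # permissions loosened to world-writable
    open(os.path.join(root, ".hidden"), "w").close()  # dropped hidden file
    return sorted(check_host(baseline, [root]))
```

On a real host the baseline must be stored off-box (or signed); a rootkit that can rewrite `ls` can rewrite a local baseline file just as easily.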



by _Christian_ In reply to Tool to discover/fix intr ...

A decent firewall will also cover from another angle.

ZoneAlarm Pro 5.5 does a very decent job at it, while not being too difficult to use for normal users.
There are two third-party reporting add-ons for it, myNetWatchman and VisualZone. Both can be simultaneously installed, and do a nice job of analysing and/or automatically escalating the attack attempts.

ZoneAlarm by itself will let you find out if the wolf is already in, and make a nice job of cornering it (unless your users are REALLY dumb).
