[Dshield] Re: gotomypc.com part 2
acunningham at rsasecurity.com
Wed May 15 08:07:45 GMT 2002
The problem is exacerbated by the fact that there is a "Reverse WWW shell"
that attackers can use and configure to talk to their own web server from a
compromised machine (or even include in a trojan).
It should be possible to write signatures for each of these, but also
looking for large HTTP GET requests (command output) returning a very small
page (the next command to run), and/or repeated HTTP GET requests at the
same time interval.
> -----Original Message-----
> From: Jim Tagart [mailto:Jim.Tagart at bellcold.com]
> Sent: 15 May 2002 05:09
> To: 'list at dshield.org'
> Subject: RE: [Dshield] Re: gotomypc.com part 2
> Yep, you've got to block all the potential gateways, servers and domains and
> yes, even home users and consumer networks by not allowing this first of all
> by Policy and Procedure, second by audit and third by monitoring/sniffing
> for these things.
> The IDSs need to ramp up and detect these services, at least then you can
> shut them down quickly until something better is here.
> I need to learn how to write Snort rules finally.
> > -----Original Message-----
> > From: Bruce Campbell [SMTP:bruce_campbell at ripe.net]
> > Sent: Tuesday, May 14, 2002 6:02 PM
> > To: 'list at dshield.org'
> > Subject: RE: [Dshield] Re: gotomypc.com part 2
> > On Tue, 14 May 2002, Jim Tagart wrote:
> > > Nope, not bold today but found this on their site
> > >
> > > <snip>
> > > How it works?
> > >
> > > Host computer runs totalrc.exe, a software agent to enable remote
> > > control. Client takes remote control/view of the Host through a Web
> > > browser. Gateway provides communications between Host and Client. In
> > > order to provide remote control client opens Gateway's URL in the Web
> > > Browser. The default gateway is http://www.totalrc.net. This gateway is
> > > free for all users.
> > > </snip>
> > >
> > > So blocking the http://www.totalrc.net site should do it.
> > Blocking www.totalrc.net would block clients, at your site, from
> > connecting to the gateway site. It would not block hosts within your site
> > from running totalrc.exe and connecting to poll.gotomypc.com .
> > --==--
> > Bruce.
> > _______________________________________________
> > Dshield mailing list
> > Dshield at dshield.org
> > To change your subscription options (or unsubscribe), see:
> > http://www.dshield.org/mailman/listinfo/list
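The traffic heuristic at the top of this thread (large outbound GET carrying command output, a tiny response carrying the next command, repeated at a fixed interval) can be checked against proxy logs. The script below is an added example, not code from the list or from any of the posters; the log format, thresholds, host names and addresses are all constructed for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log lines (hypothetical format):
#   <ISO time> <client IP> <method> <URL> <response bytes>
# 10.0.0.7 polls a remote site every 60 s with a ~900-byte query and gets a tiny page back;
# 10.0.0.9 is ordinary browsing with short URLs, large pages and irregular timing.
LOG_LINES = [
    "2002-05-15T08:00:00 10.0.0.7 GET http://shell.example/cgi?o=" + "A" * 900 + " 60",
    "2002-05-15T08:01:00 10.0.0.7 GET http://shell.example/cgi?o=" + "B" * 850 + " 55",
    "2002-05-15T08:02:00 10.0.0.7 GET http://shell.example/cgi?o=" + "C" * 880 + " 62",
    "2002-05-15T08:03:00 10.0.0.7 GET http://shell.example/cgi?o=" + "D" * 910 + " 58",
    "2002-05-15T08:00:13 10.0.0.9 GET http://www.example.com/ 18342",
    "2002-05-15T08:04:27 10.0.0.9 GET http://www.example.com/news 22410",
    "2002-05-15T08:05:02 10.0.0.9 GET http://www.example.com/img.gif 4411",
    "2002-05-15T08:09:48 10.0.0.9 GET http://www.example.com/about 9020",
]
LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d+)$")


def parse(lines):
    """Group (timestamp, URL length, response bytes) records per client; skip malformed lines."""
    per_client = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, _method, url, nbytes = m.groups()
        per_client[client].append((datetime.fromisoformat(ts), len(url), int(nbytes)))
    return per_client


def find_beacons(lines, min_url=512, max_resp=256, min_hits=4, max_jitter=0.1):
    """Flag clients whose large-request/small-response GETs recur at a near-constant interval.

    max_jitter is the allowed ratio of interval std-dev to mean interval (0.1 = 10%)."""
    suspicious = {}
    for client, recs in parse(lines).items():
        recs.sort()
        hits = [r for r in recs if r[1] >= min_url and r[2] <= max_resp]
        if len(hits) < max(min_hits, 2):  # need at least one interval to measure
            continue
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            suspicious[client] = {"requests": len(hits), "interval_s": avg}
    return suspicious
```

Thresholds are deliberately loose starting points; tune `min_url` and `max_resp` against what the site's own proxy logs show for normal traffic before alerting on them.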