[Dshield] [OT] Naughty File Detector

DAN MORRILL dan_20407 at msn.com
Thu Oct 2 12:31:02 GMT 2003


Good Morning,

There are lots of programs that will inventory software on a box, SMS, some 
Patch Management software, but if you really want to go after P2P, there are 
a number of things you can look for.

Lots of ICMP traffic, huge overhead,

Port 0 traffic (SetUID 0 or otherwise). I have noticed that Shareaza (which I 
do use) will get me port 0 traffic because of the port hopping. Probably 
something unbound in their port designation. You can also tab on the 
standard P2P ports to get a tip off, if they are just being turned on, then 
they usually default to their standard port. There is a random port setting 
in some P2P applications to get around firewalls, but it is buried in the 
configuration and the user may or may not enable that function.

Another thing to do, especially fun on a Windows network, just do a search 
for MP3, MPG on the network, most XP/W2K/W2K3 allows for network wide 
searching via script for those kinds of files. But I would recommend this 
only after hours.

Hope that helps,
Cheers/r/Dan Morrill




>From: Carl Inglis <wyrdrune at yoshiwara.org.uk>
>Reply-To: General DShield Discussion List <list at dshield.org>
>To: General DShield Discussion List <list at dshield.org>
>Subject: [Dshield] [OT] Naughty File Detector
>Date: Thu,  2 Oct 2003 12:44:20 +0100
>
>I'm going to be starting a new job in the near future, and one of the
>things which I'm going to be responsible for is the security policy. I
>want to ban P2P programs, but from what I understand of the protocols they
>are capable of port-hopping, and can even land on port 80.
>
>I'm looking for a program which I can use to scan remote hard drives
>looking for the executables. Perhaps using an MD5 checksum to identify the
>files? (Since people can change the file names).
>
>I've found Browse Control from CodeWork, and that looks quite interesting,
>but I'd appreciate the thoughts of others.
>
>Thanks,
>
>Carl
>--
>
>
>_______________________________________________
>list mailing list
>list at dshield.org
>To change your subscription options (or unsubscribe), see: 
>http://www.dshield.org/mailman/listinfo/list
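
Added example, not part of either message: a sketch of the checksum idea raised in the question, matching executables by content so a renamed file is still found. It assumes a hypothetical `banned` digest list, selects files by the PE `MZ` magic rather than by extension, and runs on a constructed sample tree; `algo="md5"` gives the MD5 variant mentioned in the question.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # read in 1 MiB pieces so large files are not loaded whole

def pe_digest(path, algo="sha256"):
    """Hex digest of a file that starts with the PE 'MZ' magic, else None."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        head = fh.read(2)
        if head != b"MZ":  # not a Windows executable, skip hashing
            return None
        h.update(head)
        for block in iter(lambda: fh.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def scan_tree(root, banned, algo="sha256"):
    """Walk root; return (hits, errors). banned maps hex digest -> label."""
    hits, errors = [], []
    note = lambda e: errors.append((e.filename, str(e)))  # unreadable directory
    for dirpath, _dirs, files in os.walk(root, onerror=note):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = pe_digest(path, algo)
            except OSError as exc:  # locked or unreadable file: record, keep going
                errors.append((path, str(exc)))
                continue
            if digest in banned:
                hits.append((path, banned[digest]))
    return sorted(hits), errors

def demo():
    # Constructed sample tree: one banned binary renamed to look like a document.
    client = b"MZ" + b"constructed stand-in for a P2P client binary"
    banned = {hashlib.sha256(client).hexdigest(): "example-p2p-client (constructed)"}
    with tempfile.TemporaryDirectory() as root:
        samples = {"report.doc": client,                    # renamed copy
                   "notepad.exe": b"MZ" + b"other program",  # executable, not listed
                   "notes.txt": b"plain text"}               # skipped: no MZ magic
        for rel, data in samples.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        hits, errors = scan_tree(root, banned)
        return [(os.path.basename(p), label) for p, label in hits], errors

if __name__ == "__main__":
    print(demo())
```

An exact digest match only finds byte-identical copies, so each new release of a client needs its own entry in the list.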
