[Dshield] [OT] Naughty File Detector
dan_20407 at msn.com
Thu Oct 2 12:31:02 GMT 2003
There are lots of programs that will inventory software on a box (SMS, some
patch management software), but if you really want to go after P2P, there are
a number of things you can look for.

Lots of ICMP traffic, huge overhead.

Port 0 traffic (SetUID 0 or otherwise). I have noticed that Shareaza (which I
do use) will get me port 0 traffic because of the port hopping. Probably
something unbound in their port designation. You can also tab on the
standard P2P ports to get a tip-off; if they are just being turned on, then
they usually default to their standard port. There is a random port setting
in some P2P applications to get around firewalls, but it is buried in the
configuration and the user may or may not enable that function.

Another thing to do, especially fun on a Windows network, is just to do a search
for MP3, MPG on the network; most XP/W2K/W2K3 allow for network-wide
searching via script for those kinds of files. But I would recommend this
only after hours.
Hope that helps,
>From: Carl Inglis <wyrdrune at yoshiwara.org.uk>
>Reply-To: General DShield Discussion List <list at dshield.org>
>To: General DShield Discussion List <list at dshield.org>
>Subject: [Dshield] [OT] Naughty File Detector
>Date: Thu, 2 Oct 2003 12:44:20 +0100
>I'm going to be starting a new job in the near future, and one of the
>things which I'm going to be responsible for is the security policy. I
>want to ban P2P programs, but from what I understand of the protocols they
>are capable of port-hopping, and can even land on port 80.
>I'm looking for a program which I can use to scan remote hard drives
>looking for the executables. Perhaps using an MD5 checksum to identify the
>files? (Since people can change the file names).
>I've found Browse Control from CodeWork, and that looks quite interesting,
>but I'd appreciate the thoughts of others.
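As an added example (not code from either poster), here is the hash-based approach Carl asks about combined with the media-file search Dan suggests: a Python scanner that identifies known executables by content digest regardless of filename, and separately lists media files by extension. The known-hash table and the scanned directory are constructed stand-ins; a real deployment would hash the actual client binaries you want to find and run the scan against the shares or remote drives in question.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed stand-in for a table of known P2P client binaries, keyed by SHA-256
# (MD5 as suggested in the thread works the same way but is collision-prone).
FAKE_CLIENT_BYTES = b"MZ\x90\x00fake-p2p-client-binary-for-demo"
KNOWN_BAD = {hashlib.sha256(FAKE_CLIENT_BYTES).hexdigest(): "demo-p2p-client.exe"}

MEDIA_EXT = {".mp3", ".mpg", ".mpeg", ".avi"}


def file_digest(path, algo="sha256", chunk=1 << 16):
    """Stream the file through the hash so large files are not loaded into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root, known=KNOWN_BAD):
    """Walk root; report files whose content hash is in `known` (whatever the
    filename) and, separately, media files found by extension."""
    hits, media = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() in MEDIA_EXT:
                media.append(str(p))
            try:
                digest = file_digest(p)
            except OSError:
                continue  # unreadable or locked file: skip it, do not abort the scan
            if digest in known:
                hits.append((str(p), known[digest]))
    return hits, media


def demo():
    """Build a constructed tree: the 'client' renamed to hide it, plus a media file."""
    root = tempfile.mkdtemp()
    (Path(root) / "docs").mkdir()
    (Path(root) / "docs" / "quarterly_report.doc").write_bytes(FAKE_CLIENT_BYTES)
    (Path(root) / "song.MP3").write_bytes(b"ID3 constructed audio")
    return scan_tree(root)


if __name__ == "__main__":
    found, media_files = demo()
    print("renamed known binaries:", found)
    print("media files by extension:", media_files)
```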