Fizzer Worm is Nasty – Update Sigs, OK?
Yet another worm making the rounds via email. This one has a nasty payload. More info here. Removal tool here. Additional info for administrators and operators on IRC networks here.
Building a Security Audit Toolkit
As moon-howling, tree-hugging, packet-sniffing pagans, we like to celebrate the Summer Solstice by doing a security audit of the systems on our network. Spending the longest day of the year auditing systems will help us avoid spending the longest night of the year restoring a hacked one. In our audit, we will be disabling unused […]
Building a Chrooted sftp Environment
There was a time, not so very long ago, when we used to enjoy running an ftp server and locking our users into tiny little chrooted jails. While we still enjoy denying users their freedom, we now prefer to do so using a maximum security facility. The sftp file transfer program, which comes with OpenSSH […]
Running Nmap on Windows
We wrote about Nmap in this article, but this assumed that you were running Nmap on GNU/Linux. There is another version available, now, for Windows. We used nmapwin_1.3.0_src.zip on a Windows 2000 workstation. It is important to scan your network, especially when there is a lot of virus activity. Hopefully before, but we know how […]
TCPDump Lab
We picked up a DEC Alpha Multia cheap at auction a couple years ago. We will use this multia to dump the network traffic that NT creates on boot using TCPDump. The first problem we had was that our Multia is not Y2K compatible. Many of our files ended up with dates of 2019, and […]
Block IP Addresses With IPtables
We wrote about blocking particular IP addresses with the route command here. If you are already using iptables, or want to start, a better way is to block particular hosts: iptables -I INPUT -s 25.55.55.55 -j DROP This command will simply drop any packet coming from the address 25.55.55.55. To list the chains: iptables -L […]
Keylogging
Like anything else, keylogging can be used for good, or for evil. Here is a list of related links, including both hardware and software keyloggers. (Yow!) Regardless of the privacy issues, there are also security issues as well. Some trojans will install keylogger software as part of their kit. There are also keyloggers geared for […]
A Trojan in Every Port
If you have any kind of intrusion detection set up like Psionic’s PortSentry or a personal firewall, you’ll see attempts to connect on ports you may not be familiar with. Even looking up the port in /etc/services doesn’t tell the whole story. To find all known network services, trojans, worms and exploits associated with a […]
Virus Test File
Check out the European Institute for Computer Anti-Virus Research (EICAR) Anti-Virus Test File page. EICAR provides test files you can send to your users to determine if their anti-virus software is functioning correctly. We’ve seen this work fine on Trend Micro and Norton Anti-Virus software, but most anti-virus software should correctly detect these files. To […]
Quick and Dirty Host Block
If you are being attacked or abused by a particular host, just enter the following command to deny all access to the host: /sbin/route add -host <ip address> reject Replace <ip address> with the IP address of the host you want to block. The address will stay blocked until you bounce the interface. Alternatively, you could allow […]
Baseline Security Analyzer
Do check out the Baseline Security Analyzer tool from Microsoft. Just download the MSI package from the page and install it with a shortcut on the Desktop (default). We ran it against a fresh Windows 2000 install with just SP2 installed. Here is a screenshot of the results. We are alerted to many security issues. […]
Nmap Port Scanner
Nmap is a free port scanner you can use to audit your own network and ensure the security of your hosts from outside your firewall as well. It is also entirely likely that your external interfaces are being scanned at this very moment with Nmap, or tools like it. One cool thing about Nmap, is […]
NIMDA Scanner
Free NIMDA Scanner checks for known NIMDA worm files (admin.dll, load.exe, readme.exe, etc.), checks your system.ini, and remotely checks “Administrators” group for “Guest” account. Click here to download. [Beware of running free programs that scan for viruses… better look that gift horse in the mouth. 🙂 Ed.]
IPC$ Security Trick
It is possible to establish a security context with another domain by using the net use command. Syntax: net use \\<server name>\IPC$ /USER:<domain>\<account> Explanation: If you want to manage the Booky domain, with a PDC called Kooky, and you had an administrative account on Booky called bookadmin, you could use: net use \\kooky\IPC$ /USER:BOOKY\bookadmin you […]
Verifying File Integrity with MD5 Checksums
We use MD5deep, because it has a recursive option which we discuss in this article. For now, though, we are just going to cover how to verify the MD5 checksum on a file. Grab the MD5 checksum from a site authoritative for your software package, and grab the software from a mirror site. Of course, […]
Running KeePass Password Management on GNU/Linux with Wine
Managing all of the passwords one needs to know for both personal and job-related security is quite a challenge. KeePass is a password management program for Windows. It is open-source and released under the GPL, which means it is highly likely that this project will stay around in some form. It also appears to use […]
WinSCP Freeware SFTP and SCP client for Windows
WinSCP is a full featured GUI SCP client. This means that communication between the server and the client is encrypted well, unlike FTP or Explorer. WinSCP also includes synchronization options that will help minimize the amount of traffic needed to mirror filesystems. We installed all of the options: Here you can see the array of […]
Customizing the AFICK File Integrity Checker
In this article, we set up AFICK. Let’s adapt AFICK to use a particular directory tree and a different database. This way, we can fingerprint the OS on one run, and fingerprint more dynamic content with a different job. Here is our configuration file: [root@ids afick]# cat /etc/afickweb.conf database:=/var/lib/afickweb/afick history := /var/lib/afickweb/history archive := /var/lib/afickweb/archive […]
Using the AFICK File Integrity Checker
One important component of securing a system is to use a file integrity checker. There are multiple tools out there that can do this, including AIDE and Tripwire. One project that does what we need, has few installation requirements, is fairly easy to install, and is multi-platform is AFICK. In this article we will install […]
Spike in Port 12345 Traffic
We have noticed a surge in traffic on port 12345. This could be NetBus, or a variant. We suspect that some trojan backdoor is in the wild tacked on to a new worm. The worm is looking for other friendly hosts listening on port 12345. To see a historical chart of activity on this port, […]