RE: Problems with modem hanging up after an intrusion

From: McCammon, Keith (Keith.McCammonat_private)
Date: Thu Nov 08 2001 - 12:39:15 PST

    For starters, I'm not sure how you define a "little" intrusion.  That sounds
    fishy.  And you haven't given much information about the modem/RRAS
    configuration, so this is a shot in the dark, but...
    
    The obvious assumption would be that some activity on the server itself is
    keeping the connection open.  Some things to try:
    
    - Monitor system processes, preferably checking the process list against
    that of an identical machine in a known good state
    
    - Run something like FPort to find out what processes are attaching to the
    network
    
    - Check properties (checksums, ideally) of your system files
    
    - Set up a sniffer and watch, watch, watch...
    
    There's a pretty good chance that one of the four of these things will tell
    you what's happening on your system.  The first is tough if you don't have a
    spare box and a good deal of time.  The second and third can be done
    relatively easily with free tools (FSS comes to mind for file
    comparison--fast and dirty, and it works).  And the fourth will tell you
    100% if there is traffic being generated, or if something on the system
    itself is causing the modem to remain connected.
    
    Cheers
    
    Keith W. McCammon
    
    
    
    -----Original Message-----
    From: Progenit Service S.r.l. [mailto:agente_progenitat_private]
    Sent: Tuesday, November 06, 2001 3:18 AM
    To: incidentsat_private
    Subject: Problems with modem hanging up after an intrusion
    
    
    Hi all,
    
    recently I have had a "little" intrusion across a DSL connection on my NT
    Server (SP4 along with Backoffice SBS 4.5) that my firewall hasn't seen
    (I've already updated the policies...). After that, all the clients have
    many problems hanging up a connection using a shared modem installed on the
    NT server platform.
    I've already checked all services and their configurations (not yet the
    registry...).
    
    Any suggestions would be much appreciated..
    
    Thanks
    
    
    Giancarlo
    Technical Support
    P. S.
    Florence
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
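
An added example, not part of the original thread: one way to carry out the checksum comparison of system files suggested in the reply, by hashing a directory tree on a known-good machine and diffing it against the same tree on the suspect server. The function names and the file names in `demo()` are constructed for illustration.

```python
import hashlib
import os
import tempfile

def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def build_manifest(root):
    """Map each file under root (relative path, lower-cased) to its hash."""
    manifest = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/").lower()
            try:
                manifest[rel] = hash_file(full)
            except OSError as exc:  # locked or unreadable file: record it, don't skip
                manifest[rel] = "unreadable:" + type(exc).__name__
    return manifest

def diff_manifests(known_good, suspect):
    """Return files added to, missing from, or changed on the suspect machine."""
    common = set(known_good) & set(suspect)
    return {
        "added": sorted(set(suspect) - set(known_good)),
        "missing": sorted(set(known_good) - set(suspect)),
        "modified": sorted(p for p in common if known_good[p] != suspect[p]),
    }

def demo():
    """Constructed sample trees standing in for the two machines' system directories."""
    good = {"system32/example_a.dll": b"original", "system32/example_b.sys": b"driver",
            "system32/example_c.dll": b"present"}
    bad = {"system32/example_a.dll": b"patched", "system32/example_b.sys": b"driver",
           "system32/example_new.exe": b"unexpected"}
    with tempfile.TemporaryDirectory() as g, tempfile.TemporaryDirectory() as s:
        for root, files in ((g, good), (s, bad)):
            for rel, data in files.items():
                path = os.path.join(root, rel)
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "wb") as fh:
                    fh.write(data)
        return diff_manifests(build_manifest(g), build_manifest(s))

if __name__ == "__main__":
    print(demo())
```

Where possible, hash the suspect server's files from trusted media or with the disk mounted on another machine, since a compromised system can misreport its own files.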
    
    



    This archive was generated by hypermail 2b30 : Thu Nov 08 2001 - 13:04:19 PST