> To me, that pattern sounds a lot more like someone's > hacked a server and set up a warez site. This could very well be, particularly if there is an FTP server floating around on the connection. > See if you can put a sniffer on the outbound > connection (Sniffer is my commercial favorite) to > find the endpoints. Sniffer isn't needed to find the endpoints...only netstat on the local box. > There are lots of reasons your > IDS isn't raising alarms: the system that was hacked > was already an FTP server, or if your IDS isn't > monitoring common protocols from servers, or the IDS > system doesn't see the traffic going to the hacked > system, et al. Well, not so much that the IDS didn't see it, but the IDS didn't have a signature for the traffic that it did see... Harlan __________________________________ Do you Yahoo!? SBC Yahoo! DSL - Now only $29.95 per month! http://sbc.yahoo.com ---------------------------------------------------------------------------- Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the world's premier technical IT security event! 10 tracks, 15 training sessions, 1,800 delegates from 30 nations including all of the top experts, from CSO's to "underground" security specialists. See for yourself what the buzz is about! Early-bird registration ends July 3. This event will sell out. www.blackhat.com ----------------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Mon Jun 30 2003 - 10:50:30 PDT