lists.openwall.net - Open Source and information security mailing list archives
Message-ID: <15533237421C6E4296CC33A2090B224A01068D71@UTDEVS02.campus.ad.utdallas.edu>
From: pauls at utdallas.edu (Schmehl, Paul L)
Subject: Re: looking for a tool

First of all, I'd like to thank all the people who offered to help. There were quite a few of them, and so I am not able to respond to all of the emails personally.

For future reference, you may assume that when I post something like this, I've already gone through all the standard troubleshooting steps. In fact, the techs had before I ever got there. I was called in because the standard steps didn't resolve the problem. These include (but are not limited to):

1) Running a full scan using up to date antivirus software (in our case, McAfee)
2) Running McAfee's Stinger, latest version
3) Booting in Safe Mode and removing files and registry entries
4) Killing processes and resetting permissions so they can't be restarted
5) Checking for open ports using Fport (as well as netstat, but it isn't to be trusted in a case like this)
6) Monitoring the machine's network activity using various tools
7) Etc., etc.

(Of course, the tools used were on a CD and other machines, not on the suspect computer's hard drive.)

My recommendation yesterday (to tech support) was to format the machine, because we can't afford to spend inordinate amounts of time trying to track down the origins of malicious software. (Besides, it's kind of a lesson learned for the end user that way anyway.)

My real concern, and the reason for posting to the list, was to find out why tools that I've depended on to give me the information I needed were unable to point to the cause of this problem, and to see if there were other tools that would have been useful.

I *did* learn about some tools that I was not aware of, which I will be adding to my arsenal:

1) Gregh told me about Essential Net Tools and Procmon
2) Robert Cowles told me about PORTqry v2
3) On another list I was told about Bart, a bootable Windows PE CD, HijackThis and CWSshredder

I received a number of suggestions, almost all of which I had already done. The most useful was that this was "CWS.Loadbat - Dastardly", which I think it may well have been.

For the purists among you, I apologize for mixing up Foundstone's and Sysinternals' tools in my original post. Mea culpa.

Paul Schmehl (pauls@...allas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/
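Step 5 of the message (netstat cannot be trusted on a compromised box, so cross-check it with an independent tool such as Fport) is the cross-view idea. The following is an added example, not part of the original message or any of the tools it names: it parses Windows "netstat -ano" output and compares it with a second view obtained by trying to bind() each port; a port that refuses to bind but is absent from netstat's LISTENING list deserves a closer look. The netstat text below is constructed, and the port-to-PID mapping it shows is only illustrative.

```python
import re
import socket

# Constructed sample of Windows "netstat -ano" output; not a real capture.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:5000         0.0.0.0:0              LISTENING       1776
  TCP    10.0.0.5:3389          10.0.0.9:51022         ESTABLISHED     1204
  UDP    0.0.0.0:137            *:*                                    4
"""
LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")

def parse_listening(netstat_text):
    """Return {port: pid} for every TCP socket netstat reports as LISTENING."""
    listening = {}
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            listening[int(m.group(1))] = int(m.group(2))
    return listening

def bind_probe(ports, host="0.0.0.0"):
    """Independent view: try to bind() each port ourselves. True = already owned
    by someone (EADDRINUSE), False = free, None = untestable (e.g. EACCES on a
    privileged port as non-root). SO_REUSEADDR is deliberately NOT set: on
    Windows it would let us bind over an existing listener and hide it."""
    result = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            try:
                s.bind((host, port))
                result[port] = False
            except PermissionError:
                result[port] = None
            except OSError:
                result[port] = True
    return result

def hidden_listeners(netstat_text, probe):
    """Ports the probe says are in use but netstat does not show as LISTENING:
    candidates for a hidden listener (or TIME_WAIT, so confirm before acting)."""
    reported = parse_listening(netstat_text)
    return sorted(p for p, in_use in probe.items() if in_use and p not in reported)

if __name__ == "__main__":
    # On a suspect host, feed real "netstat -ano" output instead of the sample.
    print("in use but not in netstat:",
          hidden_listeners(SAMPLE_NETSTAT, bind_probe(range(1, 1025))))
```

A port flagged here still needs confirmation with a second independent source (a scan from another machine, or an offline boot CD as in the message), since a single mismatch can be a transient socket state rather than a hidden process.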