[personal profile] azekeil
This is not the entry I wanted to be making. This morning, I downloaded a program from a dodgy source as part of my job. Unfortunately I wasn't really awake and ran an 'update.exe' program contained within the zip file on my laptop. Nothing popped up. Hmm. I checked the process list but nothing was showing. I scanned the file with the company standard virus scanner, but it was reported clean. Five minutes later I got a call from IS asking me to disconnect my computer from the network and bring it to them for re-imaging. It appears I was 0wned by a r00tkit. Whoops...

Date: 2006-01-30 11:52 am (UTC)
From: [identity profile] poggs.livejournal.com
Hell. Your IS department is shit hot.

Date: 2006-01-30 12:03 pm (UTC)
From: [identity profile] azekeil.livejournal.com
Yes they are.

Date: 2006-01-30 02:16 pm (UTC)
From: [identity profile] tefkas.livejournal.com
Yep, that was my reaction, too. Impressive. Most impressive.

Date: 2006-01-30 03:11 pm (UTC)
From: [identity profile] meltie.livejournal.com
Yeah, very impressed :)

Date: 2006-01-30 11:55 am (UTC)
From: [identity profile] simonb.livejournal.com
Heh; sounds like your IS department has similar things in place as I've put into place.

The only difference is that I'm the one who'd drop your machine from the network :)

Date: 2006-01-30 11:56 am (UTC)
From: [identity profile] poggs.livejournal.com
JOOI, what have you put in place?

BTW, your icon - don't bother downing the network with one keystroke - have a crontab entry to down the network if you're not there to kick it. If you get made redundant, the network mysteriously disappears a week or two later.

Just don't get ill.

Date: 2006-01-30 12:09 pm (UTC)
From: [personal profile] gerald_duck
Arrange that it can receive its care and feeding via SMS, if necessary?

Personally, by contrast, I'm still helping my previous employer with I.T. issues a year on because I like them so much. Mileages can vary. (-8

Date: 2006-01-30 02:56 pm (UTC)
From: [identity profile] simonb.livejournal.com
JOOI, what have you put in place?

The main thing is arpwatcher which is designed to monitor new machines on a network; however I've hacked it up to also monitor how fast machines are looking for other boxes (which they have to do via RARP) and if they go over a certain amount I get an email.

You can also do fun things with IDSen like Snort. Having a web proxy or sniffer which can do virus scanning via ClamAV is useful as well.

The actual downing of the network port is done by hand - the dangers of false positives et al impacting on getting work done - but doesn't take long to do thanks to a script I wrote which uses SNMPv3 to disable a network port. I've written other scripts which let me track down IP addresses on the network as well.

Some of the above is dependent on the network structure I've put into place.

As for taking down a network.... rather than just downing a link which is easy to find, it's better to create a duplex mis-match. That causes some fun slowness to a network, but can be a right pain to track down!
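The rate check simonb describes (a host asking for lots of other boxes in a short time) can be reproduced offline over ARP request lines; this is an added example, not his arpwatch patch, and it assumes `tcpdump -n`-style ARP output as input with a constructed sample embedded below.

```python
import re
from collections import defaultdict

# Constructed sample in tcpdump's ARP output format (not from the original thread).
# 10.0.0.2 asks for several different hosts within a second (a sweep pattern);
# 10.0.0.9 only asks for its gateway a few times, which is normal traffic.
SAMPLE_ARP_LOG = """\
10:00:01.000000 ARP, Request who-has 10.0.0.5 tell 10.0.0.2, length 28
10:00:01.010000 ARP, Request who-has 10.0.0.6 tell 10.0.0.2, length 28
10:00:01.020000 ARP, Request who-has 10.0.0.7 tell 10.0.0.2, length 28
10:00:01.030000 ARP, Request who-has 10.0.0.8 tell 10.0.0.2, length 28
10:00:02.000000 ARP, Request who-has 10.0.0.1 tell 10.0.0.9, length 28
10:00:02.500000 ARP, Request who-has 10.0.0.9 tell 10.0.0.1, length 28
10:00:05.000000 ARP, Request who-has 10.0.0.1 tell 10.0.0.9, length 28
10:00:30.000000 ARP, Request who-has 10.0.0.20 tell 10.0.0.2, length 28
"""

ARP_REQ = re.compile(
    r"^(\d{2}):(\d{2}):(\d{2})\.(\d+) ARP, Request who-has (\S+) tell (\S+?),"
)

def parse_arp_requests(text):
    """Yield (seconds_since_midnight, sender_ip, target_ip) per ARP request line."""
    for line in text.splitlines():
        m = ARP_REQ.match(line)
        if not m:
            continue  # ARP replies and non-ARP lines are ignored
        h, mi, s, frac, target, sender = m.groups()
        t = int(h) * 3600 + int(mi) * 60 + int(s) + int(frac) / 10 ** len(frac)
        yield t, sender, target

def find_scanners(text, window=5.0, threshold=4):
    """Return {sender: peak distinct targets} for senders that ask for at least
    `threshold` distinct IPs within any `window`-second span (the alert condition)."""
    per_sender = defaultdict(list)
    for t, sender, target in parse_arp_requests(text):
        per_sender[sender].append((t, target))
    flagged = {}
    for sender, events in per_sender.items():
        events.sort()
        peak = 0
        for i, (t0, _) in enumerate(events):
            in_window = {tgt for t, tgt in events[i:] if t - t0 <= window}
            peak = max(peak, len(in_window))
        if peak >= threshold:
            flagged[sender] = peak
    return flagged

if __name__ == "__main__":
    for sender, peak in find_scanners(SAMPLE_ARP_LOG).items():
        print(f"ALERT {sender}: asked for {peak} distinct hosts within 5s")
```

Tune `window` and `threshold` to the normal ARP churn on your segment before wiring the alert to email, since false positives are exactly why simonb keeps the port shutdown manual.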

Date: 2006-01-30 03:10 pm (UTC)
From: [identity profile] poggs.livejournal.com
arpwatch is useful in your environment, but next to useless in mine. I have 20 or so VLANs and no desire to run a trunked VLAN out to my management server with 20 sub-interfaces! Have you run across the same problem?

My Cisco infrastructure (big!) sends MAC added/removed notification traps to an NMS which records them in MySQL, so I get full historical tracking of what was where, and when.

Duplex mismatches are easy. What you want to do is superglue fibre patch leads in to place. Nobody notices until they try to remove them from the expensive switch :-)

I must look at Snort.

Date: 2006-01-30 04:04 pm (UTC)
From: [identity profile] simonb.livejournal.com
I don't have this issue as I replaced the gaggle of VLANs (14 for all of 60 machines) with a couple of flat networks (internal, DMZ, backup) which works nicely given the size of our network (relatively small at just ~200 machines).

The only real solutions to this are either a machine per VLAN which takes in ARP/RARP requests and forwards them to your management machine or doing the whole 802.1q tagged VLAN dance to a machine capable of handling that number of tagged links.

Snort is quite useful - means playing catch up against people who use IM is far easier if nothing else :)

Date: 2006-01-30 12:06 pm (UTC)
From: [identity profile] azekeil.livejournal.com
Yeah. I must be more rigorous about segregating work from my laptop. I have been considering using Linux for my desktop - not a direct solution, but it will stop me from doing something like this in the future :). I had only just got VMWare installed onto that machine, which I was going to set up with a Windows partition just for this sort of thing, but really it needs to be on a separate machine on a separate network.

Date: 2006-01-30 03:11 pm (UTC)
From: [identity profile] poggs.livejournal.com
Find an old machine, clone its MAC address :-)

Date: 2006-01-30 02:28 pm (UTC)
From: [identity profile] microchip.livejournal.com
Whooooooooooooooooooooooooooops!

Handy tool - http://www.clamwin.com/ - ClamWin, the windows port of the ClamAV open source on-demand scanner, which is a very useful tool for checking anything fishy, and runs alongside an existing scanner.

What antivirus are you running, incidentally?

Date: 2006-01-30 06:53 pm (UTC)
From: [identity profile] azekeil.livejournal.com
My company have standardised on Norton.

Date: 2006-01-30 06:58 pm (UTC)
From: [identity profile] azekeil.livejournal.com
I'm not so sure :/

Although it did allow them to discover the root kit, but when I scanned I guess it had already done its work and reported a false negative back. Or simply only detected its effects, rather than the actual distribution mechanism.
