[Geek] Whoops...
Jan. 30th, 2006 11:46 am
This is not the entry I wanted to be making. This morning, I downloaded a program from a dodgy source as part of my job. Unfortunately I wasn't really awake and ran an 'update.exe' program contained within the zip file on my laptop. Nothing popped up. Hmm. I checked the process list but nothing was showing. I scanned the file with the company standard virus scanner, but it was reported clean. Five minutes later I got a call from IS asking me to disconnect my computer from the network and bring it to them for re-imaging. It appears I was 0wned by a r00tkit. Whoops...
no subject
Date: 2006-01-30 11:56 am (UTC)
BTW, your icon - don't bother downing the network with one keystroke - have a crontab entry to down the network if you're not there to kick it. If you get made redundant, the network mysteriously disappears a week or two later.
Just don't get ill.
no subject
Date: 2006-01-30 12:00 pm (UTC)
no subject
Date: 2006-01-30 12:09 pm (UTC)
Personally, by contrast, I'm still helping my previous employer with I.T. issues a year on because I like them so much. Mileages can vary. (-8
no subject
Date: 2006-01-30 02:56 pm (UTC)
The main thing is arpwatcher which is designed to monitor new machines on a network; however I've hacked it up to also monitor how fast machines are looking for other boxes (which they have to do via RARP) and if they go over a certain amount I get an email.
You can also do fun things with IDSen like Snort. Having a web proxy or sniffer which can do virus scanning via ClamAV is useful as well.
The actual downing of the network port is done by hand - the dangers of false positives et al impacting on getting work done - but doesn't take long to do thanks to a script I wrote which uses SNMPv3 to disable a network port. I've written other scripts which let me track down IP addresses on the network as well.
Some of the above is dependent on the network structure I've put into place.
As for taking down a network.... rather than just downing a link which is easy to find, it's better to create a duplex mis-match. That causes some fun slowness to a network, but can be a right pain to track down!
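The rate check described above (alert when one host starts looking up far more neighbours than a normal machine would) is the kind of thing that catches a freshly compromised box sweeping the subnet. The following is an added example, not the commenter's script and not arpwatch itself: it parses constructed tcpdump-style ARP request lines, keeps a short sliding window per sender MAC, and flags a sender once it has asked for more than a set number of distinct targets inside that window. The line format, the thresholds, and every address in the sample data are assumptions made for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample ARP traffic in a tcpdump-like layout (made-up data, not the
# commenter's arpwatch output):
#   HH:MM:SS.ffffff <sender-mac> who-has <target-ip> tell <sender-ip>
def _constructed_arp_log():
    base = datetime(1900, 1, 1, 9, 0, 0)
    lines = []
    # A well-behaved host resolving its gateway now and then, plus one peer.
    for secs, target in ((0, "10.0.0.1"), (3, "10.0.0.1"), (4, "10.0.0.9"), (8, "10.0.0.1")):
        ts = (base + timedelta(seconds=secs)).strftime("%H:%M:%S.%f")
        lines.append(f"{ts} aa:bb:cc:dd:ee:01 who-has {target} tell 10.0.0.7")
    # A host sweeping twelve neighbours in just over two seconds.
    for i in range(12):
        ts = (base + timedelta(seconds=1, milliseconds=200 * i)).strftime("%H:%M:%S.%f")
        lines.append(f"{ts} 00:11:22:33:44:55 who-has 10.0.0.{20 + i} tell 10.0.0.5")
    lines.append("this line is noise and must be ignored")
    return sorted(lines)

SAMPLE_LOG = _constructed_arp_log()

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{6}) (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"who-has (?P<target>\d+\.\d+\.\d+\.\d+) tell (?P<sender>\d+\.\d+\.\d+\.\d+)$"
)

def parse_line(line):
    """Return (timestamp, sender_mac, target_ip, sender_ip) or None for unparseable input."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%H:%M:%S.%f")
    return ts, m["mac"], m["target"], m["sender"]

def find_arp_scanners(lines, window=timedelta(seconds=5), max_targets=10):
    """Return {sender_mac: (first_alert_time, distinct_targets)} for every sender
    that asked for more than `max_targets` distinct IPs within `window`.

    Distinct targets, not raw request count, is the signal: a host retrying its
    gateway a lot is noisy but harmless, a host walking the subnet is not.
    """
    recent = defaultdict(deque)  # sender mac -> deque of (timestamp, target)
    alerts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, mac, target, _sender_ip = parsed
        q = recent[mac]
        q.append((ts, target))
        # Drop requests that have aged out of the window.
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = {t for _, t in q}
        if len(distinct) > max_targets and mac not in alerts:
            alerts[mac] = (ts.strftime("%H:%M:%S"), len(distinct))
    return alerts

def alert_text(alerts):
    """Body of the notification a monitor would send out for each flagged sender."""
    return "\n".join(
        f"ARP sweep from {mac}: {count} distinct targets inside the window, first seen {when}"
        for mac, (when, count) in sorted(alerts.items())
    )

if __name__ == "__main__":
    print(alert_text(find_arp_scanners(SAMPLE_LOG)))
```

Deciding what to do with a flagged port is left to a person, as the comment says; the detector only produces the message. Tune `window` and `max_targets` to what your own subnets look like on a quiet day before trusting it.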
no subject
Date: 2006-01-30 03:10 pm (UTC)
My Cisco infrastructure (big!) sends MAC added/removed notification traps to an NMS which records them in MySQL, so I get full historical tracking of what was where, and when.
Duplex mismatches are easy. What you want to do is superglue fibre patch leads in to place. Nobody notices until they try to remove them from the expensive switch :-)
I must look at Snort.
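The historical "what was where, and when" store described in the comment above is what lets you answer, when a rootkitted laptop turns up, which port it was on and what else has ever been on that port. The following is an added example, not the commenter's NMS setup: it loads constructed records (the shape an NMS might keep after decoding MAC add/remove traps) into an in-memory SQLite table standing in for MySQL, and provides the three queries an incident responder reaches for. The table layout, switch names, port names and MACs are all assumptions for this example.

```python
import sqlite3

# Constructed MAC-notification records, as an NMS might store them after decoding
# switch add/remove traps. Made-up switches, ports and addresses.
EVENTS = [
    ("2006-01-30 09:00:00", "sw-floor2", "Gi1/0/12", "00:11:22:33:44:55", "added"),
    ("2006-01-30 09:05:00", "sw-floor2", "Gi1/0/3",  "aa:bb:cc:dd:ee:01", "added"),
    ("2006-01-30 09:30:00", "sw-floor2", "Gi1/0/12", "00:11:22:33:44:55", "removed"),
    ("2006-01-30 09:31:00", "sw-floor3", "Gi1/0/7",  "00:11:22:33:44:55", "added"),
]

def build_db(events):
    """Load the records into an in-memory SQLite table (stand-in for the MySQL store)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE mac_events ("
        "ts TEXT NOT NULL, switch TEXT NOT NULL, port TEXT NOT NULL, "
        "mac TEXT NOT NULL, action TEXT NOT NULL CHECK (action IN ('added', 'removed')))"
    )
    db.executemany("INSERT INTO mac_events VALUES (?, ?, ?, ?, ?)", events)
    db.commit()
    return db

def locate_mac(db, mac, at):
    """Where was `mac` plugged in at time `at`? Returns (switch, port) or None.
    The latest event at or before `at` decides; a trailing 'removed' means offline."""
    row = db.execute(
        "SELECT switch, port, action FROM mac_events "
        "WHERE mac = ? AND ts <= ? ORDER BY ts DESC LIMIT 1",
        (mac, at),
    ).fetchone()
    if row is None or row[2] != "added":
        return None
    return (row[0], row[1])

def port_history(db, switch, port):
    """Every event ever recorded on one port, oldest first, for tracing an incident back."""
    return list(
        db.execute(
            "SELECT ts, mac, action FROM mac_events WHERE switch = ? AND port = ? ORDER BY ts",
            (switch, port),
        )
    )

def moved_macs(db):
    """MACs seen 'added' on more than one switch/port: a laptop that wandered, or an
    address that is being reused from a second location and deserves a look."""
    return sorted(
        mac
        for (mac,) in db.execute(
            "SELECT mac FROM mac_events WHERE action = 'added' "
            "GROUP BY mac HAVING COUNT(DISTINCT switch || '/' || port) > 1"
        )
    )

if __name__ == "__main__":
    db = build_db(EVENTS)
    print(locate_mac(db, "00:11:22:33:44:55", "2006-01-30 09:15:00"))
    print(port_history(db, "sw-floor2", "Gi1/0/12"))
    print(moved_macs(db))
```

Timestamps are stored as ISO-8601 text so that plain string comparison orders them correctly; a real deployment would add indexes on `mac` and on `(switch, port)` once the table runs to millions of rows.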
no subject
Date: 2006-01-30 04:04 pm (UTC)
The only real solutions to this are either a machine per VLAN which takes in ARP/RARP requests and forwards them to your management machine or doing the whole 802.1q tagged VLAN dance to a machine capable of handling that number of tagged links.
Snort is quite useful - means playing catch up against people who use IM is far easier if nothing else :)