Swatch-Like Trojan Parser for Syslog

Discussion in 'Computer Security' started by Dotman, Dec 14, 2003.

  1. Dotman

    Dotman Guest

    Does anyone know of a script that will search syslog for potential
    Trojan infected hosts? A site I helped to clean up was extremely infected.
    Now I suspect some lingering programs. How is syslog checked for
    common trojan ports? Is there a swatch-like utility out there?
    Thanks
     
    Dotman, Dec 14, 2003
    #1
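A minimal swatch-style pass over syslog, added here as an example and not a tool anyone in the thread mentions: it parses the classic BSD syslog prefix plus the packet fields the Linux netfilter LOG target writes into kernel log lines, and flags any packet whose destination or source port is on a watchlist. The sample log lines are constructed, and the watchlist (three historically well-known trojan listeners) is an assumed starting point to be extended from your own incident findings.

```python
import re

# Illustrative watchlist (assumption): a few historically well-known trojan
# listener ports. Extend it from your own incident findings.
TROJAN_PORTS = {12345: "NetBus", 27374: "SubSeven", 31337: "Back Orifice"}

# Classic BSD syslog prefix "Mon DD HH:MM:SS host process: message", and the
# packet fields the netfilter LOG target writes into kernel log lines.
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
                       r"(?P<proc>[^:]+): (?P<msg>.*)$")
FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S*)")
# Constructed sample: outbound SubSeven connect, an sshd line, inbound Back
# Orifice probe, a normal web request, and a LAN host answering on NetBus.
SAMPLE_LOG = """\
Dec 14 03:22:01 gw kernel: IN=eth1 OUT= SRC=10.0.0.7 DST=198.51.100.9 PROTO=TCP SPT=1034 DPT=27374 WINDOW=5840
Dec 14 03:22:05 gw sshd[812]: Accepted password for dave from 10.0.0.2 port 3311 ssh2
Dec 14 03:22:09 gw kernel: IN=eth0 OUT= SRC=203.0.113.4 DST=10.0.0.7 PROTO=UDP SPT=1025 DPT=31337 LEN=48
Dec 14 03:22:12 gw kernel: IN=eth1 OUT= SRC=10.0.0.3 DST=198.51.100.20 PROTO=TCP SPT=1040 DPT=80 WINDOW=5840
Dec 14 03:22:15 gw kernel: IN= OUT=eth0 SRC=10.0.0.7 DST=203.0.113.8 PROTO=TCP SPT=12345 DPT=1051 ACK
"""

def parse_line(line):
    """Return (timestamp, logging host, packet fields) for a packet-log line, else None."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("msg")))
    return (m.group("ts"), m.group("host"), fields) if "DPT" in fields else None

def scan_lines(lines, watchlist=TROJAN_PORTS):
    """Flag packets whose destination or source port is on the watchlist.
    A watched SPT on outbound traffic means a local host is answering on it
    (something is listening); a watched DPT means a probe or a dial-out."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # sshd, cron, etc.: not a packet log line
        ts, host, f = parsed
        for role in ("DPT", "SPT"):
            port = int(f[role]) if f.get(role, "").isdigit() else None
            if port in watchlist:
                findings.append({"ts": ts, "logger": host, "src": f.get("SRC"),
                                 "dst": f.get("DST"), "proto": f.get("PROTO"),
                                 "port": port, "role": role, "name": watchlist[port]})
    return findings

if __name__ == "__main__":
    for h in scan_lines(SAMPLE_LOG.splitlines()):
        print(f"{h['ts']} {h['logger']}: {h['src']} -> {h['dst']} {h['proto']} {h['role']}={h['port']} ({h['name']})")
```

A port hit is a lead, not proof: these ports are trivially changed, so treat matches as a way to prioritise which hosts to look at first rather than as a substitute for the rebuild the replies recommend.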


  2. If the host was infected, there's no sure-fire way to determine if *all*
    files are safe. Your only hope is to backup your data/config files and
    reinstall from scratch. Probably your best option would be to replace
    the hard drive and use a new one, installing everything from scratch.
    Apply all patches prior to turning any daemons on.

    CERT has a nice "how to", for once you've been compromised.

    --
    Colonel Flagg
    http://www.internetwarzone.org/

    Privacy at a click:
    http://www.cotse.net

    Q: How many Bill Gates does it take to change a lightbulb?
    A: None, he just defines Darkness? as the new industry standard..."

    "...I see stupid people."
     
    Colonel Flagg, Dec 14, 2003
    #2

  3. There are many CERTs but I think that this is the one referred to.

    http://www.cert.org/

    Dave

     
    David H. Lipman, Dec 14, 2003
    #3