Details
To find vulnerable machines in the campus network we use a number of security scanners. Nessus is our primary tool.
The scans are conducted twice a month, plus we run an incremental scan whenever a new vulnerability is discovered. The results are available to UofT network administrators from a password-protected, SSL-enabled web site in two formats: NBE and custom HTML. If you are a network administrator responsible for a group of machines, you can request access to the scan results by sending an email to security.admin@utoronto.ca
Various operating systems and applications behave differently when scanned. The Spurious Scan Results page lists some of them.
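The NBE export mentioned above is a plain pipe-delimited text format, so a network administrator can triage it with a few lines of script. The following is an added example written for this page, not a UofT tool and not Nessus code. It assumes the Nessus 2.x NBE layout: each line starts with a record type ("timestamps" or "results"), a results record has the fields results|network|host|port|plugin_id|severity|description, and newlines inside the description are escaped as the two characters "\n". The sample scan output is constructed; the addresses, plugin ids and dates are placeholders.

```python
# Added example (not from the page): parse Nessus NBE lines and summarize them
# so an administrator can see which hosts need attention first.
# Assumed NBE layout: results|network|host|port|plugin_id|severity|description
from collections import Counter
from dataclasses import dataclass

# Constructed sample NBE export; hosts, plugin ids and dates are placeholders.
SAMPLE_NBE = """\
timestamps|||scan_start|Mon Feb  7 09:00:00 2005|
timestamps||192.0.2.10|host_start|Mon Feb  7 09:00:05 2005|
results|192.0.2|192.0.2.10|ssh (22/tcp)|10267|Security Note|SSH server type and version
results|192.0.2|192.0.2.10|ftp (21/tcp)|10079|Security Hole|Anonymous FTP is enabled.\\nRisk factor : High
results|192.0.2|192.0.2.10|general/tcp|10180|Info|Host is up
timestamps||192.0.2.10|host_end|Mon Feb  7 09:03:12 2005|
results|192.0.2|192.0.2.11|snmp (161/udp)|10264|Security Warning|Default community names of the SNMP agent
timestamps|||scan_end|Mon Feb  7 09:10:00 2005|
"""

# Severity labels used by Nessus 2.x NBE, ranked so they can be compared.
SEVERITY_RANK = {"Info": 0, "Security Note": 1, "Security Warning": 2, "Security Hole": 3}


@dataclass
class Finding:
    network: str
    host: str
    port: str
    plugin_id: str
    severity: str
    description: str


def parse_nbe(text: str) -> list[Finding]:
    """Return the 'results' records of an NBE export; timestamp records are skipped."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("results|"):
            continue
        # The description is the last field and may itself contain '|', so split at most 6 times.
        parts = line.split("|", 6)
        if len(parts) != 7:
            continue  # malformed line: skip rather than abort the whole report
        _, network, host, port, plugin_id, severity, description = parts
        findings.append(Finding(network, host, port, plugin_id, severity,
                                description.replace("\\n", "\n")))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity label."""
    return dict(Counter(f.severity for f in findings))


def hosts_at_or_above(findings: list[Finding], severity: str) -> list[str]:
    """Hosts with at least one finding at the given severity or worse, sorted."""
    threshold = SEVERITY_RANK[severity]
    return sorted({f.host for f in findings
                   if SEVERITY_RANK.get(f.severity, 0) >= threshold})


if __name__ == "__main__":
    results = parse_nbe(SAMPLE_NBE)
    print("findings by severity:", summarize(results))
    print("hosts needing attention:", hosts_at_or_above(results, "Security Warning"))
    for f in results:
        if f.severity == "Security Hole":
            print(f"{f.host} {f.port} plugin {f.plugin_id}: {f.description.splitlines()[0]}")
```

Splitting with a bounded number of separators matters: Nessus descriptions can contain the pipe character, and a naive split would shift the fields. Unknown severity labels are treated as informational rather than raising, so a single odd line does not stop triage of the rest of the report.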
Links:
Worms and Rootkits:
RootKit F.A.Q.
chkrootkit - locally checks for signs of a rootkit (Linux 2.0.x, 2.2.x; FreeBSD 2.2.x, 3.x, 4.0; OpenBSD 2.6, 2.7, 2.8; Solaris 2.5.1, 2.6, 8.0)
Online Solaris Fingerprint Database manual
Solaris Fingerprint Database Companion and SideKick - can be used to collect signatures for files known to be replaced by "rootkits" (perl, shell)
Lion Worm (Linux)
t0rn rootkit
Exploitation of snmpXdmid (Solaris)
sadmind/IIS worm (Solaris, Windows)
Exploit tool for Linux services: BIND, wu-ftpd, statd
.ida "Code Red" worm (Microsoft IIS)
Update.ida "Code Red" worm, date bomb (Microsoft IIS)
NIMDA worm (Microsoft)
DDoS info:
ddos_find - can be used to detect the presence of DDoS tools (Solaris 2.x)
A Breakdown of the SANS Top Ten Threats
Last updated: Feb 7, 2005