Tracking Down the Phantom Host

by John Payton
Sept. 25, 2017 | Tags: Symantec, phantonhost

Most information systems security professionals are familiar with the procedures for identifying malicious traffic among their routine data, and many of the same professionals are familiar with the forensic procedures required once you have identified a compromised host. But on more than one occasion, I have been asked how to locate a problem host when you are not sure where it is physically located. This problem can arise innocently, such as when network wiring diagrams are not kept up to date, or not so innocently, when a less-than-trustworthy administrator decides to put a web server on the company's DMZ so as not to use all the available bandwidth on his home cable modem. Let's suppose this is the case, and you start seeing that server probing port 80 on other machines attached to your network.

2flash 7 months, 3 weeks ago

Good piece. I like the correlation with DMZ also.