Threat Level: green Handler on Duty: Richard Porter

SANS ISC InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Spyware Tool Kit, OSPF Filtering & Authentication, Port 559 Traffic Spike

Published: 2004-08-19
Last Updated: 2004-08-20 07:35:54 UTC
by Dave Brookshire (Version: 1)
0 comment(s)
Anti-Spyware Tool Kit

Yesterday's diary entry solicited a number of replies regarding the "tool kits" people use for fighting spyware, malware and viruses. I've collated the most popular, from both e-mail submissions and some from the Handlers themselves. This list is not necessarily complete in anyway...just a starter for people to help build their own kit.


Spybot - Search & Destroy : or
TDS-3 - Trojan Defence Suite
Process Explorer


Rogue/Suspect Anti-Spyware Products & Web Sites:
Broadband Reports (aka DSL Reports):,1

Please note, some or all of these tools are NOT for the novice, and should be used with GREAT care. If you are not careful, you may damage parts of your operating system.

OSPF Filtering & Authentication

Yesterday, Cisco released an advisory regarding a vulnerability in their OSPF implementation that could result in a DOS of a router. The notice also provided links to updated software that should resolve the issue. However, there are a number of SOPs (standard operating procedures) that router admins should be following that will also help mitigate this situation. In the case of OSPF, the protocol should be filtered at your borders, if possible, running only on "internal" interfaces, and authentication should be required. The following are links that should get you started:

Cisco Sample Configuration:
Another Sample Configuration:
Port 559 Scanning, Request for Packets

We have noted a marked increase in Port 559 scanning. This port may be related to the Domwis backdoor. Please submit any packet captures for this port to

More information here:

Handler-on-Duty: Dave Brookshire <dsb AT rlx DOT com>
0 comment(s)
Diary Archives