Re: WORM FORENSICS?

From: Gabriel Wachman (wachmang@pacbell.net)
Date: 09/19/01


Date: Tue, 18 Sep 2001 17:26:07 -0700
From: Gabriel Wachman <wachmang@pacbell.net>
Subject: Re: WORM FORENSICS?
To: Technical Support <bob@dexis.net>, Jensenne Roculan <jroculan@securityfocus.com>, incidents@securityfocus.com
Message-id: <00a001c140a1$acc098a0$0301a8c0@krusty>


----- Original Message -----
From: "Technical Support" <bob@dexis.net>
To: "Jensenne Roculan" <jroculan@securityfocus.com>;
<incidents@securityfocus.com>
Cc: <forensics@securityfocus.com>; <focus-ids@securityfocus.com>
Sent: Tuesday, September 18, 2001 1:24 PM
Subject: WORM FORENSICS?

> I feel that any server attacking another is fair game to publish data
about it.
>
> Bob

In some cases, you may have a point, however can you be sure that the IP
from which you were attacked isn't just an unaware compromised host? I was
hit numerous times with NIMDA today, all by hosts the admins of which most
likely had no idea they were being used. I agree that they have a
responsibility to patch their servers, but I don't think it's appropriate to
post their IPs, perform directory listings, or read log files. Not only is
it illegal, but it doesn't really accomplish much since you're attacking the
wrong person.

I do understand the feeling of being attacked, and I know it's really
tempting to launch a counter attack, especially since so many of the boxes
performing these attacks are wide open. This isn't meant to be
confrontational, but I feel that it's an important point to make.

Gabriel

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com



Relevant Pages

  • Re: WORM FORENSICS?
    ... Subject: WORM FORENSICS? ... from which you were attacked isn't just an unaware compromised host? ... post their IPs, perform directory listings, or read log files. ... but it doesn't really accomplish much since you're attacking the ...
    (Focus-IDS)
  • Re: these sshmucks are at it again...
    ... or don't check their log files. ... so they are just attacking random IP ... The '/var/log/secure' log file under Linux does ... several attempts, change the attempted user ...
    (comp.os.vms)