RE: Incident response to being scanned

From: David Gillett (gillettdavid_at_fhda.edu)
Date: 04/25/03

Next message: Xueyan Liu: "RE: Cable Vs. DSL"

Previous message: Cosentino, Guilherme V.: "RE: Cable Vs. DSL"
In reply to: Bob Kelley: "Incident response to being scanned"
Next in thread: Fields, James: "RE: Incident response to being scanned"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: "'Bob Kelley'" <b0bk3ll3yjr@adelphia.net>, <security-basics@securityfocus.com>
Date: Fri, 25 Apr 2003 11:18:31 -0700

> -----Original Message-----
> From: Bob Kelley [mailto:b0bk3ll3yjr@adelphia.net]
>
> In reviewing my firewall and web server logs, I see repeated
> attempts from several ip addresses to scan my network as
> well as infect my webserver with code red. The source
> addresses are not always the same. I am confident that I
> don't have any holes in my firewall and my webserver is up
> to date. I perform weekly vulnerability scans of my
> equipment to make sure I am covered. What is considered
> the best practice for dealing with these incidents? Should I
> be filing abuse reports with the ISPs of the source IPs?
> This obviously takes time. I am looking for a business case
> to justify the time spent responding. Thanks

If a machine is infected with Code Red at this point, it
probably means that there is nobody who

  (a) understands the problem, and
  (b) cares about fixing it, and
  (c) can be found using available tools like whois.

i.e., the best use of your time is to make sure you're not
vulnerable, and move on.

Dave Gillett

---------------------------------------------------------------------------
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the
world's premier event for IT and network security experts. The two-day
Training features 6 hand-on courses on May 12-13 taught by professionals.
The two-day Briefings on May 14-15 features 24 top speakers with no vendor
sales pitches. Deadline for the best rates is April 25. Register today to
ensure your place. http://www.securityfocus.com/BlackHat-security-basics
----------------------------------------------------------------------------

Next message: Xueyan Liu: "RE: Cable Vs. DSL"

Previous message: Cosentino, Guilherme V.: "RE: Cable Vs. DSL"
In reply to: Bob Kelley: "Incident response to being scanned"
Next in thread: Fields, James: "RE: Incident response to being scanned"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

RE: [Full-Disclosure] Learn from history?
... In the case of a Windows-based network and excepting W98 and WME boxes, ... > left scratching your head wondering why your firewall didnt work. ... You have an anti-virus/e-mail/content solution which updates signatures ... When it starts trying to infect external addresses, ...
(Full-Disclosure)
Incident response to being scanned
... In reviewing my firewall and web server logs, ... Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the ... world's premier event for IT and network security experts. ... Training features 6 hand-on courses on May 12-13 taught by professionals. ...
(Security-Basics)
Re: Port scan attacks
... & Comnfigured) Firewall, ... That will tell you whether it's on your own ISP's Network or some ... Machines get infected by various bits of MalWare, ... Machines to Infect. ...
(uk.people.silversurfers)
RE: Distributed Firewall
... Subject: Distributed Firewall ... The network which connects them -- upon ... Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the ... Training features 6 hand-on courses on May 12-13 taught by professionals. ...
(Security-Basics)
RE: can ping but not browse
... I have stopped the firewall. ... # are safed from all (security) hazards. ... firewall/bastion host to the internet ... # internet and to an internal network, ...
(Fedora)