Re: When does a scan attempt become a focused attack?
Date: 10/22/03

    To: "dave kleiman" <>, "'Hunt, Jim'" <>,
    Date: Wed, 22 Oct 2003 18:04:40 +0000

    It's simple: When it becomes a bother to the admin, it's an attack.

    <begin Port-Scan war story>

    Several years ago, when I was the admin of a dot-com, we suddenly got a bunch of port scans on some very odd ports every hour, on the hour, for 20 or so minutes.

    Luckily, my IDS logged the IP, and when looking it up, I found it was coming from Bell Labs in New Jersey. I talked to the admin there; he confirmed it and gave me the name of the researcher the IP belonged to, as well as his email addy.
    I talked to the scientist, and he said that what he was doing was basic research, and I couldn't stop him.

    Now at that point, corporate policy was more than three portscans from the same IP in 24 hours was considered an attack.

    The nice thing about Bell Labs is that their web page showed all the researchers, and their place in the organization.

    A nice little letter of complaint to his supervisor, his supervisor's supervisor, and the VP who ran that branch of Bell Labs, with all documentation and correspondence to and from the scientist.

    Within 2 hours, the portscans stopped. A week later, the scientist was no longer on the org chart...

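The policy in the story above (more than three portscans from the same source IP within 24 hours is treated as an attack) is a simple sliding-window count that can be automated over IDS output. The following is an added example written for this page, not code from the original post or from any IDS product. It assumes a hypothetical one-line-per-alert log format (`timestamp kind src=... dst=... ports=...`) and assumes the lines are in time order; the sample alerts and the RFC 5737 documentation addresses in them are constructed for the example. Besides flagging a source, it keeps the timestamps that tripped the threshold, which is the documentation an admin needs when escalating to the remote site's administrators.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample IDS alerts (not from the original post). The first source
# scans every hour on the hour; the second scans three times in one day and
# once more the next day, just outside the 24-hour window. Lines are assumed
# to be sorted by timestamp, as a sequential IDS log would be.
SAMPLE_ALERTS = """\
2003-10-15T08:00:41Z portscan src=198.51.100.7 dst=203.0.113.5 ports=21,22,23
2003-10-15T09:00:12Z portscan src=192.0.2.10 dst=203.0.113.5 ports=27,31,42,57
2003-10-15T09:05:00Z http_probe src=192.0.2.10 dst=203.0.113.5 ports=80
2003-10-15T10:00:08Z portscan src=192.0.2.10 dst=203.0.113.5 ports=27,31,42,57
2003-10-15T11:00:15Z portscan src=192.0.2.10 dst=203.0.113.5 ports=27,31,42,57
2003-10-15T12:00:03Z portscan src=192.0.2.10 dst=203.0.113.5 ports=27,31,42,57
2003-10-15T13:47:51Z portscan src=198.51.100.7 dst=203.0.113.5 ports=80,443
2003-10-15T20:10:22Z portscan src=198.51.100.7 dst=203.0.113.5 ports=25,110
2003-10-16T09:30:00Z portscan src=198.51.100.7 dst=203.0.113.5 ports=139,445
"""

# The policy from the post: more than THRESHOLD scans per source in WINDOW.
THRESHOLD = 3
WINDOW = timedelta(hours=24)


def parse_alert(line):
    """Split one hypothetical alert line into (timestamp, kind, source IP)."""
    ts, kind, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), kind, kv["src"]


def find_attackers(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return {src_ip: [timestamps in the window when the policy was tripped]}.

    A per-source deque holds the scan times seen in the last `window`; older
    entries are dropped as newer alerts arrive, so the count is a true sliding
    window rather than a calendar-day bucket.
    """
    recent = defaultdict(deque)
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, kind, src = parse_alert(line)
        if kind != "portscan":  # only scan alerts count toward the policy
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        # Record the evidence once, at the moment the policy is first exceeded.
        if len(q) > threshold and src not in flagged:
            flagged[src] = list(q)
    return flagged


if __name__ == "__main__":
    for src, times in find_attackers(SAMPLE_ALERTS).items():
        print(f"{src}: {len(times)} scans in 24h, e.g. {times[0].isoformat()}"
              f" .. {times[-1].isoformat()}")
```

Running it flags only the hourly scanner, on its fourth scan; the second source never has more than three scans inside any 24-hour window, so it stays below the policy. The flagged timestamps are what would go into the correspondence to the remote admin.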
