Security Incidents mailing list archives

Re: Annoy Those Sub7 Scanners.


From: Snehal Dasari <pavehawk () NAPALM NET>
Date: Mon, 28 Aug 2000 14:55:55 +0930

The question begs to be asked:

What happens if you hit an innocent person who was infected with Sub7?

What happens then?  How do you differentiate them from the actual attacker?

I'd like to think that if people got attacked, they report it to the ISP.

I'm in Australia, and I know of a person who was slapped with a charge for
"unauthorised access of confidential information" along with charges of
fraud and a few others.  All this because he decided to "retaliate".

Seems to me that there are too many risks involved in doing so.  This sort
of thing seems to be like warfare.  In a small-scale conflict, will the
military go out and just blanket everything with munitions, risking the
chance of killing innocent civilians?

Regards,
Snehal Dasari


-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS () SECURITYFOCUS COM]On
Behalf Of H Carvey
Sent: Monday, 28 August 2000 12:39 AM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Re: Annoy Those Sub7 Scanners.


What we need are more trojans like fakebo.

I wouldn't recommend any of the programs that open a
port, such as NukeNabber, FakeBO, or even a deception
toolkit.

What I've done is installed Win32-snort on my NT
system.  About once a week or so, I'll run a script
that will pull all of the snort alerts out of my
EventLog, and parse out the source IP addresses of the
various scans...mostly NetBIOS name queries, but often
Sub7 and the like.

Once that is done, the script can run nmapNT against
the system to ID open ports, fingerprint the OS, etc.
Powerful tools like Perl allow all sorts of
flexibility with what you can do.  Now, I don't
advocate a full-out StrikeBack capability, a la Winn
Schwartau, but I have found that some of the scans
have come from folks w/ Win95 machines with
fully-shared C:\ drives.

Carv
