Security Incidents mailing list archives
Re: Interesting reply
From: "Turpin, Jason" <jturpin () CHEMATCH COM>
Date: Mon, 23 Oct 2000 14:33:57 -0500
Attached are the log files (minus my IPs) showing all of the IPs from the last couple of days hitting port 1024.

-----Original Message-----
From: Aj Effin ReznoR [mailto:aj () REZNOR COM]
Sent: Friday, October 20, 2000 2:02 PM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Re: Interesting reply

Rick Ballard wrote:
On 16 Oct 2000, at 9:18, Keith Pachulski wrote:

I have to disagree with this "people scanning is from a compromised system". In most cases it comes down to someone on their home account (dialup, DSL, cable) doing the scanning from their home PC, which has not been compromised. Someone saying "my system has been compromised, I was not doing the scanning" is an easy way out of an account cancellation or legal ramifications which may follow from scanning/hacking activities. Best way to do it is three strikes and you're out. If the same user account gets caught three times, blackhole the user account.

I would say that if a scan comes from a dialup account it is probably not compromised and is probably just a wannabe script kiddie, but if the IP is not a dialup then the box is very likely to have been compromised. I have seen many scans coming from what appeared to be newly installed Red Hat Linux boxes, usually with the default Apache home page. It only takes a minute to install a rootkit on a box once it has been found to be exploitable.
Agreed completely, Rick. Also note, most all cable companies offering cable modem service have a Terms of Service that is signed by the client where they promise not to run services. The companies try to keep bandwidth usage down by not allowing web/FTP servers and such on their networks. While "it wasn't me, I was hacked" may get a user off the hook in their minds, if they were hacked, it's because they were running a service that got exploited, and having that service running in general is a violation of the TOS. Most of the domestic (US) attacks on my cable modem and my colo'd box are from cable modems running default Red Hat installs with an easily exploitable FTP daemon running.

-aj..
Attachment: firewall 10232000.txt
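The attached firewall log is not reproduced on the page, so the following is an added example (not from any poster in the thread) of the kind of tally a defender would run over such a log: it groups hits on destination port 1024 by source address and applies the "three strikes" idea from Keith Pachulski's post, counting distinct days rather than raw hits so that one noisy scan does not count as three offences. The log line layout and the sample lines are constructed and assumed.

```python
import re
from collections import defaultdict

# Constructed sample firewall log lines (not the attachment from the post; its
# real format is unknown). The field layout below is an assumption.
SAMPLE_LOG = """\
2000-10-21 03:12:44 DENY TCP 203.0.113.7:4021 -> 198.51.100.5:1024
2000-10-21 03:12:45 DENY TCP 203.0.113.7:4022 -> 198.51.100.5:1024
2000-10-22 11:05:01 DENY TCP 203.0.113.7:1337 -> 198.51.100.5:1024
2000-10-22 11:06:10 DENY TCP 192.0.2.44:2231 -> 198.51.100.5:1024
2000-10-23 08:00:00 DENY TCP 203.0.113.7:1338 -> 198.51.100.5:1024
2000-10-23 08:00:03 DENY TCP 192.0.2.44:2232 -> 198.51.100.5:80
"""

# One line: date time action proto src:sport -> dst:dport
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) \S+ (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def days_per_source(log_text, port=1024):
    """Map each source IP to the set of days on which it hit `port`."""
    days = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed layout
        if int(m.group("dport")) == port:
            days[m.group("src")].add(m.group("date"))
    return days


def three_strikes(log_text, port=1024, strikes=3):
    """Return sources seen hitting `port` on at least `strikes` distinct days."""
    return sorted(src for src, d in days_per_source(log_text, port).items()
                  if len(d) >= strikes)


if __name__ == "__main__":
    for src, d in sorted(days_per_source(SAMPLE_LOG).items()):
        print(f"{src:15} port 1024 on {len(d)} day(s): {sorted(d)}")
    print("three strikes:", three_strikes(SAMPLE_LOG))
```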