Security Incidents mailing list archives
Re: A slap on the wrist...?
From: "Greg S. Wirth" <greg () beldamar com>
Date: Thu, 31 Aug 2000 18:01:04 -0700
Hello...

I admin about 50 boxes from 3 different companies. I believe that tracking down every, or any, scans is a waste of time. I would say 75% of the time, the address that you track back is either not valid or is DHCP'd and results in tracking the wrong person. I think a lot of people get scared and slightly overreact to scans of their systems. If people secured their systems, they would not be vulnerable to what people are scanning for.

I also get calls from many of my clients with comments like "I got a log message saying I was scanned, what do I do??" I usually tell them to just let it go, as it's a waste of time to do anything about it, as my systems are pretty much secured. Those systems that aren't secured, in my opinion, deserve what they may get, because they haven't put enough money into finding a good admin that can keep up with all the hacks and exploits.

The only time I may track someone down is when they make repeated attempts to exploit something. This is then, in my opinion, worth the time to track them down. But even then, if you happen to get them dropped by their current ISP, they would just use another hacked account, or dig up another ISP.

This mail may seem rambling, but I haven't slept but 4 hours in 2 days, and been living off coffee, Pepsi, and those damn sandwiches from 7-11... So forgive me please. I hope you all understand what I am trying to say. In the end, scanners can't hurt you, unless you aren't secure. Putting time into trying to do something about it takes away from time you should be putting into securing your systems.

Enjoy!

Thursday, August 31, 2000, 12:19:12 PM, you wrote:
I still maintain that if you see a scan with fairly obvious malicious intent and you have the time (which probably most of us don't), report it. You may well be doing someone the favor of letting them know their box has been compromised. This isn't trigger-happy, this is seeing the neighbor's kid trying to break into cars, however incompetently, and giving the neighbor a friendly call knowing they probably don't want their kid doing this. Personally, I'd want to know.
SS> Generally what I do when I get a port scan is try my best to track it down
SS> to a source using ARING and nslookup. More often than not the source is
SS> some dynamically assigned address on some huge network and is almost
SS> impossible to trace to an individual. Occasionally though I have had some
SS> incidents go rather well.

SS> One time I saw somebody trying to connect to RPC on my box which is very
SS> much firewalled. This time the trace yielded a static IP address for
SS> somebody's mail server. They were running a very old linux kernel (2.1.X)
SS> and apparently hadn't done much for security patches and of course they
SS> had been owned by somebody. I let them know what happened and they were
SS> very grateful to know what had happened and even asked me for advice on
SS> how to prevent it.

SS> So, if you have the time, it's nice to track even random skip kiddy
SS> scans. It probably doesn't matter to you but it might matter to the
SS> person who owns the box on the other end of the scan.

SS> ---Steve

--
Greg S. Wirth
System Administrator
CTO http://www.shoplasvegas.com
CTO http://www.beladamar.com
FreeBSD Help http://www.pclv.com/ruch/index.html
-// FreeBSD: The Power To Serve \\-