Security Incidents mailing list archives
Re: WORM FORENSICS?
From: Gabriel Wachman <wachmang () pacbell net>
Date: Tue, 18 Sep 2001 17:26:07 -0700
----- Original Message ----- From: "Technical Support" <bob () dexis net> To: "Jensenne Roculan" <jroculan () securityfocus com>; <incidents () securityfocus com> Cc: <forensics () securityfocus com>; <focus-ids () securityfocus com> Sent: Tuesday, September 18, 2001 1:24 PM Subject: WORM FORENSICS?
I feel that any server attacking another is fair game to publish data
about it.
Bob
In some cases, you may have a point, however can you be sure that the IP from which you were attacked isn't just an unaware compromised host? I was hit numerous times with NIMDA today, all by hosts the admins of which most likely had no idea they were being used. I agree that they have a responsibility to patch their servers, but I don't think it's appropriate to post their IPs, perform directory listings, or read log files. Not only is it illegal, but it doesn't really accomplish much since you're attacking the wrong person. I do understand the feeling of being attacked, and I know it's really tempting to launch a counter attack, especially since so many of the boxes performing these attacks are wide open. This isn't meant to be confrontational, but I feel that it's an important point to make. Gabriel ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- WORM FORENSICS? Technical Support (Sep 18)
- Re: WORM FORENSICS? Gabriel Wachman (Sep 18)