Snort mailing list archives
RE: Code Red attacks
From: Erek Adams <erek () theadamsfamily net>
Date: Mon, 17 Sep 2001 17:33:02 -0700 (PDT)
On Tue, 18 Sep 2001, Greg Wright wrote:
I liked the idea of configuring the server to return data to an exploited system that will patch the hole, however the potential legality issues frighten me, however I wonder... Isn't it possibly a little convoluted in that the exploited system that you are 'putting' data on is actually requesting *something* from your server initially. The action of 'putting data' is the serving of a request initiated by the infected system. If you were to put data on your web server system that stops CodeRed, and an affected box attempted to scan for and pass a request to your server, then the data that it passes back was not sent directly, but sent in response to a request. What is the general opinion on this?
Well, this has been hashed out at length last month on vul-dev () securityfocus com. I invite you to search the archives for what others think... But in short, IMHO it's a Bad Thing(tm). If something else happens to the server from your patch upload, then you are the one in the hot seat. Yes, if they can't patch a server, would they even notice you installing the patch? Probably not. But, if the corp IDS catches you and that IDS is owned by someone else, your ass is in a sling. "No, I didn't do anything wrong, I was patching your server. Well, yes I did upload code to it and reboot it, but I was doing a good thing." Big corps don't care. They just want a scapegoat. I, for one, won't be a scapegoat. :)

Side note: One topic of discussion was that CR uses blocking threads. If you configured a server or honeypot to hold the connection open, you stop that machine from infecting others.

Anyways, check out vul-dev for a lengthy discussion on this...

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
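The "hold the connection open" idea from the side note is a tarpit: a listener that recognises the worm's probe and simply never answers it, so the worm's blocking scanner thread sits waiting instead of moving on to the next target. The following is an added illustration written for this archive page, not code from the original thread or from any Snort component. It assumes the probe shape Code Red and Code Red II are known to send (a GET for /default.ida with a long run of N or X filler); the sample request bytes, the 50-character threshold, the hold time and the port are constructed values chosen for the example.

```python
import re
import socket
import threading
import time

# Code Red probes arrive as "GET /default.ida?" followed by a long run of
# identical filler characters: 'N' for Code Red, 'X' for Code Red II.
# The backreference requires at least 51 repeats of whichever character
# opens the run (threshold chosen for this example, not taken from the worm).
CODE_RED_RE = re.compile(rb"^GET /default\.ida\?([NX])\1{50,}")

# Constructed sample probe (shape only; not a capture of real worm traffic).
SAMPLE_CODE_RED_PROBE = (
    b"GET /default.ida?" + b"N" * 224 + b"%u9090%u6858 HTTP/1.0\r\n"
    b"Host: www\r\n\r\n"
)

NOT_FOUND = (
    b"HTTP/1.0 404 Not Found\r\n"
    b"Content-Length: 0\r\n"
    b"Connection: close\r\n\r\n"
)


def is_code_red_probe(request: bytes) -> bool:
    """True if the first bytes of the request match the Code Red probe shape."""
    return CODE_RED_RE.match(request) is not None


def classify(request: bytes) -> str:
    """Decide what the tarpit does with a request: hold it or answer and close."""
    return "tarpit" if is_code_red_probe(request) else "respond"


def handle_client(conn: socket.socket, hold_seconds: float) -> None:
    """Serve one connection: tarpit worm probes, 404 everything else."""
    conn.settimeout(5.0)
    try:
        head = conn.recv(4096)  # enough to see the request line
    except socket.timeout:
        conn.close()
        return
    try:
        if classify(head) == "tarpit":
            # Say nothing: the worm's blocking thread waits on a reply that
            # never comes.  Each held probe costs us one socket and one thread,
            # so hold_seconds bounds the resource we are willing to spend.
            time.sleep(hold_seconds)
        else:
            conn.sendall(NOT_FOUND)
    finally:
        conn.close()


def serve(bind=("0.0.0.0", 8080), hold_seconds=3600.0) -> None:
    """Run the tarpit listener (port and hold time are example values)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(bind)
        srv.listen(128)
        while True:
            conn, _addr = srv.accept()
            threading.Thread(
                target=handle_client, args=(conn, hold_seconds), daemon=True
            ).start()


if __name__ == "__main__":
    serve()
```

Point it at an otherwise unused port on a box you own and watch the held connections with netstat; the number of probes parked in ESTABLISHED is the number of worm threads not scanning anyone else for the duration of the hold. The cost is symmetric, which is why the hold time is a parameter rather than "forever".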