Snort mailing list archives
Re: A case of beer on 63.204.135.168
From: "ipfw sponix" <sponix2ipfw () hotmail com>
Date: Fri, 22 Feb 2002 21:04:52 -0600
<rant> I'd have to follow John Sage <jsage () finchhaven com> a bit on that one. Well, I'm just a bit tired of these idiots draining my bandwidth. I mean, it's cut down to 3-20 attempts a day now, but when Nimda first came out we had a year-old log file grow to three-fourths Nimda logging in less than 4 hours.
If I thought there was a snowball's chance ---- I'd start sending out bills to these people for monthly wasted bandwidth due to their ignorance...
Moral of the story is, if these people can't learn to operate their computers a bit they should box them up and donate them to one of my projects or something.
For the record, the posting of IPs and so forth is a bit overboard imho -- attempting to contact the person, or their ISP is best :)
Well, take care
sponix </rant>
From: dr.kaos <dr.kaos () kaos to>
To: John Sage <jsage () finchhaven com>, snort-users () lists sourceforge net
Subject: Re: [Snort-users] A case of beer on 63.204.135.168
Date: Fri, 22 Feb 2002 19:26:08 -0500

On Friday 22 February 2002 07:04 pm, John Sage wrote:
> I used to feel the same, back in November, maybe, but it's late
> February 2002 and the incessant rain of Code Red/Nimda probes
> continues unrelenting.
>
> My personal opinion about all the infected boxes that are clearly
> utterly unmaintained by anyone is: "Screw 'em"
>
> I mean, these clowns are not paying a bit of attention to what they're
> doing, and they're ignorant to the fact that their boxes are still
> attempting to infect other clueless idiots^H^H^H^H^H^H people's boxes.
>
> Off with their heads!

Fair enough. And for the most part, I agree with you and Jeff both...however, since I do this for a living, I have to stand behind what I preach.

Surprisingly, there are still a large number of well-known commercial organizations like [name-removed] with security admins as clueless as our unsuspecting home IIS user. Problem is, if we post their names and IPs to the masses, we are in fact contributing to the possibility that their boxes will generate _more_ noise in our logs because of the increased probability that these infected hosts will be found.

For instance, in Jeff's earlier post, he mentioned an open relay on port 25 of the host he scanned. Anyone want to bet that someone saw that in the post and uses the IP specified as a spam relay? I'm betting there's a pretty good chance. And that just means more spam for you and me to killfile.

I agree, off with their heads! But... I think the best way to decapitate them is to let their ISPs know about the problem so the ISPs can take them offline till the problem is resolved. Then no more codered, no more nimda, and no more spam, at least from _one_ IP...

./dr.k

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Re: A case of beer on 63.204.135.168 ipfw sponix (Feb 22)