Security Basics mailing list archives

Re: RE: Incident response to being scanned

From: Bob Kelley <b0bk3ll3yjr () adelphia net>
Date: Sat, 26 Apr 2003 5:13:51 -0400

Yes. All patched, behind a sound firewall and IIS Lockdown.  It's a static site so URLScan works like a champ.

From: "Security News" <security () riggstar com>
Date: 2003/04/26 Sat AM 01:53:22 EDT
To: "Bob Kelley" <b0bk3ll3yjr () adelphia net>
Subject: RE: Incident response to being scanned

Heck yeah, report those folks to their ISPs.  Also, is your webserver locked
down, and I don't only mean security patches?

-----Original Message-----
From: Bob Kelley [mailto:b0bk3ll3yjr () adelphia net]
Sent: Friday, April 25, 2003 1:16 AM
To: security-basics () securityfocus com
Subject: Incident response to being scanned

In reviewing my firewall and web server logs, I see repeated attempts from
several ip addresses to scan my network as well as infect my webserver  with
code red.  The source addresses are not always the same.  I am  confident
that I don't have any holes in my firewall and my webserver is  up to date.
I perform weekly vulnerability scans of my equipment to make  sure I am
covered.   What is considered the best practice for dealing with these
incidents?  Should I be filing abuse reports with the ISPs of the source
IPs?  This  obviously takes time.  I am looking for a business case to
justify the  time spent responding.    Thanks

---------------------------------------------------------------------------
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the
world's premier event for IT and network security experts.  The two-day
Training features 6 hand-on courses on May 12-13 taught by professionals.
The two-day Briefings on May 14-15 features 24 top speakers with no vendor
sales pitches.  Deadline for the best rates is April 25.  Register today to
ensure your place.  http://www.securityfocus.com/BlackHat-security-basics
----------------------------------------------------------------------------



---------------------------------------------------------------------------
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the 
world's premier event for IT and network security experts.  The two-day 
Training features 6 hand-on courses on May 12-13 taught by professionals.  
The two-day Briefings on May 14-15 features 24 top speakers with no vendor 
sales pitches.  Deadline for the best rates is April 25.  Register today to 
ensure your place.  http://www.securityfocus.com/BlackHat-security-basics 
----------------------------------------------------------------------------

Current thread:

Incident response to being scanned Bob Kelley (Apr 25)
- RE: Incident response to being scanned David Gillett (Apr 28)
- Re: Incident response to being scanned security () nuvox net (Apr 28)
- <Possible follow-ups>
- RE: Incident response to being scanned Fields, James (Apr 28)
- RE: Incident response to being scanned Allan Schon (Apr 28)
- Re: Incident response to being scanned H Carvey (Apr 28)
- Re: RE: Incident response to being scanned Bob Kelley (Apr 28)
  - RE: RE: Incident response to being scanned Security News (Apr 28)
- Re: Incident response to being scanned Paris Stone (Apr 28)
- Re: RE: Incident response to being scanned Frank Gearhart (Apr 29)