Re: Not pulling the plug

[TMiller () NCIINC COM (Miller, Toby)]

I know this may a little late but this could be a sscan.

> -----Original Message-----
> From: Stephen Friedl [SMTP:friedl () MTNDEW COM]
> Sent: Wednesday, February 16, 2000 10:19 AM
> To:   INCIDENTS () SECURITYFOCUS COM
> Subject:      Not pulling the plug
>
> Hello all,
>
> For *two days*, an ADMROCKS-compromised machine in New Jersey has been
> doing
> a scan for TCP port 5 (what's this?), and the owner of the box refused to
> pull the plug while he fools with it. What's the best way to handle this?
>
> I spoke with him on Monday morning to let him know this is going on, and
> he
> had already been working on it, but another customer of mine got scanned
> again
> this morning, and he basically refuses to pull the plug.
>
> It is no crime to get hacked -- it happened to me -- but to leave a
> compromised
> machine on the network for two days seems like an arrogant and
> inconsiderate
> thing to your neighbors on the interent. I have sent a note with full logs
> to
> the upstream provider asking that this guy get cut off until he can
> properly
> secure his machine.
>
> Anybody who's been scanned by 12.3.24.2 (ns.rbscc.com) might wish to let
> the
> box owner know what you think about it:
>
>       RBS Computer Corporation
>       7 Short Hills Avenue
>       Short Hills, NJ 07078
>
>       (973) 379-3957 Voice
>       (973) 379-0751 Fax
>
> Steve
>
> ---
> Stephen J Friedl|Software Consultant|Tustin, CA|  +1 714 544-6561
> 3B2-kind-of-guy |I speak for me only|  KA8CMY  |steve () unixwiz net