Security Incidents mailing list archives
Ehm... what? (Re: Simultaneous Attacks)
From: martin.macok () UNDERGROUND CZ (Martin Macok)
Date: Tue, 11 Jul 2000 10:44:49 +0200
On Fri, Jul 07, 2000 at 02:39:08PM -0700, Ryan Russell wrote:
On Fri, 7 Jul 2000, Harlan S. Barney, Jr. wrote:
Today I have detected three simultaneous intrusions into my computer. I report ALL intrusions and expect maximum penalties.
scan != intrusion
Well, that's the problem we keep going around and around about. What you saw was a probe. Probes aren't illegal.
YES! Anytime I hear about mass blackholing some ISP (or worse, wanting them to take legal action) for 'letting' their users do portscanning or just simply connecting somewhere, it hurts me. Unless it really stresses your line/traffic, it's legal and normal ... don't care about it. Unless someone really breaks into your private, don't care about it.

The information about whether you're running ftpd, telnetd, httpd, smbd, pop3d and which versions isn't a priori private. If you plugged your computer into the Internet ... hey, you did it, this is Internet/TCPIP!

- you can always fix your network/hosts to not provide such information if you really don't want it to propagate. (firewalls, daemons, hosts(allow|deny), fix your security!)
- your security is almost on your own, fix it. Writing email complaints doesn't make you more secure ... and security is our matter, isn't it? (fix your own network, don't fix the world)
- you can't be sure about IPs in your syslog, they can be faked.
- if you are afraid of such scans, the problem is somewhere else.
- be paranoid, expect troubles, but don't make false alarms.
- remember, when it comes to REAL intrusion, you will not find anything interesting in your local syslog ;-) (secure your network against real hackers, then don't bother about funny script kiddies)

However, it could be a good idea to _inform_ the ISP about scans, especially when they are being repeated from there, just for their information. They could trace back one bad boy (or girl? ;-} ) and they could also be compromised well ...

I mean: blackhole what you want on your firewall (you have some, haven't you?) but don't shout out ".xy is a horde of portscanners and assassins, everyone must blackhole it." Don't expect the ISP to jail users for portscanning. It's not a crime nor a bad thing.
Have a nice day

:!nmap -O $YOUR_IP # just curious

--
< Martin Mačok martin.macok () underground cz <iso-8859-2>
\\ http://kocour.ms.mff.cuni.cz/~macok/ http://underground.cz/ //
\\\ -= t.r.u.s.t n.0 o.n.e =- ///