Security Incidents mailing list archives

Re: Interesting reply


From: Rick Ballard <RB.MailLists () ns sympatico ca>
Date: Mon, 16 Oct 2000 15:59:35 -0300

On 16 Oct 2000, at 9:18, Keith Pachulski wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I have to disagree with this "people scanning is from a compromised
system". In most cases it comes down to someone on their home account
(dialup, DSL, cable) doing the scanning from their home PC which has
not been compromised. Someone saying "my system has been compromised,
I was not doing the scanning" is an easy way out of an account
cancellation or legal ramifications which may follow from
scanning/hacking activities. Best way to do it is three strikes and
you're out. If the same user account gets caught three times, blackhole
the user account.

I would say that if a scan comes from a dialup account it is
probably not compromised and is probably just a wannabe script
kiddie, but if the IP is not a dialup then the box is very likely to have
been compromised. I have seen many scans coming from what
appeared to be newly installed Red Hat Linux boxes, usually with
the default Apache home page. It only takes a minute to install a
rootkit on a box once it has been found to be exploitable.
--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Rick Ballard                    Rick.Ballard () ns sympatico ca
Halifax, Nova Scotia, Canada    http://www3.ns.sympatico.ca/Rick.Ballard

