Security Incidents mailing list archives

Attitude problem.


From: "Booth, David CWT-MSP" <dbooth () CARLSON COM>
Date: Thu, 21 Sep 2000 12:36:44 -0500

I am getting really annoyed at the attitude of many system managers to
reports of incidents. I'm not talking about the typical "your box
portscanned me" stuff that inexperienced blackICE users might generate, I'm
talking about serious reports with hard information indicating that a script
kiddie is at play on their network. I have received both kinds of reports
myself and can honestly say I have never failed to act upon this second
category. As far as I'm concerned that is part of being a responsible and
professional sysadmin - it seems some other folks don't share that view.

I recently contacted a bunch of admins to report 20+ possibly compromised
hosts that were being used to run an IRC botnet and were launching DoS
attacks including some that had hit my home firewall. I included firewall
logs where available and followed up passing on details of confirmed
compromises as they were received. There was a substantial body of evidence
to indicate that most of the 15 sites concerned had multiple root
compromises. The only reasons I'm not including it all here are to keep my
promise of confidentiality to those that did get back to me and to keep this
email to a reasonable length.

6 sites responded confirming they found and fixed compromised hosts, mostly
SGI machines with root compromises.

2 sites responded to say they were investigating but the kiddie's toys are
still there 2 months later.

2 broadband service providers sent me a form-letter response and took no
action.

The rest of them did nothing and this script kiddie now has over 45 hosts in
his botnet...

Wonder how many of those he got from sniffing passwords on the sites where
the admins didn't wake up and smell the coffee when I first notified them?

Dave Booth
Everything here is my opinion, not my employer's.
