Snort mailing list archives

RE: Code Red attacks


From: Erek Adams <erek () theadamsfamily net>
Date: Mon, 17 Sep 2001 17:33:02 -0700 (PDT)

On Tue, 18 Sep 2001, Greg Wright wrote:

> I liked the idea of configuring the server to return data to an exploited
> system that will patch the hole; however, the potential legality issues
> frighten me. However, I wonder...
>
> Isn't it possibly a little convoluted, in that the exploited system that you
> are 'putting' data on is actually requesting *something* from your server
> initially? The action of 'putting data' is the serving of a request
> initiated by the infected system.
>
> If you were to put data on your web server system that stops CodeRed, and an
> affected box attempted to scan for and pass a request to your server, then
> the data that it passes back was not sent directly, but sent in response to
> a request.
>
> What is the general opinion on this?

Well, this was hashed out at length last month on
vul-dev () securityfocus com.  I invite you to search the archives for what
others think...

But in short, IMHO it's a Bad Thing(tm).  If something else happens to the
server from your patch upload, then you are the one in the hotseat.  Yes, if
they can't patch a server, would they even notice you installing the patch?
Probably not.  But, if the corp IDS catches you and that IDS is owned by
someone else, your ass is in a sling.  "No, I didn't do anything wrong, I was
patching your server.  Well, yes I did upload code to it and reboot it, but I
was doing a good thing."  Big corps don't care.  They just want a scapegoat.

I for one, won't be a scapegoat. :)

Side note:  One topic of discussion was that CR uses blocking threads.  If you
configured a server or honeypot to hold the connection open, you'd stop that
machine from infecting others.

Anyways, check out vul-dev for a lengthy discussion on this...

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
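Added example (written for this archive page; not Snort's code and not the
poster's): a small application-level tarpit of the kind the side note above
describes. It classifies the first request line, answers ordinary requests with
a 404 right away, and for a Code Red-style probe starts an HTTP response but
never finishes the header block, dripping a header line every few seconds so
the peer keeps waiting. Assumptions: the probe signature (a GET for
/default.ida followed by a long run of N or X filler and the %u-encoded
payload) is the commonly cited one and is not a complete IDS rule; the worm's
scanning thread blocks on the held socket, as the post says; the sample
requests are constructed, not captured; port and timing values are arbitrary.

```python
import re
import socket
import threading
import time

# Assumed Code Red probe signature: request line for /default.ida with a long
# filler run (N in the first variant, X in v2) before the %u payload.  This is
# an illustration of the idea in the post, not a production IDS rule.
CODE_RED_PROBE = re.compile(rb"^GET /default\.ida\?[NX]{100,}")


def classify_request(first_chunk):
    """Return 'code-red' if the request line matches the probe, else 'other'."""
    return "code-red" if CODE_RED_PROBE.match(first_chunk) else "other"


def handle_connection(conn, hold_seconds=300.0, drip_interval=10.0):
    """Serve one connection: answer normal requests at once, tarpit Code Red.

    Returns (classification, seconds the connection was held open).
    """
    start = time.monotonic()
    conn.settimeout(5.0)
    try:
        head = conn.recv(1024)
    except (socket.timeout, OSError):
        conn.close()
        return ("other", 0.0)
    kind = classify_request(head)
    try:
        if kind == "code-red":
            # Begin a response but never send the blank line that ends the
            # headers, so a client waiting for a complete reply stays parked
            # here (assumption from the post: that parks the worm's thread).
            conn.sendall(b"HTTP/1.0 200 OK\r\n")
            while time.monotonic() - start < hold_seconds:
                time.sleep(drip_interval)
                conn.sendall(b"X-Tarpit: still-here\r\n")
        else:
            conn.sendall(b"HTTP/1.0 404 Not Found\r\nContent-Length: 0\r\n\r\n")
    except OSError:
        pass  # peer went away; nothing left to hold
    finally:
        conn.close()
    return (kind, time.monotonic() - start)


def demo_tarpit(request, hold_seconds=0.3, drip_interval=0.05):
    """Run handle_connection over an in-process socketpair (no network) and
    report what the client side saw: classification, hold time, drip count."""
    server_side, client_side = socket.socketpair()
    client_side.sendall(request)
    kind, held = handle_connection(server_side, hold_seconds, drip_interval)
    client_side.settimeout(0.5)
    received = b""
    try:
        while True:
            chunk = client_side.recv(4096)
            if not chunk:
                break
            received += chunk
    except socket.timeout:
        pass
    client_side.close()
    return {"kind": kind, "held_seconds": held,
            "drips": received.count(b"X-Tarpit"), "reply": received}


def serve(port=8080):
    """Listen on the given port and hand each connection to its own thread,
    so a held Code Red connection never blocks other clients."""
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("", port))
        srv.listen(64)
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle_connection, args=(conn,),
                             daemon=True).start()


# Constructed sample requests (not captured traffic): a Code Red-style probe
# with a short fragment of the %u payload, and an ordinary GET.
SAMPLE_CODE_RED = (b"GET /default.ida?" + b"N" * 224 +
                   b"%u9090%u6858%ucbd3%u7801%u9090%u6858 HTTP/1.0\r\n"
                   b"Host: www\r\n\r\n")
SAMPLE_NORMAL = b"GET /index.html HTTP/1.0\r\nHost: www\r\n\r\n"

if __name__ == "__main__":
    for name, req in (("code-red", SAMPLE_CODE_RED), ("normal", SAMPLE_NORMAL)):
        result = demo_tarpit(req)
        print(name, result["kind"], "held %.2fs" % result["held_seconds"],
              "drips", result["drips"])
```

Running the file exercises both samples through the socketpair demo; serve()
is the real listener. Note that this parks the worm only at the application
layer, which depends on the peer waiting for a reply; a LaBrea-style TCP
window tarpit would stall it even if it never reads.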