Snort mailing list archives

Re: A case of beer on 63.204.135.168


From: "ipfw sponix" <sponix2ipfw () hotmail com>
Date: Fri, 22 Feb 2002 21:04:52 -0600

<rant>
I'd have to follow John Sage <jsage () finchhaven com> a bit on that one

Well, I'm just a bit tired of these idiots draining my bandwidth. I mean, it's cut down to 3-20 attempts a day now, but when Nimda first came out we had a year-old log file grow to three fourths Nimda logging in less than 4 hours.

If I thought there was a snowball's chance ---- I'd start sending out bills to these people for monthly wasted bandwidth due to their ignorance...

Moral of the story is, if these people can't learn to operate their computers a bit they should box them up and donate them to one of my projects or something.


for the record, the posting of IP's and so forth is a bit overboard imho -- attempting to contact the person, or their ISP is best :)

well, take care
sponix
</rant>




From: dr.kaos <dr.kaos () kaos to>
To: John Sage <jsage () finchhaven com>, snort-users () lists sourceforge net
Subject: Re: [Snort-users] A case of beer on 63.204.135.168
Date: Fri, 22 Feb 2002 19:26:08 -0500

On Friday 22 February 2002 07:04 pm, John Sage wrote:

> I used to feel the same, back in November, maybe, but it's late
> February 2002 and the incessant rain of Code Red/Nimda probes
> continues unrelenting.
>
> My personal opinion about all the infected boxes that are clearly
> utterly unmaintained by anyone is: "Screw 'em"
>
> I mean, these clowns are not paying a bit of attention to what they're
> doing, and they're ignorant to the fact that their boxes are still
> attempting to infect other clueless idiots^H^H^H^H^H^H people's boxes.
>
> Off with their heads!

Fair enough. And for the most part, I agree with you and Jeff both...
however, since I do this for a living, I have to stand behind what I preach.

Surprisingly, there are still a large number of well-known commercial
organizations like [name-removed] with security admins as clueless as our
unsuspecting home IIS user. Problem is, if we post their names and IP's to
the masses, we are in fact contributing to the possibility that their boxes
will generate _more_ noise in our logs because of the increased probability
that these infected hosts will be found.

For instance, in Jeff's earlier post, he mentioned an open relay on port 25
of the host he scanned. Anyone want to bet that someone saw that in the post
and uses the IP specified as a spam relay? I'm betting there's a pretty good
chance. And that just means more spam for you and me to killfile.

I agree, off with their heads! But... I think the best way to decapitate them
is to let their ISP's know about the problem so the ISP's can take them
offline till the problem is resolved. Then no more codered, no more nimda,
and no more spam, at least from _one_ IP...

./dr.k

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



