Snort mailing list archives

FW: cultural questions from a newbie


From: <support () nps-dc org>
Date: Tue, 5 Aug 2003 14:03:15 -0400

I think the majority of the infected boxes can be traced back to home
broadband users running unpatched MS software without a router between
their cable/DSL modem and their WinME box. 'whitehat'/honeypot guys/gals
specifically limit the outgoing traffic from their tests.

Sending these infected users a notice would be like telling a turtle they've
got duck s**t on their shell: 1) they wouldn't really know what to make of
it, 2) there's not much the avg. user can do w/o taking the time to d/l the
canned fixes from MS, or Symantec, et al.  Which, if they had the
inclination/clue, they'd have done by now.

Maybe a Win.Messenger svc message to their IP that they're infected... Er
wait, they get those all day but to push viagra so they won't care, or trust
you.

Good luck.

Fernando

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Ricky Charlet
Sent: Tuesday, August 05, 2003 12:01 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] cultural questions from a newbie


Howdy,

        OK, I've had snort snorting on my system for about 4 days now. (By the
way, count this as a success report on Mac OSX 10.2.6 with snort 2.0.0,
clean compile and install - no problems).

        So WOW! What a lot of attempted attacks there are! Yesterday alone I
have 14 attempted attacks and 24 attempted scans. For the 4 days the
attacks have been overwhelmingly aimed at MS-SQL server and
MS-ISS-ISAPI. The Rule descriptions (SIDs=2003 and 1243) say that the
worms "Slammer" and "Code Red" (respectively) used these
vulnerabilities to propagate.

        So my initial (newbie) assessment is that there are many unpatched, 
infected systems out there. I would guess that most of the infected 
systems are run by sys-admins who want to be white-hat guys or gals but 
are simply unaware that they have an infection.

        My big question is: what can be done to help the admins of these
infected systems? Because these attacks are against MS systems, sending
an email to root@<IP_ADDRESS> is very unlikely to reach anyone. It
seems to me that we would need the cooperation of each ISP to get a
message to the owners of the infected systems. But sending an email to
abuse@<ISP> seems a little extreme. Is there any current netiquette in
the snort community relating to how to get in touch with attacking
systems under the assumption that the sysadmin would correct the
infection if made aware of it?


---
Ricky Charlet
rcharlet () alumni calpoly edu
510.324.3163
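Before any abuse@<ISP> contact is worth considering, the alerts have to be grouped by the host that sent them. As an added example that is not part of the original thread, here is a small Python parser for Snort fast-format alert lines that tallies the two worm signatures the post names (SIDs 2003 and 1243) per source address; the alert lines, addresses and the SID-to-worm labels are constructed for this example.

```python
import re
from collections import Counter, defaultdict

# Snort "fast" alert lines, constructed for this example (documentation address ranges).
SAMPLE_ALERTS = """\
08/04-09:12:31.104512  [**] [1:2003:2] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 203.0.113.7:1434 -> 192.0.2.10:1434
08/04-09:12:35.220019  [**] [1:2003:2] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 203.0.113.7:1434 -> 192.0.2.10:1434
08/04-10:03:02.551004  [**] [1:1243:8] WEB-IIS ISAPI .ida attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.23:3179 -> 192.0.2.10:80
08/04-11:40:17.009871  [**] [1:2003:2] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 198.51.100.23:1434 -> 192.0.2.10:1434
08/04-12:15:44.300000  [**] [1:1243:8] WEB-IIS ISAPI .ida attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.99:2048 -> 192.0.2.10:80
not an alert line at all
"""

# One fast-format alert: timestamp, [gid:sid:rev], message, ..., {proto} src:port -> dst:port
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

# SIDs the post mentions, mapped to the worm whose propagation they detect (labels assumed here).
WORM_SIDS = {2003: "Slammer (MS-SQL)", 1243: "Code Red (IIS ISAPI .ida)"}

def parse_alerts(text):
    """Yield (sid, msg, src_ip) for every well-formed fast-alert line; skip the rest."""
    for line in text.splitlines():
        m = FAST_ALERT_RE.match(line)
        if m:
            yield int(m.group("sid")), m.group("msg"), m.group("src")

def infected_sources(text, sids=WORM_SIDS):
    """Tally worm-propagation alerts by attacking source: {src_ip: {sid: count}}."""
    tally = defaultdict(Counter)
    for sid, _msg, src in parse_alerts(text):
        if sid in sids:
            tally[src][sid] += 1
    return {ip: dict(counts) for ip, counts in tally.items()}

def notification_report(text, sids=WORM_SIDS):
    """One line per source, busiest first, naming the worm(s) seen from it."""
    lines = []
    for ip, counts in sorted(infected_sources(text, sids).items(),
                             key=lambda kv: (-sum(kv[1].values()), kv[0])):
        seen = ", ".join(f"{sids[s]} x{n}" for s, n in sorted(counts.items()))
        lines.append(f"{ip}: {seen}")
    return lines
```

Run `notification_report(open("alert").read())` against a real fast-format alert file to get one summary line per likely infected host; the source address is then what you look up to find the owning network.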



-------------------------------------------------------
This SF.Net email sponsored by: Free pre-built ASP.NET sites including Data
Reports, E-commerce, Portals, and Forums are available now. Download today
and enter to win an XBOX or Visual Studio .NET.
http://aspnet.click-url.com/go/psa00100003ave/direct;at.aspnet_072303_01/01
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

