From: dr.kaos (dr.kaoskaos.to)
Date: Fri Feb 22 2002 - 18:26:08 CST

On Friday 22 February 2002 07:04 pm, John Sage wrote:
> I used to feel the same, back in November, maybe, but it's late
> February 2002 and the incessant rain of Code Red/Nimda probes
> continues unrelenting.
>
> My personal opinion about all the infected boxes that are clearly
> utterly unmaintained by anyone is: "Screw 'em"
>
> I mean, these clowns are not paying a bit of attention to what they're
> doing, and they're ignorant to the fact that their boxes are still
> attempting to infect other clueless idiots^H^H^H^H^H^H people's boxes.
>
> Off with their heads!

Fair enough. And for the most part, I agree with you and Jeff both...
however, since I do this for a living, I have to stand behind what I preach.

Surprisingly, there are still a large number of well-known commercial
organizations like [name-removed] with security admins as clueless as our
unsuspecting home IIS user. Problem is, if we post their names and IPs to
the masses, we are in fact contributing to the possibility that their boxes
will generate _more_ noise in our logs because of the increased probability
that these infected hosts will be found.

For instance, in Jeff's earlier post, he mentioned an open relay on port 25
of the host he scanned. Anyone want to bet that someone saw that in the post
and uses the IP specified as a spam relay? I'm betting there's a pretty good
chance. And that just means more spam for you and me to killfile.

I agree, off with their heads! But... I think the best way to decapitate them
is to let their ISPs know about the problem so the ISPs can take them
offline till the problem is resolved. Then no more codered, no more nimda,
and no more spam, at least from _one_ IP...