OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: dr.kaos (dr.kaoskaos.to)
Date: Fri Feb 22 2002 - 18:26:08 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    On Friday 22 February 2002 07:04 pm, John Sage wrote:

    > I used to feel the same, back in November, maybe, but it's late
    > February 2002 and the incessant rain of Code Red/Nimda probes
    > continues unrelenting.
    >
    > My personal opinion about all the infected boxes that are clearly
    > utterly unmaintained by anyone is: "Screw 'em"
    >
    > I mean, these clowns are not paying a bit of attention to what they're
    > doing, and they're ignorant to the fact that their boxes are still
    > attempting to infect other clueless idiots^H^H^H^H^H^H people's boxes.
    >
    > Off with their heads!

    Fair enough. And for the most part, I agree with you and jeff both...
    however, since I do this for a living, I have to stand behind what I preach.

    Surprisingly, there are still a large number of well-known commercial
    organizations like [name-removed] with security admins as clueless as our
    unsuspecting home IIS user. Problem is, if we post their names and IP's to
    the masses, we are in fact contributing to the possibility that their boxes
    will generate _more_ noise in our logs because of the increased probability
    that these infected hosts will be found.

    For instance, in Jeff's earlier post, he mentioned an open relay on port 25
    of the host he scanned. Anyone want to bet that someone saw that in the post
    and uses the IP specified as a spam relay? I'm betting there's a pretty good
    chance. And that just means more spam for you and me to killfile.

    I agree, off with their heads! But... I think the best way to decapitate them
    is to let their ISP's know about the problem so the ISP's can take them
    offline till the problem is resolved. Then no more codered, no more nimda,
    and no more spam, at least from _one_ IP...

    ./dr.k

    _______________________________________________
    Snort-users mailing list
    Snort-userslists.sourceforge.net
    Go to this URL to change user options or unsubscribe:
    https://lists.sourceforge.net/lists/listinfo/snort-users
    Snort-users list archive:
    http://www.geocrawler.com/redir-sf.php3?list=snort-users