Hi,
Our usual response to any "sustained" scanning (usually "mscan") goes
something like:

    One of our firewalls detected traffic from your site that indicates
    1) you have a rogue user, or
    2) you have been hacked
    Logs of the activity are attached ....

It is surprising how many replies we get saying, "yeah it was #2". When
it's #1 we normally get a response saying the user account has been
terminated. Most of the major ISPs of the world are good. We've only had
one MAJOR (in .au) ISP refusing to do anything unless we involved the
police. They claimed they had to protect the "privacy" of their clients.
Colin
On Thu, 18 Mar 1999, Joshua Chamas wrote:
> Hi,
>
> I'm new to the firewall crowd, and don't know the proper response when
> what seem to be wannabe hackers do a port scan of your subnet.
> In this case it was someone checking port 12345 which seems to be
> associated with the win32 trojan/virus NetBus.
>
> Since the kid was coming from AOL, I reported the incident to them,
> but what really should be the appropriate response? I kind of feel
> like it was a piece of spam I was reporting with how trivial
> the port scan was. Maybe I need to just accept these incidents
> as a natural part of maintaining a firewall?
>