Joe:

I agree.  I would add that one should verify that the scan was not part
of a larger, more successful attack before following up on the detected
attempt.  -AND- document all the events for future reference.


--
-----------------------------------------------------------------------
Dominick Glavach,  IS Security/System Engineer          [EMAIL PROTECTED]
Concurrent Technologies Corporation                     814/269-2469


PGP fingerprint: F1 EB F3 DE 69 93 80 BF  00 14 77 E9 8B 61 A8 73
PGP Public Key : ftp.ctc.com/pub/PGP-keys/glavach.asc
-----------------------------------------------------------------------
On Mar 19,  7:33am, Joe Matusiewicz wrote:
> Subject: Re: Netbus Scanner Response ?
> I have to agree with Colin on this.  We usually send some kind of notice to
> the Sysadm that we have been scanned by one of their systems.  One time we
> reached the Sysadm while the scan was still going on and he told us he knew
> his box was compromised but couldn't stop the scan because it was a
> critical mail host and his managers didn't want an outage.  He was,
> however, building a second box to replace his compromised host.
>
> Being scanned is just part of being a firewall administrator and there are
> no rules to go by, since, as far as I know, there are no laws against
> scanning someone's network.  We were always being scanned, we just first
> noticed it when we put systems in place to detect it.  If we get no
> response from the Sysadm and the scanning continues, we block the ISP's ip
> addresses at the border router.
>
> One caveat about reporting scans.  It is possible to spoof the source ip
> address of the scan so there is always the small possibility that the scan
> did not originate from where your logs tell you.  Which means pranksters
> can scan all of Netscape's domain and try to make it look like some host in
> microsoft.com did it.  That's why when I report a scan, I basically say
> that "Our log indicates...."
>
> -- Joe
>
>
> At 10:36 AM 3/19/99 +1000, Colin Campbell wrote:
> >Hi,
> >
> >Our usual response to any "sustained" scanning (usually "mscan") goes
> >something like:
> >
> >  One of our firewalls detected traffic from your site that indicates
> >
> >  1) you have a rogue user, or
> >  2) you have been hacked
> >
> >  Logs of the activity are attached ....
> >
> >It is surprising how many replies we get saying, "yeah it was #2". When
> >it's #1 we normally get a response saying the user account has been
> >terminated. Most of the major ISPs of the world are good. We've only had
> >one MAJOR (in .au) ISP refusing to do anything unless we involved the
> >police. They claimed they had to protect the "privacy" of their clients.
> >
> >Colin
> >
> >On Thu, 18 Mar 1999, Joshua Chamas wrote:
> >
> >> Hi,
> >>
> >> I'm new to the firewall crowd, and don't know the proper response when
> >> what seem to be wannabe hackers do a port scan of your subnet.
> >> In this case it was someone checking port 12345 which seems to be
> >> associated with the win32 trojan/virus NetBus.
> >>
> >> Since the kid was coming from AOL, I reported the incident to them,
> >> but what really should be the appropriate response.  I kind of feel
> >> like it was a piece of spam I was reporting, given how trivial
> >> the port scan was.  Maybe I need to just accept these incidents
> >> as a natural part of maintaining a firewall ?
> >>
> >
> >-
> >[To unsubscribe, send mail to [EMAIL PROTECTED] with
> >"unsubscribe firewalls" in the body of the message.]
>
>
>-- End of excerpt from Joe Matusiewicz


