TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------
To the forum:
I started getting these about a year ago and it is definitely not a problem
with RS. I have researched about 50 of these with correlation software with
my firewall logs. And in contacting the Apache "owner" they have 100% found
their machine had been compromised and contained exploit / scanner software.
My recommendation, unless you are bored, haha, is to correlate with your
firewall logs through a script or ISS Decisions and, if blocked, record it as
a success in the area of prevention and detection for the executives.
The #1 source appears to be from Korea.
BTW: If you research the source IP and they are a US based company (or
government), they have been most appreciative in knowing they have been
burned. Their responses are sometimes hilarious. ("What's a hacker?", "We
are a Secure ISP", "I just unplugged the power in my building, will that
protect me?").
Jim McConnell, CISSP, CISA, CISS
Manager
GTE Information Security - TSI
813-209-3740
mailto:[EMAIL PROTECTED]
SECRITY doesn't work without "U"
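Jim's suggestion to correlate each IPHalfScan alert against the firewall log, as an added example that is not part of either post: it takes constructed RealSecure-style alert lines and firewall lines (the field layout is assumed), matches them by source IP within a time window, and classifies each scan as prevented, reached, or unseen.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the posts). The field layout is an
# assumption; adapt the two parsers to your sensor export and firewall format.
IDS_ALERTS = [
    "2000-07-31 14:02:11 IPHalfScan src=192.0.2.77 dst=203.0.113.5",
    "2000-07-31 14:05:40 IPHalfScan src=198.51.100.9 dst=203.0.113.12",
    "2000-07-31 14:20:02 IPHalfScan src=192.0.2.200 dst=203.0.113.30",
]
FW_LOG = [
    "2000-07-31 14:02:12 DENY TCP 192.0.2.77 -> 203.0.113.5:80",
    "2000-07-31 14:02:13 DENY TCP 192.0.2.77 -> 203.0.113.6:80",
    "2000-07-31 14:05:41 ACCEPT TCP 198.51.100.9 -> 203.0.113.12:80",
    "2000-07-31 14:05:42 DENY TCP 198.51.100.9 -> 203.0.113.13:80",
]

def parse_alert(line):
    date, clock, _sig, src, dst = line.split()
    return {"ts": datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S"),
            "src": src.split("=", 1)[1], "dst": dst.split("=", 1)[1]}

def parse_fw(line):
    date, clock, action, _proto, src, _arrow, dst = line.split()
    return {"ts": datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S"),
            "action": action, "src": src, "dst": dst.rsplit(":", 1)[0]}

def correlate(alerts, fw_lines, window=timedelta(minutes=5)):
    """For each IDS alert, collect firewall records from the same source IP
    within `window` and classify: 'prevented' (every hit denied), 'reached'
    (at least one accept), or 'unseen' (no firewall record at all, which
    usually means the sensor sits outside the firewall or logging is off)."""
    fw = [parse_fw(l) for l in fw_lines]
    results = []
    for a in map(parse_alert, alerts):
        hits = [f for f in fw
                if f["src"] == a["src"] and abs(f["ts"] - a["ts"]) <= window]
        denied = sum(1 for f in hits if f["action"] == "DENY")
        allowed = len(hits) - denied
        verdict = "unseen" if not hits else ("reached" if allowed else "prevented")
        results.append({"src": a["src"], "denied": denied,
                        "allowed": allowed, "verdict": verdict})
    return results

if __name__ == "__main__":
    for r in correlate(IDS_ALERTS, FW_LOG):
        print(f"{r['src']:<15} denied={r['denied']} allowed={r['allowed']} -> {r['verdict']}")
```

The "prevented" count is the number Jim suggests reporting upward; "reached" entries are the ones worth following up with the source's owner.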
-----Original Message-----
From: Richard Sears [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 31, 2000 2:44 PM
To: [EMAIL PROTECTED]
Subject: IPHalfScan detected from a Red Hat Linux's Apache Installation?
I use ISS RealSecure 3.2. On numerous occasions I've gotten IPHalfScan
events detected by one of my sensors, each time from a different source and on
a different date. Investigation reveals that the sources of these events are
what appear to be newly deployed Apache web servers (Test Page for Red Hat
Linux's Apache Installation.) There doesn't seem to be any malicious intent
behind these scans. Each time I get the scan it will go through all of the
class C addresses that we own. Does anyone know of a reason why these events
are occurring other than the possibility of rodent infestation? The RS
documentation says that false positives only include keep-alive timers for
certain "internet push" technologies. Does this mean that the "push" would
have to come from the source of the event or could it possibly be coming
from an entirely different source? Any insight into this type of anomaly, if
it is an anomaly, would be greatly appreciated.
Thanks,
Rick Sears