RE: CRIME Netcraft Ethics

From: Quinby, Kris (MED) (kris.quinby@private)
Date: Fri Jun 21 2002 - 11:08:01 PDT


    I will agree with Brian in that Netcraft is not sending requests that would
    determine whether or not an IIS web server is vulnerable to a specific
    exploit.  They are rather hitting as many web sites as possible to see
    how many of which vendors' web servers are in use.
    
    ___________________________________________
    
    Kris Quinby, CISSP
    Systems Engineer - Data Center Operations
    GE Medical Systems Information Technologies
    Email: kris.quinby@private
    Phone: 503-531-7190
    Fax: 503-531-7003
      
    
    -----Original Message-----
    From: brvarin@private [mailto:brvarin@private]
    Sent: Friday, June 21, 2002 7:19 AM
    To: crime@private
    Subject: Re: CRIME Netcraft Ethics
    
    
    I'm fine with it. They aren't searching your box specifically to find
    out if you have a vulnerable machine, they are compiling stats on who
    runs what. If you don't like it, you can always remove header
    information and patch your machine. Does anyone have a problem with my
    IDS supplying me with a giant list of vulnerable IIS servers? With IIS,
    you don't need to scan to find vulnerable machines...they will come to
    you.
    
    
    
    
    
    
    From: "Jimmy S." <jimmys@private>@cs.pdx.edu on 06/20/2002 07:38 PM
    
    Sent by:  owner-crime@private
    
    
    
    To:   <crime@private>
    cc:
    bcc:
    
    
    Subject:  CRIME Netcraft Ethics
    
    
    Hi all,
    
       I would like to pose a question.  Does anyone else have a problem
    with Netcraft sweeping the web looking for servers vulnerable to the
    latest IIS buffer overflow?  Now I know that they are a company that
    compiles statistics on internet usage, but still, the idea of them
    having a huge database of IP addresses of vulnerable IIS servers
    reminds me of the purpose of most root kits once they are installed,
    which is to scan other servers looking for vulnerable IPs.  Maybe I'm
    too paranoid or off base here, but with the proper reverse DNS I can
    become a Netcraft scanning agent myself.  If we are going to rely on
    reverse DNS to tell who is ok and who isn't, then we will obviously get
    some with maliciously configured reverse DNS.
    
    Below is the hit I received in my web server log:
    
    22:20:13 195.92.95.61 - 80 GET /nonexistent.htr - 500 2148007941 471 161 90550 HTTP/1.0 www.myesn.com Mozilla/4.0+(compatible;+Netcraft+Webserver+Survey) - http://www.netcraft.com/Survey/
    
    
    Is anyone else ok with this practice?
    
    ================================================
    Jimmy Sadri  CISSP
    jimmys@private
    Systems Administrator/Webmaster                  webmaster@private
    Network Engineer/Security Consultant                      Myesn.com
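The log hit Jimmy posted is an IIS W3C extended log line. What makes the probe security-relevant is not the User-Agent but the combination of a request for a nonexistent `.htr` resource and a status other than 404: `.htr` requests are handed to the ISM ISAPI extension (ism.dll), so a server whose `.htr` script mapping has been removed answers 404, while one that still has the mapping answers from the extension (here, 500). The script below is an added example, not part of this thread, that parses such lines and flags `.htr` probes together with what the response reveals. The field order in `FIELDS` is an assumption taken from the token count of the posted line; IIS writes the real order in the `#Fields:` header of each log, so check it against yours. The first sample line is the one from the post, the other lines are constructed.

```python
"""Triage .htr probes in IIS W3C extended log lines.

Added example, not from the original post. The first sample line is the
one posted to the list; the others are constructed. FIELDS is an assumed
field order; IIS records the real one in the '#Fields:' log header.
"""
from collections import Counter

# Assumed field order for this log; compare with the #Fields: directive.
FIELDS = [
    "time", "c-ip", "cs-username", "s-port", "cs-method", "cs-uri-stem",
    "cs-uri-query", "sc-status", "sc-win32-status", "sc-bytes", "cs-bytes",
    "time-taken", "cs-version", "cs-host", "cs(User-Agent)", "cs(Cookie)",
    "cs(Referer)",
]

# Constructed sample log: line 1 is from the post, lines 2-3 are made up,
# line 4 is a directive line of the kind IIS writes into every log.
SAMPLE_LOG = """\
22:20:13 195.92.95.61 - 80 GET /nonexistent.htr - 500 2148007941 471 161 90550 HTTP/1.0 www.myesn.com Mozilla/4.0+(compatible;+Netcraft+Webserver+Survey) - http://www.netcraft.com/Survey/
22:21:05 192.0.2.10 - 80 GET /index.html - 200 0 3210 240 15 HTTP/1.1 www.myesn.com Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0) - -
22:21:44 198.51.100.7 - 80 GET /nonexistent.htr - 404 2 1635 161 0 HTTP/1.0 www.myesn.com Mozilla/4.0+(compatible;+Netcraft+Webserver+Survey) - http://www.netcraft.com/Survey/
#Software: Microsoft Internet Information Services 5.0
"""


def parse_line(line):
    """Split one log line into a dict keyed by FIELDS.

    Returns None for directive lines ('#...') and for lines whose token
    count does not match FIELDS, so a wrong field list fails loudly
    instead of silently mislabelling columns.
    """
    if not line or line.startswith("#"):
        return None
    tokens = line.split(" ")
    if len(tokens) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, tokens))
    # IIS writes spaces inside User-Agent and Referer as '+'.
    rec["cs(User-Agent)"] = rec["cs(User-Agent)"].replace("+", " ")
    return rec


def classify(rec):
    """Label a record by what the request and response reveal.

    A .htr request that is not answered 404 reached the ISM ISAPI
    extension, i.e. the .htr mapping is still enabled on that server.
    A 404 means the static handler answered and the mapping is gone.
    """
    stem = rec["cs-uri-stem"].lower()
    ua = rec["cs(User-Agent)"].lower()
    is_htr = stem.endswith(".htr")
    is_survey = "netcraft" in ua
    if is_htr:
        mapping = "present" if rec["sc-status"] != "404" else "absent"
        source = "survey" if is_survey else "probe"
        return f"{source}-htr-mapping-{mapping}"
    return "survey-other" if is_survey else "normal"


def triage(log_text):
    """Count labels over a whole log; return (counts, list of .htr hits)."""
    counts = Counter()
    htr_hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        label = classify(rec)
        counts[label] += 1
        if rec["cs-uri-stem"].lower().endswith(".htr"):
            htr_hits.append((rec["c-ip"], rec["cs-uri-stem"],
                             rec["sc-status"], label))
    return counts, htr_hits


if __name__ == "__main__":
    counts, hits = triage(SAMPLE_LOG)
    for label, n in sorted(counts.items()):
        print(f"{n:3d}  {label}")
    for hit in hits:
        print(hit)
```

Run against your own logs, the interesting output is not the Netcraft entries but any `probe-htr-mapping-present` line from an unfamiliar source: it shows a third party has already learned the same thing the survey did. Removing the `.htr` script mapping on servers that do not need it turns every such probe into a 404 and takes that signal away.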
    



    This archive was generated by hypermail 2b30 : Fri Jun 21 2002 - 11:45:29 PDT