I wanted to forward this private email sent from HC to me earlier today (forwarded with his permission). I thought it had some very good things to point out about how this was handled. I have realized that I could have done a better job of being objective, and providing more data to the group (not specific data, just better overall characterization and summary of the event). Rather than responding with facts to an event that was unusual to me, I ignored everything I have learned in forensic courses or, just plain security courses.

Rob Keown

-----Original Message-----
From: H C [mailto:keydet89at_private]
Sent: Monday, August 12, 2002 4:52 PM
To: Rob Keown
Subject: RE: Subseven Scans

Rob,

Just something to keep in mind...as with any and just about all posts to the Incidents list that involves nothing more than SYN packets dropped at the firewall, this thread is being built on a foundation of assumptions...a house of cards, if you will. Like all similar threads, it started with your post about receiving a lot of scans. Okay...you wanted to know if anyone else was seeing that...no harm in that at all. But then we have assumptions about the purpose of the scan, whether it was really a scan or not, and assumptions about the sources of the scans (ie, "infected zombies"). While all this makes for good reading, the fact remains that...well, we don't know any of this for sure. In fact, there hasn't even been a random sampling of the sources to determine a percentage of those that may be "infected zombies", or even what they're infected with. I mention this only b/c I see this a lot in a course I teach...Win2K Live Forensics. Many people approach incident response in a very similar manner...assumptions are made early on that guide and direct the follow-on steps of the examiner.

I have dealt w/ situations such as these in my job...at one point, I was looking into some "Tagged" FTP directories, and an admin contacted the web hosting customer directly to tell them that the SAM database had been copied and cracked, and that the "hackers" had gotten in by compromising the admin password. When I asked the admin why he'd sent that to a customer, his response was "that's what hackers do." Of course, he couldn't explain to me how someone could log in remotely if ACLs on both routers and firewalls blocked remote access to ports 139 and 445.

Anyway...it's just a cost-benefit analysis, that's all. Sure, we can speculate and make assumptions about what's going on...or we can gather hard data. If gathering hard data is too hard or too time consuming, then maybe it's best just to drop the issue altogether.

--- Rob Keown <Keownat_private> wrote:
> My research showed almost 95% of the traffic was
> coming from Korea...
>
> I would list the IPs but then they might be
> infected zombies so giving the
> list out is probably not a good idea.
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS
> analyzer service.
> For more information on this free incident handling,
> management
> and tracking system please see:
> http://aris.securityfocus.com
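As an added example (not part of the original thread or either author's own work), the kind of characterization HC asks for: summarizing dropped SYNs by source and destination to see whether the traffic looks like a scan at all, and drawing a reproducible sample of sources for follow-up before anyone is called an "infected zombie". It assumes a constructed firewall drop log in a made-up format and SubSeven's default port 27374; both are assumptions, since the thread only names SubSeven.

```python
import random
import re
from collections import defaultdict

# Constructed firewall drop records (not real data): "timestamp action src dst dport flags"
SAMPLE_LOG = """\
2002-08-12T10:01:02 DROP 203.0.113.5 198.51.100.10 27374 S
2002-08-12T10:01:03 DROP 203.0.113.5 198.51.100.11 27374 S
2002-08-12T10:01:04 DROP 203.0.113.5 198.51.100.12 27374 S
2002-08-12T10:02:10 DROP 203.0.113.77 198.51.100.10 27374 S
2002-08-12T10:02:11 DROP 203.0.113.77 198.51.100.10 27374 S
2002-08-12T10:03:00 DROP 192.0.2.9 198.51.100.10 27374 S
2002-08-12T10:03:01 DROP 192.0.2.9 198.51.100.11 27374 S
2002-08-12T10:04:00 DROP 192.0.2.40 198.51.100.10 80 S
"""

LINE_RE = re.compile(r"^(\S+) (\w+) (\S+) (\S+) (\d+) (\S+)$")

def parse(log_text):
    """Yield (src, dst, dport) for each record that matches the constructed format."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(3), m.group(4), int(m.group(5))

def characterize(log_text, port=27374, sweep_threshold=2, sample_size=2, seed=1):
    """Summarize dropped SYNs to `port` (27374 assumed as SubSeven's default) without
    asserting anything about who or what is behind the sources."""
    dests = defaultdict(set)   # source -> distinct destinations it touched
    packets = defaultdict(int) # source -> number of dropped SYNs
    for src, dst, dport in parse(log_text):
        if dport != port:
            continue
        dests[src].add(dst)
        packets[src] += 1
    # A source that hits several distinct hosts behaves like a sweep; one that
    # retries a single host may just be a misdirected client.
    sweepers = sorted(s for s, d in dests.items() if len(d) >= sweep_threshold)
    rng = random.Random(seed)  # seeded so the sample can be reproduced later
    sample = sorted(rng.sample(sorted(dests), min(sample_size, len(dests))))
    return {
        "port": port,
        "packets": sum(packets.values()),
        "unique_sources": len(dests),
        "sweeping_sources": sweepers,
        "max_packets_from_one_source": max(packets.values(), default=0),
        "followup_sample": sample,  # sources to examine before drawing conclusions
    }

if __name__ == "__main__":
    for key, value in characterize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The summary answers "was it really a scan?" from the data (sweep vs. single-host retries) and leaves the "what are they infected with" question to the sampled follow-up rather than assumption.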
This archive was generated by hypermail 2b30 : Tue Aug 13 2002 - 08:36:55 PDT