North American Network Operators Group


Re: EXAMPLE: ### xxx Canada detected a penetration attempt from 209.123.x.229. Incident# xxxx

  • From: Valdis.Kletnieks
  • Date: Fri Oct 26 09:49:22 2001

On Fri, 26 Oct 2001 09:03:01 -0300, Alex Rubenstein <[email protected]>  said:

> Kind of my point; SO WHAT THAT THIS PERSON WAS SCANNED? Is scanning
> actually an illegal activity? Was anything actually hacked, cracked, or
> 0wn3d?

Nope, it's not illegal (yet).  But it might be suspicious...

> It's an absurd waste of resources to be emailed by automagic systems every
> time someone sends a stray packet.

Well, there's stray packets and there's stray packets...

> Source: 209.123.x.229
> Destination: Host-x.x.19.254
> Date: 26Oct2001
> Time: 4:50:23   (Local Calgary Time GMT-7)
> Service/Protocol: http

This could be suspicious *if* and *only if* Host-x.x.19.254 is known to
not be an http server.  It may be totally innocuous - I've been known
to put http:// instead of ftp:// in a URL more than once myself.

Might be a user error at your site.  Might be a misconfig at your site.
Might be a malicious user at your site.  They don't know, and they can't
tell.  

> Because we view this activity as possible intent to breach security, we
> ask you to review your logs and take appropriate action against the
> offending party responsible for this suspicious activity.

And they're correct - it *could* be.  All they're asking is that you check
it out as per your procedures.  If your procedures include hitting the big
button labeled "refile in trash", that's your decision. ;)

We send a lot of similar notes of our own (though usually it takes more than
one stray packet to get our attention), and we receive a lot of similar notes
about our users (goes with the territory, we're a large university).  We
do what we feel is proper in response (any 'first report' we get that involves
our NTP servers gets an FAQ sent back, we don't often hear back again).
And we're happy to get the reports - we've had more than one incident where
we didn't know we had a problem until we had *multiple* sites reporting that
the *same* box at our site was poking their stuff....
-- 
				Valdis Kletnieks
				Operating Systems Analyst
				Virginia Tech
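The triage rules sketched in the reply (one stray packet gets logged, a complaint about a service we knowingly run gets the FAQ, several independent sites naming the same local box gets investigated) as an added example; this is not code from the original post, and the notice fields, the host inventory and the two-reporter threshold are assumptions.

```python
"""Triage of automated 'penetration attempt' notices, seen from the
site that receives them. Added example; notice format, inventory and
thresholds are assumed, not taken from the thread."""
from collections import defaultdict

# Constructed inventory: services a local host is expected to offer to the
# public. A notice about such traffic (e.g. our NTP servers) gets the FAQ.
PUBLIC_SERVICES = {
    "ntp1.local.invalid": {"ntp"},
    "209.123.x.229": set(),  # ordinary host: no public services expected
}

# Constructed notices: (reporting site, our host named, service, date)
NOTICES = [
    ("abuse@siteA.invalid", "ntp1.local.invalid", "ntp", "26Oct2001"),
    ("abuse@xxx-canada.invalid", "209.123.x.229", "http", "26Oct2001"),
    ("abuse@siteB.invalid", "209.123.x.229", "http", "26Oct2001"),
    ("abuse@siteB.invalid", "209.123.x.229", "http", "27Oct2001"),
    ("abuse@siteC.invalid", "10.0.0.7", "ssh", "26Oct2001"),
]


def triage(notices, public_services, min_reporters=2):
    """Return {local_host: verdict}.

    A host is escalated only when several *distinct* reporting sites name
    it; repeat notices from one site count once. If every reported service
    is one the host legitimately offers, the standard FAQ goes back instead.
    """
    by_host = defaultdict(list)
    for notice in notices:
        by_host[notice[1]].append(notice)

    verdicts = {}
    for host, items in by_host.items():
        reporters = {reporter for reporter, _h, _s, _d in items}
        services = {service for _r, _h, service, _d in items}
        expected = public_services.get(host, set())
        if services <= expected:
            verdicts[host] = "expected service: send FAQ"
        elif len(reporters) >= min_reporters:
            verdicts[host] = "multiple independent reports: investigate"
        else:
            verdicts[host] = "single report: log and watch"
    return verdicts


if __name__ == "__main__":
    for host, verdict in triage(NOTICES, PUBLIC_SERVICES).items():
        print(f"{host}: {verdict}")
```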

