A Broadband and ADSL forum. BroadbanterBanter

uk.telecom.broadband (UK broadband) (uk.telecom.broadband) Discussion of broadband services, technology and equipment as provided in the UK. Discussions of specific services based on ADSL, cable modems or other broadband technology are also on-topic. Advertising is not allowed.

Code Red, NIMDA and friends

#1  Clint Sharp, July 10th 03, 10:23 PM, posted to uk.telecom.broadband

Yay, setting up webservers on a DSL line is a piece of cake, Redhat 9
and Apache on a PIII 500 works a treat.

Booo, I'm getting several scans/probes/attempted exploits every day
(been up three days and already had at least seven different IPs trying
it on)

Approximately 40-50 Red probes/scans which are, fairly obviously, going
to get nowhere but should I report them to the administrators of the
offending systems? I guess it's the right thing to do, but if they
haven't even bothered to clean and patch their systems isn't it going to
be a waste of my time?

Can you recommend a guide to security auditing so my machine doesn't get
used for more nefarious means?
--
Clint
#2  Laurence, July 10th 03, 10:56 PM, posted to uk.telecom.broadband

Clint Sharp wrote:

> Booo, I'm getting several scans/probes/attempted exploits every day

aol

> Approximately 40-50 Red probes/scans which are, fairly obviously,
> going to get nowhere but should I report them to the administrators
> of the offending systems? I guess it's the right thing to do, but if
> they haven't even bothered to clean and patch their systems isn't it
> going to be a waste of my time?


If no one reports hack attempts, no one's gonna fix them. I've got a script
running on my server that sends max one report per IP per day to its best
guess for the admin address for the infected IP. So far out of about 175
reports I've had 3 responses from real people - one of which reported that
the affected system had been cleaned.

Laurence


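The two things the thread describes so far, picking the Code Red and Nimda probes out of an Apache log (Clint's 40-50 a day) and sending at most one report per source IP per day (Laurence's script), can be done with a few lines of POSIX shell and awk. The script below is an added example and is not Laurence's script or anything posted in the thread: the probe signatures are the well-known request paths those two worms sent (`/default.ida?` for Code Red, `root.exe` and `winnt/system32/cmd.exe` for Nimda), while the log lines, the IP addresses and the state-file path are constructed for the demonstration. Looking up the abuse contact and actually sending the mail is left out; the script stops at the de-duplicated queue of reports.

```shell
#!/bin/sh
# Added example (not Laurence's script, not code from the thread): pull Code Red and
# Nimda style probes out of an Apache combined-format access log, then queue at most
# one report per source IP per day. The probe signatures are the well-known request
# paths those worms sent; the log lines, the IPs and the state-file path are constructed.

# File of "day ip" pairs already reported (assumed path; override with the env var).
STATE_FILE="${STATE_FILE:-/tmp/probe-report-state}"

# Constructed sample log in Apache combined format: two probing hosts, one real visitor.
SAMPLE_LOG=$(cat <<'EOF'
10.0.0.1 - - [10/Jul/2003:21:14:05 +0100] "GET /default.ida?XXXXXXXXXXXXXXXX%u9090%u6858 HTTP/1.0" 404 276 "-" "-"
10.0.0.2 - - [10/Jul/2003:21:20:11 +0100] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 278 "-" "-"
10.0.0.2 - - [10/Jul/2003:21:20:12 +0100] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 276 "-" "-"
10.0.0.2 - - [10/Jul/2003:21:20:13 +0100] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 288 "-" "-"
10.0.0.3 - - [10/Jul/2003:21:25:40 +0100] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
10.0.0.1 - - [11/Jul/2003:02:03:44 +0100] "GET /default.ida?XXXXXXXXXXXXXXXX HTTP/1.0" 404 276 "-" "-"
EOF
)

# probe_hits: read an access log on stdin, print "day ip kind" for every worm probe.
# In combined format $1 is the client IP, $4 the "[dd/Mon/yyyy:hh:mm:ss" stamp and
# $7 the request path.
probe_hits() {
    awk '
        { kind = "" }
        $7 ~ /^\/default\.ida\?/                    { kind = "codered" }  # Code Red: .ida overflow probe
        $7 ~ /root\.exe|winnt\/system32\/cmd\.exe/  { kind = "nimda" }    # Nimda: root.exe / cmd.exe paths
        kind != "" { print substr($4, 2, 11), $1, kind }
    '
}

# queue_reports: read "day ip kind" lines on stdin, print one REPORT line per (day, ip)
# not yet listed in STATE_FILE, and record it there so a second run the same day is quiet.
queue_reports() {
    : >> "$STATE_FILE"
    sort -u | while read -r day ip kind; do
        if ! grep -qxF -- "$day $ip" "$STATE_FILE"; then
            printf '%s %s\n' "$day" "$ip" >> "$STATE_FILE"
            printf 'REPORT %s %s %s\n' "$ip" "$day" "$kind"
        fi
    done
}

# Demo run on the constructed log with a throwaway state file: prints three REPORT
# lines (10.0.0.1 and 10.0.0.2 on 10/Jul, 10.0.0.1 again on 11/Jul), nothing on a rerun.
STATE_FILE=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" | probe_hits | queue_reports
```

On a live box the demo lines at the bottom would be replaced by `probe_hits < /var/log/httpd/access_log | queue_reports` from cron, with STATE_FILE pointing somewhere persistent; the state file is what enforces Laurence's one-report-per-IP-per-day limit across runs, and the `sort -u` collapses the repeated hits from one infected host (10.0.0.2 sends three Nimda requests in a row) into a single entry.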
#3  Martin Cooper, July 10th 03, 11:00 PM, posted to uk.telecom.broadband

Clint Sharp wrote:

> Yay, setting up webservers on a DSL line is a piece of cake, Redhat 9
> and Apache on a PIII 500 works a treat.
>
> Booo, I'm getting several scans/probes/attempted exploits every day
> (been up three days and already had at least seven different IPs trying
> it on)
>
> Approximately 40-50 Red probes/scans which are, fairly obviously, going
> to get nowhere but should I report them to the administrators of the
> offending systems? I guess it's the right thing to do, but if they
> haven't even bothered to clean and patch their systems isn't it going to
> be a waste of my time?
>
> Can you recommend a guide to security auditing so my machine doesn't get
> used for more nefarious means?


That seems about normal. I have similar scans all the time on my /29. For
an idea of what's out there, see this summary of probes from my IDS for the
last 3 days http://charon.martinc.me.uk/Alerts.htm

Reporting these issues could very easily become a full-time job, and these
stats are not unusual, they are the norm. I have seen similar levels of
scans for the past 18 months, and this does not include attempted relaying
through my mail server or the SPAM and virus infected MS security patches I
get sent. For the sake of your sanity, I would say to make sure you have a
decent firewall in place using iptables or similar, then just ignore it all.
You have better things to do with your time than to chase this lot up.

As you're using Linux, an excellent security auditing tool is Nessus
(www.nessus.org). The Linux Security HOWTO is also pretty good
(http://www.linuxsecurity.com/docs/LDP/Security-HOWTO/) and if you want to
keep track of what is going on, consider giving Snort a try (www.snort.org).
The various documents here http://www.linuxsecurity.com/docs/ are also well
worth the read.

--

Martin
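Martin's "decent firewall in place using iptables, then just ignore it all" translates to a default-deny INPUT policy that lets the web port in, keeps SSH to a known network and logs the rest at a rate the worm traffic cannot flood. The script below is an added example rather than Martin's own configuration: it prints the ruleset for review and only applies it when explicitly asked as root. The external interface name, the admin network and the log prefix are assumptions.

```shell
#!/bin/sh
# Added example, not Martin's own firewall: a minimal default-deny iptables policy for a
# single Linux host that serves HTTP to the world and SSH only to a local network.
# fw_rules prints the commands so they can be reviewed; apply_fw runs them as root.
# The interface name, the admin network and the log prefix are assumptions.

WAN_IF="${WAN_IF:-eth0}"                  # assumed external interface
ADMIN_NET="${ADMIN_NET:-192.168.1.0/24}"  # assumed network allowed to reach SSH

# Print the ruleset, one iptables command per line (comment lines are ignored by sh).
fw_rules() {
    cat <<EOF
# default deny inbound, allow outbound, never forward
iptables -F INPUT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# loopback and replies to connections this host opened
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state INVALID -j DROP
# the one public service: the web server
iptables -A INPUT -i $WAN_IF -p tcp --dport 80 --syn -m state --state NEW -j ACCEPT
# remote admin only from the assumed admin network
iptables -A INPUT -s $ADMIN_NET -p tcp --dport 22 --syn -m state --state NEW -j ACCEPT
# log what is dropped, rate-limited so scanning worms cannot fill the disk
iptables -A INPUT -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix "fw-drop: "
iptables -A INPUT -j DROP
EOF
}

# Sanity check before applying: list the ports opened to any source (no -s restriction).
# For this ruleset that should be exactly "80".
fw_public_ports() {
    fw_rules | grep -- '--dport' | grep -v -- ' -s ' | sed 's/.*--dport \([0-9]*\).*/\1/'
}

# Apply the rules; refuses to run unless root and stops at the first failing command.
apply_fw() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_fw: must run as root" >&2; return 1; }
    fw_rules | sh -e
}

# Stand-alone run just shows the ruleset; call apply_fw as root to load it.
fw_rules
```

The LOG rule does not terminate matching, so anything it logs falls through to the final DROP; the `-m limit` on it is what keeps a Code Red sweep from turning the kernel log into the same noise problem Martin describes for reports. Keep the SSH rule above the log rule, or locking yourself out is the first thing the log will record.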
#4  Colin Wilson, July 10th 03, 11:37 PM, posted to uk.telecom.broadband

> Approximately 40-50 Red probes/scans which are, fairly obviously, going
> to get nowhere but should I report them to the administrators of the
> offending systems?

Wasn't there a utility for Code Red that took advantage of the same
weakness in the remote infected machine to overwrite the virus with
benign code?
#5  Stuart, July 10th 03, 11:54 PM, posted to uk.telecom.broadband


"Laurence" wrote in message
...

> If no one reports hack attempts, no one's gonna fix them. I've got a script
> running on my server that sends max one report per IP per day to its best
> guess for the admin address for the infected IP. So far out of about 175
> reports I've had 3 responses from real people - one of which reported that
> the affected system had been cleaned.


Your best guess is also likely to be the same as the spammers. Our 'public'
admin addresses now have such a low s/n ratio that unexpected emails are
sadly lost...

Another cost of those vermin....

--
Stuart


#6  Mark&Lisa, July 10th 03, 11:59 PM, posted to uk.telecom.broadband

Colin Wilson wrote:

>> Approximately 40-50 Red probes/scans which are, fairly obviously, going
>> to get nowhere but should I report them to the administrators of the
>> offending systems?
>
> Wasn't there a utility for Code Red that took advantage of the same
> weakness in the remote infected machine to overwrite the virus with
> benign code?


http://grilli.net/codered/ ?

#7  Colin Wilson, July 11th 03, 12:27 AM, posted to uk.telecom.broadband

>> Wasn't there a utility for Code Red that took advantage of the same
>> weakness in the remote infected machine to overwrite the virus with
>> benign code?
>
> http://grilli.net/codered/ ?


It would probably be just as illegal as the original virus, if not
more so, as you would know you were deliberately altering code on another
system without authorisation - probably well covered under the Computer
Misuse Act.

Having said that...
#8  Mark&Lisa, July 11th 03, 12:32 AM, posted to uk.telecom.broadband

Colin Wilson wrote:

>>> Wasn't there a utility for Code Red that took advantage of the same
>>> weakness in the remote infected machine to overwrite the virus with
>>> benign code?
>>
>> http://grilli.net/codered/ ?
>
> It would probably be just as illegal as the original virus, if not
> more so, as you would know you were deliberately altering code on another
> system without authorisation - probably well covered under the Computer
> Misuse Act.
>
> Having said that...


that one just tries to pop up a message on the infected pc using net send

#9  Colin Wilson, July 11th 03, 01:35 AM, posted to uk.telecom.broadband

>> Wasn't there a utility for Code Red that took advantage of the same
>> weakness in the remote infected machine to overwrite the virus with
>> benign code?
>
> http://grilli.net/codered/ ?


I'm sure there was one that did a little more than display a popup...
#10  Colin Wilson, July 11th 03, 01:43 AM, posted to uk.telecom.broadband

>>> http://grilli.net/codered/ ?
>>
>> It would probably be just as illegal as the original virus, if not
>> more so, as you would know you were deliberately altering code on another
>> system without authorisation - probably well covered under the Computer
>> Misuse Act.
>>
>> Having said that...
>
> that one just tries to pop up a message on the infected pc using net send


I don't know how, but I just managed to make a complete arse out of
myself by managing to miss out a couple of lines of text I was thinking,
and didn't put into recycled electrons :-}

I was trying to refer to the illicit "fix" that was out, which used the
flaw to patch it safe again }
Copyright 2004-2017 BroadbanterBanter.