Re: "suspicious" apache log entries

To: debian-security@lists.debian.org
Subject: Re: "suspicious" apache log entries
From: Geoff Crompton <geoff.crompton@bjhcontrols.com.au>
Date: Fri, 13 Sep 2002 12:43:21 +1000
Message-id: <[🔎] 20020913024321.GC2157@lovelace>
Mail-followup-to: debian-security@lists.debian.org
In-reply-to: <[🔎] 20020913021437.GB2310@llama.nslug.ns.ca>
References: <[🔎] 20020912032447.GD31875@llama.nslug.ns.ca> <[🔎] 6D8E22F9-C620-11D6-B25D-00050285B655@ncpro.com> <[🔎] 20020912234226.GG1449@lovelace> <[🔎] 20020913021437.GB2310@llama.nslug.ns.ca>

  Ok. So it is good to warn owners of cracked boxes. Does that mean it
  is good for me to walk into a house that has been robbed, and write a
  note to the owner that it has been robbed?
  In this case the analogy doesn't work so well, as the owner is more
  likely going to notice that the place was done over. But in both cases
  (robbed house, cracked box) my actions to try and warn the owner were
  cases of illegal trespass.
  Contacting the owner in a non-illegal manner still seems more
  appropriate. If you are willing to go the trouble of exploiting a
  nimda hole, when it shouldn't be too much extra work to look at the
  web pages of the machine, and try and track down a used email address
  or something.

  I think you are opening yourself to unwarranted liability by secondary
  cases of cracking. The admin (or house owner) will see evidence of
  your activity, and there is nothing stopping them leaping to the
  conclusion that you were responsible for the initial attack. On the
  flip side, if it became an accepted practice, crackers could exploit a
  tactic of secondary exploitation and putting up warning messages after
  they have finished using the box.

  Besides, the admin shouldn't only re-install from trusted media.
  He/She should do some sort of analysis as to the nature of the attack,
  what was exploited, what further computers were exposed, and possibly
  feed this information on to either an appropriate law enforcement or
  organizations like AusCert so they know what sort of attacks are going 
  on. Secondary attacks do lead to more work in these areas.

  What you are saying does sound sort of reasonable. But it sounds like
  it would be easy to take it too far in vigilante type of way. The line
  gets very thin between 
   * make the computer beep and display a warning message
   * make the sound card play music and display a w4rn1n6 message
   * make the sound card play a voice over saying how stupid the owner
     is
   * makeing sure you delete all their files, so that potential real
     crackers can't steal them
  Each of these actions are supposedly for the benefit of the owner. But
  you don't know if they are really going to appreciate them.

  Cheers
  Geoff

On Thu, Sep 12, 2002 at 11:14:37PM -0300, Peter Cordes wrote:
  <snipped, to help prevent the extinction of those electronic trees>

Reply to:

References:
- Re: "suspicious" apache log entries
  - From: Peter Cordes <peter@llama.nslug.ns.ca>
- Re: "suspicious" apache log entries
  - From: Marcel Weber <mmweber@ncpro.com>
- Re: "suspicious" apache log entries
  - From: Geoff Crompton <geoff.crompton@bjhcontrols.com.au>
- Re: "suspicious" apache log entries
  - From: Peter Cordes <peter@llama.nslug.ns.ca>

Prev by Date: Re: "suspicious" apache log entries
Next by Date: Re: "suspicious" apache log entries
Previous by thread: Re: "suspicious" apache log entries
Next by thread: Re: "suspicious" apache log entries
Index(es):
- Date
- Thread