
RE: "suspicious" apache log entries



What seems to be missed in this thread is the fact that Nimda is not limited
to running on servers.  Of all the machines that have used Nimda-style
probing against my IP address in the last week, not one has been a server.
None of the machines respond to port 80.  None of these machines have DNS or
WHOIS records other than for the ISP who owns the IP block.

Perhaps things are different in other IP blocks.  But in the block my
machines are in, it appears that the infected machines are most likely
desktops without virus protection.

I find it unfathomable that significant numbers of servers currently exist
which have not already been patched by now.  The patch has been available
for over 2 years now.

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms00-057.asp

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms00-078.asp


If we accept that the vast majority of machines which are currently infected
with Nimda are desktop machines without Web servers we are left with a few
questions:

  1.  How would one "break in"?

      Using the same exploit as Nimda would most likely involve
      sending the owner an e-mail.  This is problematic because the
      e-mail address is not known.  If the e-mail address were known,
      we could just send the owner an e-mail.  (Although the owner
      is probably already overwhelmed with bounces and what not because
      their machine is infected with Nimda...)

  2.  Who should the compromise be reported to?

      It is unlikely that any of these machines have SMTP servers running
      so the direct approach will fail.  There are no WHOIS/DNS records
      for the compromised machines, only the ISPs.  It is likely that
      many compromised hosts do not even have static IP addresses
      requiring the ISP to look through logs to determine who had a given
      IP address at a given time.
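
The post above works from two facts visible in an Apache log: which source
addresses sent Nimda-style probes, and that a dynamic address only means
something to the ISP together with a timestamp.  The following Python script
is an added example, not code from anyone in this thread.  It parses
combined-format access log lines, flags requests matching the well-known
Nimda probe strings (root.exe and cmd.exe under the IIS paths the worm tried;
the thread itself does not list them, so those markers are an assumption),
converts every timestamp to UTC so the ISP can match it against its own
address-assignment records, and groups the hits per source with first and
last seen times.  The log lines are constructed sample data using
documentation address ranges.

```python
import re
from datetime import datetime, timezone

# Apache "combined" log format: client IP, ident, user, [timestamp], "request",
# status, bytes, "referer", "user-agent".  Only the first five fields are needed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)

# Request fragments characteristic of the Nimda worm's IIS probes (well-known IDS
# signatures; assumed here to be what "Nimda style probing" refers to).  Matched
# case-insensitively because the worm mixed /MSADC/ and /msadc/.
NIMDA_MARKERS = (
    "/scripts/root.exe",
    "/msadc/root.exe",
    "/winnt/system32/cmd.exe",
)

# Constructed sample log lines (documentation IP ranges, not real hosts).
SAMPLE_LOG = [
    '192.0.2.10 - - [13/Sep/2002:02:20:11 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 287 "-" "-"',
    '192.0.2.10 - - [13/Sep/2002:02:20:12 +0200] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 285 "-" "-"',
    '192.0.2.10 - - [13/Sep/2002:02:20:12 +0200] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310 "-" "-"',
    '198.51.100.7 - - [13/Sep/2002:01:42:03 +0200] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 295 "-" "-"',
    '203.0.113.5 - - [13/Sep/2002:02:30:00 +0200] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    "garbage line that does not parse",
]


def parse_line(line):
    """Return (ip, utc_datetime, request) for a combined-format line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Apache writes local time with an offset, e.g. 13/Sep/2002:02:20:11 +0200.
    # Normalise to UTC: an ISP resolving a dynamic address needs an unambiguous time.
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
    return m.group("ip"), ts, m.group("req")


def is_nimda_probe(request):
    """True if the request line matches one of the Nimda probe markers."""
    lowered = request.lower()
    return any(marker in lowered for marker in NIMDA_MARKERS)


def summarize_probes(lines):
    """Group Nimda-style probes by source IP: hit count, first/last seen (UTC), sample request."""
    by_ip = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # unparseable or truncated line: skip rather than abort
        ip, ts, req = parsed
        if not is_nimda_probe(req):
            continue
        entry = by_ip.setdefault(ip, {"count": 0, "first": ts, "last": ts, "sample": req})
        entry["count"] += 1
        entry["first"] = min(entry["first"], ts)
        entry["last"] = max(entry["last"], ts)
    return by_ip


def abuse_report(summary):
    """Render one line per source address in a form an ISP abuse desk can act on."""
    lines = []
    for ip in sorted(summary):
        e = summary[ip]
        lines.append(
            f"{ip}  hits={e['count']}  first={e['first']:%Y-%m-%d %H:%M:%S}Z  "
            f"last={e['last']:%Y-%m-%d %H:%M:%S}Z  sample={e['sample']!r}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(abuse_report(summarize_probes(SAMPLE_LOG)))
```

Run as a script it prints the report for the sample lines; for a real log,
pass an open file object to `summarize_probes` instead of `SAMPLE_LOG`.  The
probes all return 404 on Apache, which is the point of the thread: the
requests are harmless to the server that logs them but identify an infected
source, and the per-address first/last UTC times are what the ISP needs to
map a dynamic address back to a customer.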


-----Original Message-----
From: Andreas Syka [mailto:asyska@db-media.de]
Sent: Friday, September 13, 2002 2:20 AM
To: debian-security@lists.debian.org
Subject: Re: "suspicious" apache log entries


----- Original Message -----
From: "Geoff Crompton" <geoff.crompton@bjhcontrols.com.au>
To: <debian-security@lists.debian.org>
Sent: Friday, September 13, 2002 1:42 AM
Subject: Re: "suspicious" apache log entries


>   I can see that sending an email is an appropriate legal, and
>   responsible course of action.
>   However to make his servers beep, you still need to perform an illegal
>   act of cracking into his box. Regardless of what you intend to do when
>   you get in there, it is still unauthorized access to the computer. If
>   it is legal to crack a box for 'good' reasons, what do you think the
>   real crackers will say they were doing if they get caught?



Ok, we had some posts saying that getting into someone's box and making some
noise to get the admin's attention is comparable with walking into someone's
house, sitting on the owner's sofa and waiting / leaving a note on the wall to
tell him someone broke in - both are illegal unauthorized access.

Now that the owner is on holiday, his house is burning and my house is next to
his, I should call the fire brigade to at least protect my own house and the
police - as I've seen someone who put the house on fire.



Writing emails to them did work up to now and the owner is still not
reachable either.

The police are not interested - because there is a border between my house
and the burning one. I should try to contact the police "over there".



Right, it's a bit stupid to use such a comparison - but it's somehow fun too.

The person on holiday is just called "standard M$-certified admin".



>   Unless we could popularise running an 'alert-me-if-my-box-is-screwy'
>   daemon, which when it receives a message it beeps, displays a message,
>   and keeps beeping until an operator acks the message.



Even ISPs do not really care about beeping boxes. When I carried my first holy
4U server to my ISP last year, I was really shocked. Tons of beeping RAID
cards / power supplies. They never would hear mine. And it's really not a
small ISP (I guess the smaller ones would be able to act properly).



IMO the only proper solution would be to notify the person mentioned in the
RIPE handle / domain handle and hope that someone is going to react.
Everything else is playing fire-policeman. Or some kind of self protection.



>   Cheers
>   Geoff



best regards

Andreas







