I went on vacation directly after this exchange. When I got back I
found that clear.net.nz had not responded meaningfully, but I also note
that I have seen no similar scans.

I would be far more comfortable if the Clear Net Abuse Team would
articulate a strong and meaningful position that cracking attempts
constitute network abuse and follow up on reports.

Chris Knox

According to Chris Knox:
>
>
> This response is unacceptable.
>
> It seems to me that if my neighbor complains that my kid is trying
> to find out whether he locks his doors at night, then I have a
> responsibility to take appropriate measures. Likewise, if I were to
> find that one of my users were probing the security at clear.net.nz,
> they could reasonably expect me to take some action (and I'm pretty
> sure that it would be a high priority). At the very least it would
> seem courteous to alert the user that something is amiss; as I
> understand it, BO can be running and the user can be unaware of it.
>
> I don't know what New Zealand's laws regarding computer security
> are, however this is an international company with strong presence
> in Australia. I'm sure that we could learn something about them if
> necessary.
>
> If this probing of my network from clear.net.nz continues, I will be
> forced to explore my options, including denying all access from your
> network to mine.
>
> Chris Knox
> Security Administrator
> Hypercom Corporation
>
> According to CLEAR Net Abuse Team:
> > From [EMAIL PROTECTED] Thu Jul 1 20:10:05 1999
> > Date: Fri, 02 Jul 1999 16:09:43 +1300
> > To: Chris Knox <[EMAIL PROTECTED]>
> > From: CLEAR Net Abuse Team <[EMAIL PROTECTED]>
> > Subject: Back Orifice (was Re: Possible Scan Originating from your
> > domain)
> >
> >
> > Thanks for reporting the incident of Back Orifice scans that may have
> > emanated from our network.
> >
> >
> > As with any other kind of network based attack, we maintain that it is
> > the responsibility of the end user or their system administrator to
> > maintain security and integrity of their systems.
> >
> >
> > If your firewalls discarded BO scans, then they are doing their job. We
> > don't consider it worth investigating.
> >
> >
> > Sincerely,
> >
> > T Murugesh
> >
> > Clear Net Abuse Team
> >
> >
> > At 04:56 PM 30/6/99 -0700, you wrote:
> >
> > >
> >
> > >While dredging my firewall logs I discovered the appended lines. The
> > >destination address (dstaddr=) is my web server, www.hypercom.com. I
> > >can't say that someone is up to no good, but it does appear that someone
> > >is rattling my doorknob. I'd appreciate your investigating.
> > >
> > >All times are Mountain Standard Time, GMT -7.
> >
> > >
> >
> > >Jun 28 19:24:04 firewall kernel: securityalert: no match found in forward screen: TCP if=eb2 srcaddr=203.167.198.37 srcport=80 dstaddr=208.248.230.4 dstport=1198
> >
> > >Jun 28 19:24:05 firewall kernel: securityalert: no match found in forward screen: TCP if=eb2 srcaddr=203.167.198.37 srcport=80 dstaddr=208.248.230.4 dstport=1200
> >
> > >Jun 28 19:24:08 firewall kernel: securityalert: no match found in forward screen: TCP if=eb2 srcaddr=203.167.198.37 srcport=80 dstaddr=208.248.230.4 dstport=1201
> >
> [etc.]
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
>
--
Chris Knox [EMAIL PROTECTED]
Hypercom, Inc. (602) 504-5888
Unix Systems Support Speaking only for myself.