On Fri, 7 Jul 2000, Ron DuFresne wrote:
> We've found that at least notifying and 'complaining' of the scans or
> intrusion attempts can help a site realise they have a compromised machine
> or two, so far, out of 8 notifications this week 4 have been confirmed, or
> at least claimed to have been compromised.

In the years that I did a significant amount of that, only about three sites
didn't claim to have been compromised even when they weren't (There was a
.mil site that had an overeager to "experiment" Petty Officer, a copy of
Netscape with a synflooding bug, and a campus with their DNS IP address
reversed.)

Now, most assuredly there were a large number of sites that *were*
compromised, but it's one of those excuses you'll want to take it with a
grain of salt (I always tended to want to do extra logging of their
netblocks for a while.)

Heck, you even hear "someone must have stolen my password" from people
whose home phone numbers you've subpoena'd out of their ISP's dial-up
logs, (once they find this out, it switches to "my kid must have done
it!")

Most places do only notice compromises when a 3rd party informs them
though. That's a place where we need significant work. I thought I saw
something about tripwire being GPL'd the other day, maybe it's time to
start pressuring vendors to ship with it enabled?
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
[EMAIL PROTECTED] which may have no basis whatsoever in fact."
PSB#9280