Security Incidents mailing list archives

probe backs? was Re: [INCIDENTS] Korea


From: jose () BIOCSERVER BIOC CWRU EDU (Jose Nazario)
Date: Fri, 28 Jan 2000 15:01:42 -0500


On Fri, 28 Jan 2000, Kim Robert Blix wrote:

> And if I stumbled upon a rootshell bound to a port on any machine that
> had recently been used to attack me, I sure would use it to investigate.
> I don't see *any* harm in that whatsoever. The most likely reason for the
> shell being there is that the machine has been compromised and is used to
> launch attacks elsewhere. So by checking it out and then placing a
> phone call you are doing them a favor.
>
> What you seem to be saying is that if your neighbours' house door is wide
> open in the middle of the night, you should just move along. I'd sure
> stick my head in and ask if everything is all right.

to me, it's part of threat assessment to examine a machine that has been
making attacks or engaging in otherwise suspicious activity; it is a serious
threat. on most occasions it's a compromised system. i usually include such
info in a report to the site admin (obtained from a whois lookup). i often do
a few telnets to odd ports (i.e. banner grabbing) and a quick nmap scan.

i doubt i'm the only one who does this (i know i'm not), and i often tell
people how to do it. is this frowned upon by the larger community? like
i said, i always include such info in my mail to the site/domain contact,
so they can dismiss it as administrative probes when they find it in their
logs.

thanks,

jose nazario                                    jose () biochemistry cwru edu
PGP fingerprint: 89 B0 81 DA 5B FD 7E 00  99 C3 B2 CD 48 A0 07 80
Public key available at http://biocserver.cwru.edu/~jose/pgp-key.asc

