Security Incidents mailing list archives
Attitude problem.
From: "Booth, David CWT-MSP" <dbooth () CARLSON COM>
Date: Thu, 21 Sep 2000 12:36:44 -0500
I am getting really annoyed at the attitude of many system managers to reports of incidents. I'm not talking about the typical "your box portscanned me" stuff that inexperienced blackICE users might generate, I'm talking about serious reports with hard information indicating that a script kiddie is at play on their network. I have received both kinds of reports myself and can honestly say I have never failed to act upon this second category. As far as I'm concerned that is part of being a responsible and professional sysadmin - it seems some other folks don't share that view.

I recently contacted a bunch of admins to report 20+ possibly compromised hosts that were being used to run an IRC botnet and were launching DoS attacks including some that had hit my home firewall. I included firewall logs where available and followed up passing on details of confirmed compromises as they were received. There was a substantial body of evidence to indicate that most of the 15 sites concerned had multiple root compromises. The only reasons I'm not including it all here are to keep my promise of confidentiality to those that did get back to me and to keep this email to a reasonable length.

6 sites responded confirming they found and fixed compromised hosts, mostly SGI machines with root compromises. 2 sites responded to say they were investigating but the kiddie's toys are still there 2 months later. 2 broadband service providers sent me a form-letter response and took no action. The rest of them did nothing and this script kiddie now has over 45 hosts in his botnet... Wonder how many of those he got from sniffing passwords on the sites where the admins didn't wake up and smell the coffee when I first notified them?

Dave Booth

Everything here is my opinion, not my employer's.