Re: WORM FORENSICS?

[Gabriel Wachman <wachmang () pacbell net>]

----- Original Message -----
From: "Technical Support" <bob () dexis net>
To: "Jensenne Roculan" <jroculan () securityfocus com>;
<incidents () securityfocus com>
Cc: <forensics () securityfocus com>; <focus-ids () securityfocus com>
Sent: Tuesday, September 18, 2001 1:24 PM
Subject: WORM FORENSICS?


> I feel that any server attacking another is fair game to publish data
about it.
> Bob

In some cases, you may have a point, however can you be sure that the IP
from which you were attacked isn't just an unaware compromised host?  I was
hit numerous times with NIMDA today, all by hosts the admins of which most
likely had no idea they were being used. I agree that they have a
responsibility to patch their servers, but I don't think it's appropriate to
post their IPs, perform directory listings, or read log files. Not only is
it illegal, but it doesn't really accomplish much since you're attacking the
wrong person.

I do understand the feeling of being attacked, and I know it's really
tempting to launch a counter attack, especially since so many of the boxes
performing these attacks are wide open. This isn't meant to be
confrontational, but I feel that it's an important point to make.

Gabriel


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com