Security Incidents mailing list archives

FW: Subseven Scans


From: Rob Keown <Keown () MACDIRECT COM>
Date: Mon, 12 Aug 2002 20:40:14 -0400

I wanted to forward this private email sent from HC to me earlier today
(forwarded with his permission). I thought it had some very good things to
point out about how this was handled.

I have realized that I could have done a better job of being objective, and
providing more data to the group (not specific data, just better overall
characterization and summary of the event). Rather than responding with
facts to an event that was unusual to me, I ignored everything I have
learned in forensic courses or, just plain security courses.


Rob Keown




-----Original Message-----
From: H C [mailto:keydet89 () yahoo com]
Sent: Monday, August 12, 2002 4:52 PM
To: Rob Keown
Subject: RE: Subseven Scans


Rob,

Just something to keep in mind...as with any and just
about all posts to the Incidents list that involve
nothing more than SYN packets dropped at the firewall,
this thread is being built on a foundation of
assumptions...a house of cards, if you will.

Like all similar threads, it started with your post
about receiving a lot of scans.  Okay...you wanted to
know if anyone else was seeing that...no harm in that
at all.  But then we have assumptions about the
purpose of the scan, whether it was really a scan or
not, and assumptions about the sources of the scans
(i.e., "infected zombies").  While all this makes for
good reading, the fact remains that...well, we don't
know any of this for sure.  In fact, there hasn't even
been a random sampling of the sources to determine a
percentage of those that may be "infected zombies", or
even what they're infected with.

I mention this only b/c I see this a lot in a course I
teach...Win2K Live Forensics.  Many people approach
incident response in a very similar
manner...assumptions are made early on that guide and
direct the follow-on steps of the examiner.  I have
dealt w/ situations such as these in my job...at one
point, I was looking into some "Tagged" FTP
directories, and an admin contacted the web hosting
customer directly to tell them that the SAM database
had been copied and cracked, and that the "hackers"
had gotten in by compromising the admin password.
When I asked the admin why he'd sent that to a
customer, his response was "that's what hackers do."
Of course, he couldn't explain to me how someone could
log in remotely if ACLs on both routers and firewalls
blocked remote access to ports 139 and 445.

Anyway...it's just a cost-benefit analysis, that's
all.  Sure, we can speculate and make assumptions
about what's going on...or we can gather hard data.
If gathering hard data is too hard or too time
consuming, then maybe it's best just to drop the issue
altogether.

--- Rob Keown <Keown () MACDIRECT COM> wrote:
My research showed almost 95% of the traffic was
coming from Korea...

I would list the IPs but then they might be infected
zombies so giving the list out is probably not a good
idea.


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
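The "hard data" the message above asks for, as an added example that is part of neither e-mail: a Python script that characterises dropped SYN events from constructed firewall log lines by packet count, unique sources, sources sweeping several hosts versus single probes, and a random sample of sources to verify by hand before anything is said about them. The log format and addresses are constructed, and the assumption that SubSeven's default port 27374 is the port being scanned is mine, not the thread's.

```python
"""Characterise dropped-SYN firewall events instead of assuming their meaning.

Added example, not code from either e-mail. The log format and the
addresses are constructed; 27374 (SubSeven's default port) is an assumption.
"""
import random
import re
from collections import Counter

# Constructed sample of firewall deny lines (documentation ranges, not real traffic).
SAMPLE_LOG = """\
2002-08-12 19:02:11 DENY TCP 203.0.113.5:4123 -> 192.0.2.10:27374 SYN
2002-08-12 19:02:11 DENY TCP 203.0.113.5:4124 -> 192.0.2.11:27374 SYN
2002-08-12 19:02:12 DENY TCP 203.0.113.5:4125 -> 192.0.2.12:27374 SYN
2002-08-12 19:05:40 DENY TCP 198.51.100.7:1031 -> 192.0.2.10:27374 SYN
2002-08-12 19:06:02 DENY TCP 198.51.100.9:2201 -> 192.0.2.10:27374 SYN
2002-08-12 19:06:30 DENY TCP 198.51.100.9:2202 -> 192.0.2.10:27374 SYN
2002-08-12 19:07:15 DENY TCP 203.0.113.77:3000 -> 192.0.2.10:80 SYN
"""

LINE_RE = re.compile(
    r"DENY TCP (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+) SYN"
)

def parse_denies(text):
    """Yield (src, dst, dport) for every deny line that matches the format."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["dst"], int(m["dport"])

def characterise(text, port=27374, sample_size=2, seed=1):
    """Summarise what the logs show about one destination port.

    Counts, per-source behaviour and a seeded random sample of sources to
    check by hand are facts; whether a source is 'infected' is not.
    """
    events = [e for e in parse_denies(text) if e[2] == port]
    packets = Counter(src for src, _, _ in events)
    targets = {}
    for src, dst, _ in events:
        targets.setdefault(src, set()).add(dst)
    # A source hitting several of our hosts is sweeping; one packet may be noise.
    sweeps = sorted(s for s, d in targets.items() if len(d) > 1)
    singles = sorted(s for s, n in packets.items() if n == 1)
    rng = random.Random(seed)  # seeded so the sample is reproducible
    sample = sorted(rng.sample(sorted(packets), min(sample_size, len(packets))))
    return {"port": port, "packets": sum(packets.values()),
            "sources": len(packets), "sweeping_sources": sweeps,
            "single_probe_sources": singles, "verify_sample": sample}
```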





