[43795] in North American Network Operators' Group


Re: EXAMPLE: ### xxx Canada detected a penetration attempt from 209.123.x.229. Incident# xxxx

daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Fri Oct 26 09:46:46 2001

Message-Id: <200110261345.f9QDj8Ug024921@foo-bar-baz.cc.vt.edu>
To: Alex Rubenstein <alex@nac.net>
Cc: nanog@nanog.org
In-Reply-To: Your message of "Fri, 26 Oct 2001 09:03:01 -0300."
             <Pine.WNT.4.33.0110260902230.1388-100000@neon> 
From: Valdis.Kletnieks@vt.edu
Mime-Version: 1.0
Content-Type: multipart/signed; boundary="==_Exmh_-1605716084P";
	 micalg=pgp-sha1; protocol="application/pgp-signature"
Content-Transfer-Encoding: 7bit
Date: Fri, 26 Oct 2001 09:45:08 -0400
Errors-To: owner-nanog-outgoing@merit.edu



On Fri, 26 Oct 2001 09:03:01 -0300, Alex Rubenstein <alex@nac.net>  said:

> Kind of my point; SO WHAT THAT THIS PERSON WAS SCANNED? Is scanning
> actually an illegal activity? Was anything actually hacked, cracked, or
> 0wn3d?

Nope, it's not illegal (yet).  But it might be suspicious...

> It's an absurd waste of resources to be emailed by automagic systems every
> time someone sends a stray packet.

Well, there's stray packets and there's stray packets...

> Source: 209.123.x.229
> Destination: Host-x.x.19.254
> Date: 26Oct2001
> Time: 4:50:23   (Local Calgary Time GMT-7)
> Service/Protocol: http

This could be suspicious *if* and *only if* Host-x.x.19.254 is known to
not be an http server.  It may be totally innocuous - I've been known
to put http:// instead of ftp:// in a URL more than once myself.

Might be a user error at your site.  Might be a misconfig at your site.
Might be a malicious user at your site.  They don't know, and they can't
tell.

> Because we view this activity as possible intent to breach security, we
> ask you to review your logs and take appropriate action against the
> offending party responsible for this suspicious activity.

And they're correct - it *could* be.  All they're asking is that you check
it out as per your procedures.  If your procedures include hitting the big
button labeled "refile in trash", that's your decision. ;)

We send a lot of similar notes of our own (though usually it takes more than
one stray packet to get our attention), and we receive a lot of similar notes
about our users (goes with the territory, we're a large university).  We
do what we feel is proper in response (any 'first report' we get that involves
our NTP servers gets an FAQ sent back, we don't often hear back again).
And we're happy to get the reports - we've had more than one incident where
we didn't know we had a problem until we had *multiple* sites reporting that
the *same* box at our site was poking their stuff....
-- 
				Valdis Kletnieks
				Operating Systems Analyst
				Virginia Tech



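The two triage rules in the reply above (is the probed service one the destination actually offers, and has it taken more than one stray packet or more than one reporter before anyone acts) written out as a small Python script. This is an added example, not code from the thread or from any site mentioned in it; the service inventory, the report key names, the second source address, the witness labels and the sample reports are all constructed. The "witness" is the sensor on the sending side or the reporting site on the receiving side, so the same grouping serves both ends of the exchange.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed: services each host is known to offer, i.e. the
# "is Host-x.x.19.254 known to be an http server?" check from the reply.
SERVICE_INVENTORY = {
    "Host-x.x.19.254": {"ssh"},           # no http here, so an http hit is odd
    "Host-x.x.20.10": {"http", "https"},  # public web server, http is expected
}

def parse_report(text):
    """Parse 'Key: value' lines in the quoted report format and convert the
    local timestamp (e.g. 'GMT-7') to UTC so it can be matched against logs."""
    f = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition(":")
        f[key.strip().lower()] = value.strip()
    offset = int(re.search(r"GMT([+-]\d+)", f["time"]).group(1))
    clock = f["time"].split()[0]
    local = datetime.strptime(f["date"] + " " + clock, "%d%b%Y %H:%M:%S")
    tz = timezone(timedelta(hours=offset))
    f["utc"] = local.replace(tzinfo=tz).astimezone(timezone.utc)
    return f

def is_unexpected(report):
    """True when the probed service is not one the destination offers."""
    offered = SERVICE_INVENTORY.get(report["destination"], set())
    return report["service/protocol"].lower() not in offered

def triage(reports):
    """Group (witness, report_text) pairs by source host. A source is escalated
    only when some report hit an unoffered service AND more than one independent
    witness saw it; everything else is just logged."""
    seen = defaultdict(lambda: {"witnesses": set(), "unexpected": 0})
    for witness, text in reports:
        r = parse_report(text)
        e = seen[r["source"]]
        e["witnesses"].add(witness)
        e["unexpected"] += 1 if is_unexpected(r) else 0
    return {src: "escalate" if e["unexpected"] and len(e["witnesses"]) > 1 else "log"
            for src, e in seen.items()}

# Constructed sample reports: the quoted one plus two more (198.51.100.7 is a
# documentation address used as a placeholder).
SAMPLE_REPORTS = [
    ("abuse@site-a.example", "Source: 209.123.x.229\nDestination: Host-x.x.19.254\n"
     "Date: 26Oct2001\nTime: 4:50:23   (Local Calgary Time GMT-7)\nService/Protocol: http"),
    ("abuse@site-b.example", "Source: 209.123.x.229\nDestination: Host-x.x.19.254\n"
     "Date: 26Oct2001\nTime: 13:02:10   (GMT+1)\nService/Protocol: http"),
    ("abuse@site-c.example", "Source: 198.51.100.7\nDestination: Host-x.x.20.10\n"
     "Date: 26Oct2001\nTime: 08:15:00   (GMT-4)\nService/Protocol: http"),
]
```

Run `triage(SAMPLE_REPORTS)`: the quoted source is escalated only because two sites saw it hit a host that offers no http, while the single http hit on a real web server stays in the log.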
