[Dshield] New signature?

Mark Martin wolf at bescape.com
Sun Aug 12 18:32:39 GMT 2001

> -----Original Message-----
> From: dshield-admin at dshield.org [mailto:dshield-admin at dshield.org]On
> Behalf Of Greg Broiles
> Sent: Sunday, August 12, 2001 2:13 AM
> To: dshield at dshield.org
> Subject: Re: [Dshield] New signature?

> On the other hand, the only machines I've got exposed to the world are
> locked-down *BSD's, and I'm getting bored with playing worm whack-a-mole
> with logfiles, and have stopped watching this stuff carefully. It's
> interesting to watch the worm spread, but nothing I've seen has risen
> beyond the level of annoyance, and I don't think there's anything
> I can do
> to make unmotivated (or unwitting) Windows NT/2K sysadmins bring their
> systems up to a reasonable level of security such that they're not
> endangering (or annoying) their network neighbors.

I have gotten bored as well, and have trimmed down some of the logging
particular to port 80.  The problem I fear is that I may now miss some of
the script kiddies trying the backdoors (would be nice to know where they
are, at least), although that's probably going to be overwhelming to track
as well.  For me, CRII's headache is that there are still "manual" cracking
activities in all that log clutter -- CR just makes it that much harder to

On that note, I've realized (duh) that there's an inherent evil in Gnutella,
much like IRC.  As soon as I run BearShare or similar, I get at least a
couple of portscans in the following hours.  Maybe there's a need/market for
an anonymous file transfer proxy service.  Anonymous in that it would act as
a broker for exchanges, protecting the parties from knowing each other's IP.
Gnutella, of course, throws your IP out there far and wide, and simply tells
would-be crackers that you're alive and well and here's where you can be
found.  I know security by obscurity is a pipe-dream, but there seems to be
a direct correlation to port scanning activities and my use of BearShare.
Thank goodness I took the few months time to cement the hell out of my
OpenBSD firewall.

I have to choke back the urge to attackcrack back to these dorks.  Sending
abuse@ emails seems so pointless as a means of rebuke.  And what's silly is
that when it's a cable modem, at least, the guilty cracker is so easy to
identify and point the finger at, since the connection is so static.  I wish
the laws were a little tighter, since it seems that when a portscan is
performed, the intent to do harm (i.e. conspiring to commit computer crime)
is so blatant that it is as if it were like a burglar trying to pick your
locks since he found your house.  Why should my virtual home be different
than my physical home?
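The worry raised above, that trimming port 80 logging to cut worm clutter may hide manual probing by script kiddies, can be handled by filtering on structure rather than by logging less. The following is an added example, not part of the original post or of the DShield project: it parses constructed access-log lines (IPs from documentation ranges, invented paths), treats any request path seen from at least a threshold number of distinct sources as automated worm noise, and keeps everything else grouped by source so that one address trying several different paths stands out for review. The log format, threshold and sample lines are assumptions for the demonstration.

```python
import re
from collections import defaultdict

# Constructed sample access log in Common Log Format. Not real traffic:
# addresses come from RFC 5737 documentation ranges and paths are invented.
SAMPLE_LOG = """\
192.0.2.10 - - [12/Aug/2001:10:01:02 +0000] "GET /worm-probe-path HTTP/1.0" 404 300
192.0.2.11 - - [12/Aug/2001:10:01:09 +0000] "GET /worm-probe-path HTTP/1.0" 404 300
192.0.2.12 - - [12/Aug/2001:10:02:15 +0000] "GET /worm-probe-path HTTP/1.0" 404 300
198.51.100.7 - - [12/Aug/2001:10:03:00 +0000] "GET /worm-probe-path HTTP/1.0" 404 300
198.51.100.7 - - [12/Aug/2001:10:03:04 +0000] "GET /admin/ HTTP/1.0" 404 300
198.51.100.7 - - [12/Aug/2001:10:03:09 +0000] "GET /cgi-bin/test HTTP/1.0" 404 300
203.0.113.5 - - [12/Aug/2001:10:05:30 +0000] "GET /index.html HTTP/1.0" 200 1024
"""

# Common Log Format: ip ident user [timestamp] "method path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_log(text):
    """Return one dict per well-formed log line; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def triage(entries, noise_threshold=3):
    """Split requests into worm clutter and lines worth a human look.

    A path requested from at least noise_threshold distinct source
    addresses is assumed to be automated worm noise (the threshold is an
    assumption to tune per site). Every other request is kept, grouped by
    source address. Returns (noise_paths, kept_by_source, dropped_count).
    """
    sources_by_path = defaultdict(set)
    for e in entries:
        sources_by_path[e["path"]].add(e["ip"])
    noise_paths = {
        path for path, srcs in sources_by_path.items()
        if len(srcs) >= noise_threshold
    }

    kept = defaultdict(list)
    dropped = 0
    for e in entries:
        if e["path"] in noise_paths:
            dropped += 1
        else:
            kept[e["ip"]].append(e["path"])
    return noise_paths, dict(kept), dropped


def suspicious_sources(kept_by_source, min_distinct_paths=2):
    """Sources that tried several different non-worm paths: the manual
    probing the post is worried about losing in the clutter."""
    return sorted(
        ip for ip, paths in kept_by_source.items()
        if len(set(paths)) >= min_distinct_paths
    )


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    noise, kept, dropped = triage(entries)
    print(f"{dropped} worm-noise lines suppressed, paths: {sorted(noise)}")
    for ip in suspicious_sources(kept):
        print(f"review {ip}: {kept[ip]}")
```

Note that the source 198.51.100.7 also sent the worm probe; the filter drops only that one line and keeps its other two requests, so a host that is both worm-infected and being used for hands-on probing is not lost.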