On Thu, Feb 15, 2001 at 09:58:54AM -0600, Bret Hughes wrote:
> "Burke, Thomas G." wrote:
> >
> > If only we had a "Pit Bull" program that could bite them when they trespassed
> > in our yard, eh? :)
> I have been envisioning a program that would parse the logs for denied or
> rejected port scans, do the DNS lookup and build an email that I could
> send to sysops@whatever the lookup revealed. Anyone done this yet?
> I hesitate to automate the actual sending of the email since that could
> be used as a type of DOS against me and the domain in question.
> Additionally the program as I envision it would need to:
> keep track of sent or queued mails for a machine and not send another
> for a configurable time.
> Place the email in a hacker-drafts folder that could then be perused for
> your sending pleasure.
> More, I am sure; this task just got swapped out.
> Ideas, anyone?
This is generally a really BAD idea. I can explain why best by
telling the story of an actual event that occurred years ago.
A well known security expert (who really should have known better)
thought of this very bright idea. In his case, he armed his telnet port
to react to telnet attempts by displaying a very nasty banner to you warning
about attempting to hack into his system and then disconnected you. Then
his system put together an E-Mail message just as you described, complaining
loudly of someone at that site attempting to hack into his system and on
and on and on. His system then mailed that E-Mail to {postmaster,root,
security,abuse}@{host.domain,domain} as well as the POCs (Points of Contact)
for the domain, the IP Address, and possibly even the owners of the name
servers responsible for the domain. In other words, he complained loud
and clear that he was offended by this attack and he was demanding that
they take action!
Word got out, as it always does, that this was there. Some
enterprising individuals (with an extremely warped sense of humor)
set up a web page with lots of nice enticing porno and web spider
bait, and other goodies. On that page were URL references to his
site. They might have had a telnet: URL or they might have done it with an
http: URL with port number 23 in the URL. One way to do this would be
to lace a number of <IMG SRC="http://URL:23/foo.jpg"> or something similar.
Now they just sat back and waited for the web spiders to do their
work. A few weeks later, this individual's system is spewing forth
complaints like the big bang all over again. Since it was getting hit
from people viewing the page in a web browser, he was getting hit from
all over the world from sites which had no connection with the offending
web page. Needless to say, all those admins and POCs were NOT amused.
This same technique can be used to imitate a port scan for the
deliberate purpose of turning any of your reaction systems against you.
It can always be done. It has been done. It will be done again, I'm
sure...
Don't provide them with the very tools they can use against
you and embarrass you.
> Bret
Mike
--
Michael H. Warfield | (770) 985-6132 | [EMAIL PROTECTED]
(The Mad Wizard) | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
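The draft-folder design Bret describes, with the safeguards Mike's story argues for, as an added example that is not part of this thread and not code from either poster. It parses constructed "DENY" log lines (the log format, the hostname gw, the documentation-range addresses, the FAKE_PTR reverse-DNS table and the function names are all assumptions made for this example), reverse-resolves each source, and writes a draft .eml per source into a folder for a human to address and send. It never sends anything. Three checks keep it from being turned against its owner: a source must have hit several distinct ports before it counts as a scan (a single blocked connection to port 23 is exactly what a browser following planted bait produces), each source gets at most one draft per cooldown period, and a burst of many "scanners" in one run stops drafting altogether instead of flooding third-party abuse desks.

```python
import os
import re
import socket
import tempfile
from collections import defaultdict
from datetime import datetime, timedelta
from email.message import EmailMessage

# Hypothetical gateway log format, constructed for this example in the rough
# style of a packet-filter "DENY" line; a real deployment would adapt LOG_RE.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: DENY "
    r"src=(?P<src>\d+\.\d+\.\d+\.\d+) dst=[\d.]+ dpt=(?P<dpt>\d+)$"
)

# Constructed sample: one source probing four ports (a scan) and three sources
# each making a single blocked connection to port 23 (what induced hits look like).
SAMPLE_LOG = """\
Feb 15 09:10:01 gw kernel: DENY src=198.51.100.7 dst=203.0.113.5 dpt=21
Feb 15 09:10:01 gw kernel: DENY src=198.51.100.7 dst=203.0.113.5 dpt=23
Feb 15 09:10:02 gw kernel: DENY src=198.51.100.7 dst=203.0.113.5 dpt=80
Feb 15 09:10:03 gw kernel: DENY src=198.51.100.7 dst=203.0.113.5 dpt=111
Feb 15 09:11:40 gw kernel: DENY src=192.0.2.44 dst=203.0.113.5 dpt=23
Feb 15 09:12:15 gw kernel: DENY src=192.0.2.45 dst=203.0.113.5 dpt=23
Feb 15 09:12:16 gw kernel: DENY src=192.0.2.46 dst=203.0.113.5 dpt=23
""".splitlines()

# Constructed reverse-DNS table so the example runs offline.
FAKE_PTR = {"198.51.100.7": "scanner.example.net"}


def resolve_ptr(ip, table=None):
    """Reverse-resolve ip (from the table if given, otherwise via the resolver)."""
    if table is not None:
        return table.get(ip, "(no PTR)")
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return "(no PTR)"


def parse_denies(lines, year=2001):
    """Group denied connections by source: {src: {dst_port: first_seen}}."""
    hits = defaultdict(dict)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
        hits[m["src"]].setdefault(int(m["dpt"]), ts)
    return hits


def build_drafts(lines, drafts_dir, state, now, *, min_ports=3,
                 cooldown=timedelta(days=7), max_drafts=10, ptr_table=None):
    """Write one draft .eml per qualifying source into drafts_dir; never send.

    state maps src -> datetime of its last draft and is persisted by the caller.
    Returns a report of what was drafted, skipped or suppressed.
    """
    report = {"drafted": [], "skipped_few_ports": [], "skipped_cooldown": [],
              "capped": False}
    os.makedirs(drafts_dir, exist_ok=True)
    for src, ports in sorted(parse_denies(lines).items()):
        # One blocked connection to one port is not a scan and never earns a draft.
        if len(ports) < min_ports:
            report["skipped_few_ports"].append(src)
            continue
        last = state.get(src)
        if last is not None and now - last < cooldown:
            report["skipped_cooldown"].append(src)
            continue
        if len(report["drafted"]) >= max_drafts:
            # Many distinct "scanners" at once is itself suspicious (bait/reflection);
            # stop drafting rather than flood third-party abuse desks.
            report["capped"] = True
            break
        host = resolve_ptr(src, ptr_table)
        msg = EmailMessage()
        msg["Subject"] = f"Blocked connection attempts from {src} ({host})"
        msg["X-Draft-Source"] = src  # "To" is deliberately left for the human reviewer
        body = [f"Our gateway logged blocked connection attempts from {src} ({host}):", ""]
        body += [f"  {ts:%Y-%m-%d %H:%M:%S}  dst port {port}"
                 for port, ts in sorted(ports.items())]
        body += ["", "Draft only; nothing is sent until a person reviews and addresses it."]
        msg.set_content("\n".join(body))
        with open(os.path.join(drafts_dir, f"{src}.eml"), "wb") as fh:
            fh.write(msg.as_bytes())
        state[src] = now
        report["drafted"].append(src)
    return report


def demo():
    """Run the sample twice (cooldown) and once with a low cap (burst protection)."""
    state = {}
    now = datetime(2001, 2, 15, 10, 0, 0)
    with tempfile.TemporaryDirectory() as d:
        first = build_drafts(SAMPLE_LOG, d, state, now, ptr_table=FAKE_PTR)
        second = build_drafts(SAMPLE_LOG, d, state, now + timedelta(hours=1),
                              ptr_table=FAKE_PTR)
        files = sorted(os.listdir(d))
        burst = build_drafts(SAMPLE_LOG, d, {}, now, min_ports=1, max_drafts=2,
                             ptr_table=FAKE_PTR)
    return {"first": first, "second": second, "files": files, "burst": burst}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

On the constructed sample the first run drafts one message (for the four-port scanner) and skips the three single-port sources; the second run an hour later drafts nothing because the scanner is inside its cooldown; and the low-cap run stops after two drafts and flags the burst. The point of keeping the "To" header empty and the file in a folder is the one Bret made himself: the lookup and the drafting can be automated, but the decision to send stays with a person.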