Re: Re: [Security] Newest Symantic Security Software

From: David Kalins <dkalins_at_library.berkeley.edu>
Date: Thu May 12 2005 - 17:24:45 PDT

Jake -- It all depends on the hole. The lion may no longer be
interested... But I still agree with your point. --dk

On Thu, 12 May 2005, Jake-F Harwood wrote:

>
>
> At 01:21 PM 5/12/2005 -0700, Tom Holub wrote:
> >On Thu, May 12, 2005 at 11:13:13AM -0700, Jake-F Harwood wrote:
> >
> >If the hackers are actually accomplishing anything (that is, if their
> >FTP server or back door is available to the net), SNS should be able
> >to scan for them.
> >
> >--
>
>
> That is very much like sticking your head in a hole to keep from being
> eaten by a lion.
>
> Here's an example that's not too uncommon:
>
> You got hacked (you can pick how).
>
> The payload installs multiple evil things, like:
>
> FTP server (seen on the network, and through the IDS)
>
> Ident server (seen on the network, and through the IDS)
>
> key collector and password sniffer which sends its results back through
> email, HTTP posts, or DNS queries (not seen on the network, but seen through the IDS)
>
> and a back door that is available to the net (seen on the network; old
> school), or maybe a back door that uses some type of back connection to
> bypass host-based firewalls (like Hacker Defender, or the like; new
> school) (not seen on the network, but seen through the IDS)
>
> In that example, you're still hosed any way you look at it.
>
> The FTP server's there, but unusable. We (SNS) would most likely see it get
> installed, but would throw out the alert as a false positive.
>
> If we can't scan the hosts, not only can't we tell if there's something up, but
> we can't even tell what OS it is, which also helps weed out false positives
> based on matching OS to attacks.
>
> We can pull some passive OS fingerprinting stuff into play (and we do), but
> when I or any of the other IDS team members are working on alerts, sometimes you
> just need to scan a host to see what's up.
>
> Seems like a lot of good info thrown out because you're worried about having
> the security group's scanner IP spoofed.
>
> So are you going to block that DNS server also? I hear there's holes for
> that too.
>
> Doesn't that same risk exist with the holes poked for the campus DNS
> servers?
>
> - -F
>
>
> ------------------------------------------------------------------------
> The following was automatically added to this message by the list server:
>
> For information about Micronet, including subscribing to
> or unsubscribing from its mailing list and finding out
> about upcoming meetings, please visit the Micronet Web site:
> <http://micronet.berkeley.edu/>.
>

Received on Thu May 12 17:27:15 2005

This archive was generated by hypermail 2.1.8 : Thu May 12 2005 - 17:27:16 PDT