RE: Incident response to being scanned

["David Gillett" <gillettdavid () fhda edu>]

> -----Original Message-----
> From: Bob Kelley [mailto:b0bk3ll3yjr () adelphia net]
>
> In reviewing my firewall and web server logs, I see repeated 
> attempts from  several ip addresses to scan my network as 
> well as infect my webserver  with code red.  The source 
> addresses are not always the same.  I am  confident that I 
> don't have any holes in my firewall and my webserver is  up 
> to date.  I perform weekly vulnerability scans of my 
> equipment to make  sure I am covered.   What is considered 
> the best practice for dealing with these incidents?  Should I 
> be filing abuse reports with the ISPs of the source IPs?  
> This  obviously takes time.  I am looking for a business case 
> to justify the  time spent responding.    Thanks

  If a machine is infected with Code Red at this point, it
probably means that there is nobody who

  (a) understands the problem, and
  (b) cares about fixing it, and
  (c) can be found using available tools like whois.

i.e., the best use of your time is to make sure you're not
vulnerable, and move on.

Dave Gillett



---------------------------------------------------------------------------
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the 
world's premier event for IT and network security experts.  The two-day 
Training features 6 hand-on courses on May 12-13 taught by professionals.  
The two-day Briefings on May 14-15 features 24 top speakers with no vendor 
sales pitches.  Deadline for the best rates is April 25.  Register today to 
ensure your place.  http://www.securityfocus.com/BlackHat-security-basics 
----------------------------------------------------------------------------