Code Red, NIMDA and friends
Posted by Clint Sharp on July 10th, 2003


Yay, setting up webservers on a DSL line is a piece of cake, Redhat 9
and Apache on a PIII 500 works a treat.

Booo, I'm getting several scans/probes/attempted exploits every day
(been up three days and already had at least seven different IPs trying
it on)

Approximately 40-50 Red probes/scans which are, fairly obviously, going
to get nowhere but should I report them to the administrators of the
offending systems? I guess it's the right thing to do, but if they
haven't even bothered to clean and patch their systems isn't it going to
be a waste of my time?

Can you recommend a guide to security auditing so my machine doesn't get
used for more nefarious means?
--
Clint

Posted by Laurence on July 10th, 2003


Clint Sharp <clint@clintsmc.demon.co.uk> wrote:
<aol>

If no one reports hack attempts, no one's gonna fix them. I've got a script
running on my server that sends max one report per IP per day to its best
guess for the admin address for the infected IP. So far out of about 175
reports I've had 3 responses from real people - one of which reported that
the affected system had been cleaned.

Laurence
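Laurence does not post the script, so the following is an added illustration of the same idea and is not his code: it scans Apache access-log lines for the well-known Code Red (`default.ida`) and Nimda (`root.exe` / `cmd.exe`) probe requests and applies his rule of at most one report per source IP per day. The log lines, IP addresses and dates are constructed for the example; the abuse address a report would go to is assumed to be looked up elsewhere (WHOIS or reverse DNS), which is the part Stuart later points out is unreliable.

```python
import re
from collections import OrderedDict

# Constructed sample of Apache combined-format access-log lines. The request
# paths are the public Code Red and Nimda probe patterns; IPs and dates are made up.
SAMPLE_LOG = """\
10.0.0.7 - - [10/Jul/2003:09:12:01 +0100] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 276 "-" "-"
10.0.0.7 - - [10/Jul/2003:09:12:02 +0100] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 270 "-" "-"
10.0.0.7 - - [10/Jul/2003:09:12:03 +0100] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 278 "-" "-"
192.0.2.44 - - [10/Jul/2003:11:40:17 +0100] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Jul/2003:11:40:18 +0100] "GET /_vti_bin/..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290 "-" "-"
10.0.0.7 - - [11/Jul/2003:02:05:44 +0100] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3 HTTP/1.0" 404 276 "-" "-"
"""

# Worm name -> pattern matched against the request path only.
PROBE_SIGNATURES = [
    ("Code Red", re.compile(r"^/default\.ida\?", re.I)),
    ("Nimda", re.compile(r"/(?:root|cmd)\.exe(?:\?|$)", re.I)),
]

# Pull out source IP, calendar day and request path from a combined-log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>\d{2}/[A-Za-z]{3}/\d{4}):[^\]]*\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)'
)


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(path):
    """Return the worm name whose signature matches the path, else None."""
    for worm, rx in PROBE_SIGNATURES:
        if rx.search(path):
            return worm
    return None


def find_probes(log_text):
    """Return (ip, day, worm, path) for every log line that looks like a worm probe."""
    probes = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        worm = classify(rec["path"])
        if worm:
            probes.append((rec["ip"], rec["day"], worm, rec["path"]))
    return probes


def select_reports(probes, already_sent=None):
    """Apply the one-report-per-IP-per-day rule.

    `already_sent` is the persisted set of (ip, day) pairs reported by earlier
    runs (e.g. loaded from a state file); it is updated in place so a cron-driven
    run does not report the same host twice in one day.
    """
    sent = already_sent if already_sent is not None else set()
    reports = OrderedDict()
    for ip, day, worm, path in probes:
        key = (ip, day)
        if key in sent:
            continue
        if key not in reports:
            reports[key] = {"ip": ip, "day": day, "worms": set(), "samples": []}
        reports[key]["worms"].add(worm)
        reports[key]["samples"].append(path)
    sent.update(reports)  # OrderedDict iteration yields the (ip, day) keys
    return list(reports.values())


def format_report(report, my_host="webserver.example"):
    """Plain-text body for the abuse contact (hypothetical wording)."""
    lines = [
        f"Host {report['ip']} appears to be infected with "
        f"{', '.join(sorted(report['worms']))} and probed {my_host} on {report['day']}.",
        f"{len(report['samples'])} probe request(s) were logged, for example:",
    ]
    lines += ["  " + p[:80] for p in report["samples"][:3]]
    lines.append("Please clean and patch the system.")
    return "\n".join(lines)


if __name__ == "__main__":
    state = set()  # in practice persisted between runs
    for r in select_reports(find_probes(SAMPLE_LOG), state):
        print(format_report(r), end="\n\n")
```

Run against the sample, the six log lines yield five probe hits but only three reports: the three probes from the first host on 10 July collapse into one, and the same host on 11 July gets a fresh report. Matching on the request path rather than on the 404 status keeps the rule working if a rewrite rule or catch-all page later turns those probes into 200s.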



Posted by Martin Cooper on July 10th, 2003


Clint Sharp <clint@clintsmc.demon.co.uk> wrote:

That seems about normal. I have similar scans all the time on my /29. For
an idea of what's out there, see this summary of probes from my IDS for the
last 3 days http://charon.martinc.me.uk/Alerts.htm

Reporting these issues could very easily become a full time job, and these
stats are not unusual, they are the norm. I have seen similar levels of
scans for the past 18 months, and this does not include attempted relaying
through my mail server or the SPAM and virus infected MS security patches I
get sent. For the sake of your sanity, I would say to make sure you have a
decent firewall in place using iptables or similar, then just ignore it all.
You have better things to do with your time than to chase this lot up.

As you're using Linux, an excellent security auditing tool is nessus
(www.nessus.org). The linux security howto is also pretty good
(http://www.linuxsecurity.com/docs/LDP/Security-HOWTO/) and if you want to
keep track of what is going on, consider giving snort a try (www.snort.org).
The various documents here http://www.linuxsecurity.com/docs/ are also well
worth the read.

--

Martin

Posted by Colin Wilson on July 10th, 2003


Wasn't there a utility for Code Red that took advantage of the same
weakness in the remote infected machine to overwrite the virus with
benign code ?

Posted by Stuart on July 10th, 2003



"Laurence" <ljng@hbbs.orgX.COM> wrote in message
news:3f0dd4ff$0$45184$65c69314@mercury.nildram.net ...

Your best guess is also likely to be the same as the spammers. Our 'public'
admin addresses now have such a low s/n ratio that unexpected emails are
sadly lost...

Another cost of those vermin....

--
Stuart



Posted by Mark&Lisa on July 10th, 2003


Colin Wilson wrote:
http://grilli.net/codered/ ?


Posted by Colin Wilson on July 10th, 2003


It would probably be just as illegal as the original virus, if not
more so, as you would know you were deliberately altering code on another
system without authorisation - probably well covered under the computer
misuse act.

Having said that...

Posted by Mark&Lisa on July 10th, 2003


Colin Wilson wrote:
that one just tries to pop up a message on the infected pc using net send


Posted by Colin Wilson on July 11th, 2003


I'm sure there was one that did a little more than display a popup...

Posted by Colin Wilson on July 11th, 2003


I don't know how, but I just managed to make a complete arse out of
myself by managing to miss out a couple of lines of text I was thinking,
and didn't put into recycled electrons :-}

I was trying to refer to the illicit "fix" that was out, which used the
flaw to patch it safe again.

