Hi,

On 26-Nov-01 Thomas Michael Wanka wrote:

> Hi,
>
> On 26 Nov 2001, at 13:40, Boris Lorenz wrote:
>
> > Oh, and I think Ralf Koch is quite right. Although it often helps to broaden your understanding of anti-cracker skills by setting up honeypots or active/passive retaliation systems (if your time allows), such techniques are of minor use in reality, and may cause problems if configured incorrectly.
> > Don't attack the attacker. Don't descend to their level.
>
> I still get CodeRed/Nimda scans from about 10 different IP addresses a day. How about sending complaints along with excerpts of the logfiles to the police and prosecuting authorities? At least in Europe, if nothing else, if enough people did that, it would show them how much work the cybercrime act would mean for them! Not that I think it would change much.
The tools section of securityfocus.com contains a small utility called "codeblue" to scan your Apache logs for CodeRed I+II/Nimda attacks and send mails to the admins of the (probably infected) hosts. This may not be the end-all and be-all of solutions, but it's a start. It's not a good idea to transfer the logs to certain authorities without at least sending a quick preliminary notification to the admin(s) of the responsible hosts. While there's a remote possibility of catching a downright evil attacker, chances are good that you cause unwanted legal trouble by stirring up federal action against possibly innocent ppl.
mike
PS: IMO, the EU cybercrime treaty simply is a joke, made up by lawyers, CEOs and heads of the software industries' big cheeses to install and maintain patterns of sueability. While this may help to give flocks of unemployed solicitors a job, it's of little to no use for the security community as a whole. Just my $0.02 (that's roughly 0.02278 Euros ;) )
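As an added example (not the codeblue utility itself, nor code from anyone in this thread), here is a small Python sketch of the defensive half of what the post describes: parse Apache common-log lines, flag the request paths the CodeRed and Nimda worms are known to leave behind, and collect per-source-host counts plus the raw log excerpts one would attach to a notification to that host's admin. The log lines are constructed for illustration; the path fragments are the widely documented worm signatures.

```python
import re
from urllib.parse import unquote

# Apache "common" log format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: \S+)?" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

# CodeRed hits the Index Server ISAPI filter (default.ida); Nimda probes for the
# root.exe backdoor left by CodeRed II and for cmd.exe via IIS traversal paths.
SIGNATURES = {
    "codered": ("/default.ida",),
    "nimda": ("root.exe", "cmd.exe"),
}

# Constructed sample log lines (not real traffic); hosts are documentation ranges.
SAMPLE_LOG = [
    '10.0.0.5 - - [26/Nov/2001:13:40:01 +0100] "GET /default.ida?NNNNNNNN%u9090%u6858 HTTP/1.0" 404 275',
    '10.0.0.5 - - [26/Nov/2001:13:40:02 +0100] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 284',
    '192.0.2.77 - - [26/Nov/2001:13:41:10 +0100] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 289',
    '192.0.2.77 - - [26/Nov/2001:13:41:11 +0100] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 302',
    '198.51.100.9 - - [26/Nov/2001:13:42:00 +0100] "GET /index.html HTTP/1.0" 200 1234',
]

def parse_line(line):
    """Split one common-log-format line into fields, or None if malformed."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(path):
    """Return the worm family a request path matches, or None for ordinary traffic."""
    p = unquote(path).lower()  # one decode pass; '..%255c..' still contains 'cmd.exe'
    for family, needles in SIGNATURES.items():
        if any(n in p for n in needles):
            return family
    return None

def scan_log(lines):
    """Per source host: probe counts by family plus raw excerpts for an abuse report."""
    report = {}
    for line in lines:
        rec = parse_line(line)
        family = classify(rec["path"]) if rec else None
        if family is None:
            continue  # malformed line or ordinary request
        entry = report.setdefault(rec["host"], {"counts": {}, "excerpts": []})
        entry["counts"][family] = entry["counts"].get(family, 0) + 1
        entry["excerpts"].append(line.strip())
    return report
```

Running `scan_log(SAMPLE_LOG)` yields two probing hosts and leaves the ordinary request out; the excerpts per host are what a complaint mail would quote.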