[Snort-users] A case of beer on 63.204.135.168

ipfw sponix sponix2ipfw at ...125...
Fri Feb 22 19:06:03 EST 2002


<rant>
I'd have to follow John Sage <jsage at ...2022...> a bit on that one

Well, I'm just a bit tired of these idiots draining my bandwidth. I mean, 
its cut down to 3-20 attempts a day now, but when Nimda first came out we 
had a year old log file grow to three forths nimda logging in less than 4 
hours.

If I thought there was a snow balls chance ---- I'd start sending out bills 
to these people for monthly waisted bandwidth due to their ignorance...

Moral of the story is, if these people can't learn to operate there 
computers a bit they should box them up and donate them to one of my 
projects or something.


for the record, the posting of IP's and so forth is a bit overboard imho -- 
attempting to contact the person, or their ISP is best :)

well, take care
sponix
</rant>




>From: dr.kaos <dr.kaos at ...4970...>
>To: John Sage <jsage at ...2022...>, snort-users at lists.sourceforge.net
>Subject: Re: [Snort-users] A case of beer on 63.204.135.168
>Date: Fri, 22 Feb 2002 19:26:08 -0500
>
>On Friday 22 February 2002 07:04 pm, John Sage wrote:
>
> > I used to feel the same, back in November, maybe, but it's late
> > February 2002 and the incessant rain of Code Red/Nimda probes
> > continues unrelenting.
> >
> > My personal opinion about all the infected boxes that are clearly
> > utterly unmaintained by anyone is: "Screw 'em"
> >
> > I mean, these clowns are not paying a bit of attention to what they're
> > doing, and they're ignorant to the fact that their boxes are still
> > attempting to infect other clueless idiots^H^H^H^H^H^H people's boxes.
> >
> > Off with their heads!
>
>Fair enough. And for the most part, I agree with you and jeff both...
>however, since I do this for a living, I have to stand behind what I 
>preach.
>
>Surprisingly, there are still a large number of well-known commercial
>organizations like [name-removed] with security admins as clueless as our
>unsuspecting home IIS user. Problem is, if we post their names and IP's to
>the masses, we are in fact contributing to the possibility that their boxes
>will generate _more_ noise in our logs because of the increased probability
>that these infected hosts will be found.
>
>For instance, in Jeff's earlier post, he mentioned an open relay on port 25
>of the host he scanned. Anyone want to bet that someone saw that in the 
>post
>and uses the IP specified as a spam relay? I'm betting there's a pretty 
>good
>chance. And that just means more spam for you and me to killfile.
>
>I agree, off with their heads! But... I think the best way to decapitate 
>them
>is to let their ISP's know about the problem so the ISP's can take them
>offline till the problem is resolved. Then no more codered, no more nimda,
>and no more spam, at least from _one_ IP...
>
>./dr.k
>
>_______________________________________________
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>https://lists.sourceforge.net/lists/listinfo/snort-users
>Snort-users list archive:
>http://www.geocrawler.com/redir-sf.php3?list=snort-users




_________________________________________________________________
Chat with friends online, try MSN Messenger: http://messenger.msn.com





More information about the Snort-users mailing list