On Tue, 2003-07-08 at 08:04, Steve Wright wrote:
Russell Fulton wrote:
Earlier this year I did a binge on machines in NZ that were infected by worms that spread via open shares. Since many of these are on dial up addresses it is impossible to tell if particular machines have been fixed [....]
IMO, ISPs who allow their customers to be part of the problem are part of the problem themselves. Why are ISPs not scanning their customers' machines, either as a service to the customer, or as a means to protect their network?
Infected PCs on the Internet == SARS-infected person in a university, so stop complaining and sort it out.
I'm not quite sure what you are getting at, Steve. I have no way to "sort it out". I was reporting addresses from local ISPs that were scanning us and which appeared to be infected by worms. My comment was that it is difficult to work out if things are getting fixed for machines that change IPs all the time (like dialup machines).

Anyway, with a little work I could completely automate reporting of addresses that are doing random scanning on various well-known ports (e.g. udp 137, tcp 80, 139, 445 and udp 1343). These machines are almost certainly infected by worms and (IMHO ;-) should be off the 'Net until fixed (simply to protect the owners, since many of these worms also install remote control backdoors).

The reports could be sent out once a day with a single line per detection (<first time> <last time> <ip> <ports being scanned>).

Which ISPs would be interested in subscribing to this free service?

BTW this won't happen straight away -- I'm on leave for two weeks (school holidays) and am currently wondering if I am going to get through the Desert Road tomorrow or if I should go down the west side of the mountains...

--
Russell Fulton, Network Security Officer, The University of Auckland, New Zealand.
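
Added example, not part of the original message or the poster's own tooling: one way to produce the daily one-line-per-detection report described above from border connection logs. The log format, the `MIN_TARGETS` threshold for what counts as "random scanning", and all function names are assumptions; the sample log is constructed.

```python
from collections import defaultdict
from datetime import datetime

# Ports named in the message, as (protocol, port) pairs.
WATCHED = {("udp", 137), ("tcp", 80), ("tcp", 139), ("tcp", 445), ("udp", 1343)}
MIN_TARGETS = 3  # assumed: distinct destinations before a source counts as scanning

# Constructed sample log: "<ISO time> <proto> <src ip> <dst ip> <dst port>"
SAMPLE_LOG = """\
2003-07-08T01:00:05 tcp 192.0.2.10 198.51.100.1 445
2003-07-08T01:00:06 tcp 192.0.2.10 198.51.100.77 445
2003-07-08T01:03:12 tcp 192.0.2.10 198.51.100.140 139
2003-07-08T01:09:40 tcp 192.0.2.10 198.51.100.201 445
2003-07-08T01:30:00 tcp 192.0.2.20 198.51.100.80 80
2003-07-08T01:31:00 tcp 192.0.2.20 198.51.100.80 80
2003-07-08T02:15:00 udp 192.0.2.30 198.51.100.3 137
2003-07-08T02:15:04 udp 192.0.2.30 198.51.100.9 137
2003-07-08T02:15:09 udp 192.0.2.30 198.51.100.15 137
2003-07-08T02:20:00 tcp 192.0.2.30 198.51.100.15 22
truncated line
"""

def parse(line):
    """Split one log line into typed fields; raises ValueError if malformed."""
    ts, proto, src, dst, port = line.split()
    return datetime.fromisoformat(ts), proto, src, dst, int(port)

def daily_report(log_text, min_targets=MIN_TARGETS):
    """Return '<first time> <last time> <ip> <ports>' lines, one per scanning source."""
    first, last = {}, {}
    targets, ports = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        try:
            ts, proto, src, dst, port = parse(line)
        except ValueError:
            continue  # skip blank or malformed lines rather than abort the report
        if (proto, port) not in WATCHED:
            continue  # only traffic to the watched worm ports is counted
        first[src] = min(first.get(src, ts), ts)
        last[src] = max(last.get(src, ts), ts)
        targets[src].add(dst)
        ports[src].add((port, proto))
    report = []
    for src in sorted(first):
        # A host hitting one server repeatedly is a client, not a scanner.
        if len(targets[src]) < min_targets:
            continue
        plist = ",".join(f"{proto}/{port}" for port, proto in sorted(ports[src]))
        report.append(f"{first[src].isoformat()} {last[src].isoformat()} {src} {plist}")
    return report

if __name__ == "__main__":
    print("\n".join(daily_report(SAMPLE_LOG)))
```

The distinct-destination threshold is what keeps an ordinary web client (192.0.2.20 in the sample) out of the report; tune it to the size of the monitored address space.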