[thelist] Security & Being a Webmaster

Erik Bennett ebennett at ecasd.k12.wi.us
Thu Aug 15 14:54:01 CDT 2002


I have a couple of questions I wanted to put to the community about security
from a webmaster's point of view and hopefully get some ideas on what I'm
asking.

I deal with ~35 websites for our school district. I'm not involved in the
everyday design and maintenance per se... but I am responsible for
maintaining all of the logs. In doing so, some questions have been raised in
my mind.

NIMDA & Code Red II - Right now, I'm logging between 100 & 200 hits from
these a day. I've noticed a trend though in my logs... And since I don't
know much about how each of these work, maybe the answer is right in front
of me. Code Red II usually comes in one hit/one website a day from multiple
IP addresses. Rarely do I see a Code Red II scan hit more than one of our
sites from the same IP. NIMDA on the other hand, I've noticed two distinct
differences. In one instance, a NIMDA scan will hit all of our web sites
once from one IP, or it will hit one of our web sites ~16 times looking for
different exploits. What I'm curious about is, are those two differences the
difference between a computer infected with NIMDA and someone looking to
exploit holes in a NIMDA affected server?

Consequently, all of this logging has raised other issues in my mind. I use
Analog & ReportMagic to format my logs, and QuickDNS to resolve the IPs. For
those IPs that don't resolve, I use Name.Space's sWhois to find the IP block
owner. Now NIMDA and Code Red II are not the only hits we get, we also get
hit with people looking for formmail exploits. My second question is this:
Do I have a responsibility to let someone know when a NIMDA/Code
Red/formmail comes from their IP address? As it stands now, I have been
letting the ISPs know of the formmail attempts since this is a deliberate
scan of our system. But the sheer volume of Code Red II/NIMDA hits would add
hours of emailing to my day. How do any of you on the list handle this kind
of stuff?

Kinda long-winded - here's a summary of my questions:

1. Is there a difference in the types of scans I get hit with from NIMDA or
Code Red II that can tell me whether it's the virus or someone looking to
exploit?
2. Do I have a responsibility to let someone know when a NIMDA/Code
Red/formmail comes from their IP address?
3. How do any of you that have to deal with logs like this handle these
situations?

Thanks in advance guys. I always appreciate the help and insights!

Erik


------------------------------------------------------
Erik Bennett
ECASD Webmaster			Network Accounts
ebennett at ecasd.k12.wi.us	accounts at ecasd.k12.wi.us
http://www.ecasd.k12.wi.us	http://www.ecasd.k12.wi.us/webmaster/accounts

500 Main Street			Phone: 715-839-6290 x551
Eau Claire, WI 54701		Fax:    715-833-3481
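The two scan shapes the post describes (one IP probing every site once, versus one IP probing a single site with many different paths) are easy to separate mechanically once hits from all the sites are grouped by source address, and the same grouping answers the volume problem in question 3: one summary row per IP per day instead of one email per hit. The script below is an added example written for this thread, not Erik's tooling and not part of Analog or ReportMagic. It assumes the ~35 sites are collected into one Apache common-format log with a leading virtual-host field, uses the widely published request markers of the 2001 worms (default.ida for Code Red II, root.exe / cmd.exe for Nimda) plus the FormMail script name, and runs over a constructed sample log using documentation IP ranges; the MULTI_PATH_MIN threshold and the report/digest policy are assumptions to tune.

```python
"""Group web-server hits by source IP across many virtual hosts and label the
scan shape, so worm noise can be digested and deliberate probes reported.

Added example for this thread, not the original poster's tooling. Log format
is an assumption: Apache common log with a leading virtual-host field.
"""
import re
from collections import defaultdict

# Assumed multi-site format: "<vhost> <ip> - - [<ts>] \"<method> <path> <proto>\" <status> <bytes>"
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: \S+)?" (?P<status>\d{3}) \S+'
)

# Request markers for the three families the thread mentions: the well-known
# probe strings of Code Red II (default.ida) and Nimda (root.exe / cmd.exe),
# plus the FormMail script name that the hand-run scans look for.
FAMILY_MARKERS = {
    "codered2": re.compile(r"/default\.ida", re.I),
    "nimda": re.compile(r"root\.exe|cmd\.exe", re.I),
    "formmail": re.compile(r"formmail", re.I),
}

MULTI_PATH_MIN = 4  # assumed threshold: distinct probe paths from one IP to one site

# Constructed sample log (RFC 5737 documentation addresses, made-up site names).
SAMPLE_LOG = """\
site-a.example 198.51.100.10 - - [15/Aug/2002:09:12:01 -0500] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 287
site-b.example 198.51.100.11 - - [15/Aug/2002:09:14:30 -0500] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 287
site-a.example 203.0.113.5 - - [15/Aug/2002:10:01:02 -0500] "GET /scripts/root.exe HTTP/1.0" 404 287
site-b.example 203.0.113.5 - - [15/Aug/2002:10:01:03 -0500] "GET /scripts/root.exe HTTP/1.0" 404 287
site-c.example 203.0.113.5 - - [15/Aug/2002:10:01:04 -0500] "GET /scripts/root.exe HTTP/1.0" 404 287
site-c.example 203.0.113.77 - - [15/Aug/2002:11:20:00 -0500] "GET /scripts/root.exe HTTP/1.0" 404 287
site-c.example 203.0.113.77 - - [15/Aug/2002:11:20:00 -0500] "GET /MSADC/root.exe HTTP/1.0" 404 287
site-c.example 203.0.113.77 - - [15/Aug/2002:11:20:01 -0500] "GET /c/winnt/system32/cmd.exe HTTP/1.0" 404 287
site-c.example 203.0.113.77 - - [15/Aug/2002:11:20:01 -0500] "GET /d/winnt/system32/cmd.exe HTTP/1.0" 404 287
site-c.example 203.0.113.77 - - [15/Aug/2002:11:20:02 -0500] "GET /scripts/..%5c../winnt/system32/cmd.exe HTTP/1.0" 404 287
site-a.example 192.0.2.9 - - [15/Aug/2002:12:00:00 -0500] "GET /cgi-bin/formmail.pl HTTP/1.0" 404 287
site-a.example 192.0.2.9 - - [15/Aug/2002:12:00:01 -0500] "GET /cgi-bin/FormMail.pl HTTP/1.0" 404 287
site-b.example 192.0.2.200 - - [15/Aug/2002:12:30:00 -0500] "GET /index.html HTTP/1.0" 200 5120
"""


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    return [m.groupdict() for m in (LOG_RE.match(l) for l in text.splitlines()) if m]


def family_of(path):
    """Return the probe family a request path matches, or None for ordinary traffic."""
    for name, rx in FAMILY_MARKERS.items():
        if rx.search(path):
            return name
    return None


def summarize_by_ip(records):
    """Collapse probe hits into per-source-IP statistics across all virtual hosts."""
    per_ip = defaultdict(lambda: {"per_site": defaultdict(int), "paths": set(), "families": set()})
    for r in records:
        fam = family_of(r["path"])
        if fam is None:
            continue  # ordinary page views are not part of the scan picture
        s = per_ip[r["ip"]]
        s["per_site"][r["vhost"]] += 1
        s["paths"].add(r["path"])
        s["families"].add(fam)
    return per_ip


def classify(stats):
    """Label the scan shapes the post describes.

    'sweep'      - one probe per site across several of our sites from one IP
    'multiprobe' - one site hit with many distinct probe paths from one IP
    'single'     - a lone probe (the one-hit-per-day Code Red II pattern)
    'other'      - anything else (e.g. a couple of repeated tries at one site)
    """
    sites = len(stats["per_site"])
    total = sum(stats["per_site"].values())
    if sites >= 2 and max(stats["per_site"].values()) == 1:
        return "sweep"
    if sites == 1 and len(stats["paths"]) >= MULTI_PATH_MIN:
        return "multiprobe"
    if total == 1:
        return "single"
    return "other"


def triage(text):
    """One row per source IP with a reporting decision. The policy mirrors the
    post: formmail probes are reported to the block owner, worm noise goes
    into a single daily digest. Thresholds and policy are assumptions."""
    out = {}
    for ip, stats in summarize_by_ip(parse_log(text)).items():
        families = sorted(stats["families"])
        out[ip] = {
            "pattern": classify(stats),
            "families": families,
            "sites": len(stats["per_site"]),
            "hits": sum(stats["per_site"].values()),
            "action": "notify-isp" if "formmail" in families else "digest",
        }
    return out


if __name__ == "__main__":
    for ip, row in sorted(triage(SAMPLE_LOG).items()):
        print(f"{ip:16} {row['pattern']:10} {','.join(row['families']):10} "
              f"sites={row['sites']} hits={row['hits']} -> {row['action']}")
```

Run against a real day's log, the "sweep" rows are the IPs that touched every site once and the "multiprobe" rows are the ones that hammered a single site with a run of different paths, which is exactly the distinction question 1 asks about; the "digest" rows can be rolled into one message per block owner at the end of the day rather than mailed individually.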



