How do you handle client contact for network abuse/malware complaints etc.?
Hello,

As a sort of addendum to the thread "Quarantine your infected users spreading malware", I am curious how others handle contact to the users/clients for network security incidents.

The question I have is: when someone reports an incident to you about one of your clients (a user or server owner) possibly being infected, having an owned box being used for hacking into other servers, or being used to spread malware, how much information do you send/forward on to that user/client to support your case?

Is it normal practice to simply forward on unaltered logs sent in by those complaining, or do you sanitize them a bit to protect the people notifying you? Do you even send them at all at first, or do you simply inform them that a complaint has been received?

In short, how much information do you pass on to support yourself, and when?

Thanks,
Nicole Harrington
-- nmh@daemontech.com - Powered by FreeBSD -
"The term "daemons" is a Judeo-Christian pejorative. Such processes will now be known as "spiritual guides" - Politically Correct UNIX Page
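The question above asks whether a complaint should be forwarded unaltered or sanitized to protect the reporter. The following is an added example, not code from anyone in this thread, of the two things an abuse desk typically wants to produce from an incoming complaint: a sanitized copy that keeps the evidence (timestamps, the offending address, destination ports) while removing the reporter's identity (their mail headers, e-mail addresses and their own hosts' IPs), and a short summary suitable for a first "we have received complaints about your machine" notice. The complaint text, addresses and iptables-style log lines are constructed for the example; the log format assumed is the Linux netfilter `SRC=... DST=... PROTO=... DPT=...` form.

```python
import re

# Matches dotted-quad IPv4 addresses and e-mail addresses anywhere in a line.
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Netfilter-style firewall log line (assumed format for this example).
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+)(?: DPT=(?P<dpt>\d+))?"
)

# Mail headers that identify the reporter; dropped entirely when forwarding.
DROP_HEADERS = ("from:", "reply-to:", "return-path:", "received:", "message-id:")

# Constructed sample complaint; all addresses are documentation ranges.
SAMPLE_COMPLAINT = """\
From: abuse-desk@example.net
To: abuse@example.org
Subject: port scans from 192.0.2.45

Your host 192.0.2.45 probed our network; contact me at jane@example.net.
Mar  1 02:14:05 fw1 kernel: IN=eth0 SRC=192.0.2.45 DST=198.51.100.7 PROTO=TCP DPT=445
Mar  1 02:14:06 fw1 kernel: IN=eth0 SRC=192.0.2.45 DST=198.51.100.8 PROTO=TCP DPT=445
Mar  1 02:14:09 fw1 kernel: IN=eth0 SRC=192.0.2.45 DST=198.51.100.9 PROTO=TCP DPT=139
"""


def sanitize_complaint(text: str, offending_ip: str) -> str:
    """Return the complaint with reporter identifiers removed.

    Keeps timestamps, the offending IP, protocols and ports so the client can
    still match the events against their own logs.  Removes identifying mail
    headers, every e-mail address, and every IP other than the offending one
    (those belong to the reporter's network).
    """
    out = []
    for line in text.splitlines():
        if line.strip().lower().startswith(DROP_HEADERS):
            continue
        line = EMAIL_RE.sub("[email redacted]", line)
        line = IP_RE.sub(
            lambda m: m.group(0) if m.group(0) == offending_ip else "[reporter host]",
            line,
        )
        out.append(line)
    return "\n".join(out)


def summarize_evidence(text: str, offending_ip: str) -> dict:
    """Condense the log lines naming offending_ip into a first-contact summary.

    The summary carries enough to be credible (event count, time window,
    number of distinct targets, ports touched) without forwarding any log
    line or reporter address; the full sanitized copy can follow on request.
    """
    first = last = None
    targets, ports, events = set(), set(), 0
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("src") != offending_ip:
            continue
        events += 1
        first = first or m.group("ts")
        last = m.group("ts")
        targets.add(m.group("dst"))
        if m.group("dpt"):
            ports.add(int(m.group("dpt")))
    return {
        "events": events,
        "first": first,
        "last": last,
        "targets": len(targets),
        "ports": sorted(ports),
    }


if __name__ == "__main__":
    print(sanitize_complaint(SAMPLE_COMPLAINT, "192.0.2.45"))
    print(summarize_evidence(SAMPLE_COMPLAINT, "192.0.2.45"))
```

The placeholder `[reporter host]` is deliberate: a client investigating their own box only needs to know that a scan left their network, not which of the reporter's hosts received it, and that keeps the reporter out of any retaliation or argument between the two parties.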
On 3/1/06, Nicole Harrington <nmh@daemontech.com> wrote: ...
In short, how much information do you pass on to support yourself and when.
We've found that a simple "we've received complaints about you and your machine. Go here (symantec, fsecure, windowsupdate, etc) and patch your machine." works pretty well. By and large, everyone replies back with "yeah, I was missing X, Y, and Z patches" or "I found such-and-such virus and disinfected it". Maybe one in a few thousand asks for logs.

When the user asks for logs, we're pretty forthcoming with them. They might just have the same info in their windows/norton/whatever logs already.

In short, we tell them they have a problem, give them the tools to fix it, and if asked will show them the complaint, but usually that buck stops with us.

CK
-- GDB has a 'break' feature; why doesn't it have 'fix' too?
Nicole Harrington wrote:
Hello. As a sort of addendum to the thread "Quarantine your infected users spreading malware", I am curious how others handle contact to the users/clients for network security incidents.
The question I have is: when someone reports an incident to you about one of your clients (a user or server owner) possibly being infected, having an owned box being used for hacking into other servers, or being used to spread malware, how much information do you send/forward on to that user/client to support your case?
Is it normal practice to simply forward on unaltered logs sent in by those complaining, or do you sanitize them a bit to protect the people notifying you? Do you even send them at all at first, or do you simply inform them that a complaint has been received?
In short, how much information do you pass on to support yourself, and when?
Thanks
Nicole Harrington
All depends on the client and if I think the abuse is intentional or not.

If the user knows what he/she is doing and I don't think they are being malicious then I will send them everything.

If I think they are doing it on purpose I send enough to prove my case and tell them to knock it off - before I knock it off for them (or after - depends on how much damage they are causing).

If they don't have a clue then sending them a bunch of information they won't understand is pointless. We either help them clean up the mess or refer them to someone who can.

-- Mark Radabaugh Amplex mark@amplex.net 419.837.5015
All depends on the client and if I think the abuse is intentional or not.
If the user knows what he/she is doing and I don't think they are being malicious then I will send them everything.
If I think they are doing it on purpose I send enough to prove my case and tell them to knock it off - before I knock it off for them (or after - depends on how much damage they are causing).
If they don't have a clue then sending them a bunch of information they won't understand is pointless. We either help them clean up the mess or refer them to someone who can.
Ditto here on all the above. Too often it falls under the latter category it seems.

Since we're in the hosting/colo business PHP web forms seem to be the vast majority of issues lately. I'd love to know what cluebats or magic bullets are available for whacking this particular mole most effectively.

--chuck goolsbee digital.forest
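The post above does not say which form flaw generates the complaints, so the following is an added example built on an assumption: that the abused forms are the common contact/feedback scripts that copy user-supplied fields straight into mail headers, letting a sender inject CR/LF and extra `Bcc:`/`To:` headers to relay spam through the hosting server. It is not code from anyone in this thread. The check shown is the server-side validation such a form needs before it hands anything to a mailer, with the recipient fixed in the script rather than taken from the request; the field names and the recipient address are constructed for the example.

```python
import re
from email.message import EmailMessage

# One RFC-5322-ish mailbox, no whitespace, no line breaks.  Used with fullmatch
# so anything appended after a newline fails the check.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Fields that are placed into headers and therefore must be single-line.
HEADER_FIELDS = ("name", "email", "subject")
MAX_HEADER_LEN = 200

# Any of these in the request means the client is trying to pick recipients.
RECIPIENT_KEYS = ("to", "cc", "bcc", "recipient", "recipients")


def check_form_submission(fields: dict) -> list:
    """Return a list of reasons to reject the submission; empty means accept.

    Header injection relies on a CR or LF inside a value that ends up in a
    header, so every header-bound field is rejected outright if it contains
    one.  The sender address must be exactly one mailbox, and the form is not
    allowed to name recipients at all.
    """
    problems = []
    for name in HEADER_FIELDS:
        value = fields.get(name, "")
        if "\r" in value or "\n" in value:
            problems.append(f"{name}: line break in header field (injection attempt)")
        if len(value) > MAX_HEADER_LEN:
            problems.append(f"{name}: longer than {MAX_HEADER_LEN} characters")
    if not EMAIL_RE.fullmatch(fields.get("email", "")):
        problems.append("email: not a single valid address")
    for key in RECIPIENT_KEYS:
        if key in fields:
            problems.append(f"{key}: recipients must not come from the form")
    if not fields.get("message", "").strip():
        problems.append("message: empty")
    return problems


def build_message(fields: dict, fixed_recipient: str) -> EmailMessage:
    """Build the outgoing mail for a submission that passed check_form_submission.

    The only recipient is the one hard-coded by the site; the visitor's address
    goes into Reply-To, never into To/Cc/Bcc.
    """
    problems = check_form_submission(fields)
    if problems:
        raise ValueError("; ".join(problems))
    msg = EmailMessage()
    msg["To"] = fixed_recipient
    msg["From"] = "webform@example.org"   # constructed site address
    msg["Reply-To"] = fields["email"]
    msg["Subject"] = f"[contact form] {fields['subject']}"
    msg.set_content(f"From: {fields['name']} <{fields['email']}>\n\n{fields['message']}")
    return msg


# Constructed submissions: one honest, one carrying an injected Bcc header.
GOOD_SUBMISSION = {
    "name": "Jane Example",
    "email": "jane@example.net",
    "subject": "Question about colo pricing",
    "message": "Do you have half-rack space available?",
}
INJECTED_SUBMISSION = {
    "name": "x",
    "email": "x@example.com\nBcc: victim1@example.net, victim2@example.net",
    "subject": "hi",
    "message": "cheap pills",
}

if __name__ == "__main__":
    print(check_form_submission(GOOD_SUBMISSION))       # []
    print(check_form_submission(INJECTED_SUBMISSION))   # two reasons
    print(build_message(GOOD_SUBMISSION, "sales@example.org")["To"])
```

Rejecting on any CR/LF is simpler and safer than trying to strip them, and keeping the recipient out of the request removes the payoff even if a check is missed elsewhere. Rate limiting per source address and logging rejected submissions give the abuse desk something to point at when the next complaint arrives.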
participants (4): Chris Kuethe, chuck goolsbee, Mark Radabaugh, Nicole Harrington