Security Basics mailing list archives
RE: what should I do when....
From: "Rivest, Philippe" <PRivest () transforce ca>
Date: Fri, 4 Jul 2008 10:42:51 -0400
What you have done should have been to follow your internal procedure for this kind of "suspicious activity". If you don't have one, one should be created and approved.

Anyhow, doing preliminary research is very good and not too time consuming.

Your next step should be to contact
1- The company that is probing you and give them the information you have. What kind of "attack" you have, since when and from where.
2- Advise that company to investigate and remediate the "disturbing event". Tell them to contact you for info & upon completion.
3- Lastly, if this gets out of hand I would suggest thinking of the ISP level, as they are also responsible for some level of protection (if this is abusive, for example).

Anything you do should be documented with evidence of the actions and recommendations you make & take. This is very important to have as it shows you did everything you could with due care and in a timely manner. Keep this evidence and back it up.

Thanks

Philippe Rivest, CEH
Internal information security auditor
Email: Privest () transforce ca
Phone: (514) 331-4417
www.transforce.ca

You could print this email, but it does take a long time to grow trees.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On behalf of Jorge L. Vazquez
Sent: July 3, 2008 22:05
To: security-basics; security-basics-sc.1207759308.halobnafecliebdpegpn-Jlvazquez825=gmail.com@securityfocus.com; security focus listbounce
Subject: what should I do when....

For the last 2 days I've been getting lots of connection attempts on my firewall logs (ipcop firewall), from a specific ip based in Canada. The log is showing a * * NEW not SYN? It seems that someone is trying to initiate a connection, or maybe a scan.

Although the good thing is that the firewall is detecting them, therefore stopping them, I'm getting worried of hacker activity. I've already done an ip lookup and a dns whois query; both of those point to an ip and host in Canada. It seems to be a company, as I got their public website and also private network..... Could anyone advise me what's the proper course of action in this case?....

thanks

Jorge L. Vazquez
www.pctechtips.org
Current thread:
- what should I do when.... Jorge L. Vazquez (Jul 04)
- RE: what should I do when.... Rivest, Philippe (Jul 04)
- RE: what should I do when.... Sergio Castro (Jul 07)
- RE: what should I do when.... Rivest, Philippe (Jul 07)
- RE: what should I do when.... Sergio Castro (Jul 07)
- Message not available
- RE: what should I do when.... Sergio Castro (Jul 08)
- RE: what should I do when.... Weir, Jason (Jul 09)
- Re: what should I do when.... Ansgar -59cobalt- Wiechers (Jul 09)
- Re: what should I do when.... Adriel Desautels (Jul 10)
- Re: what should I do when.... Ansgar -59cobalt- Wiechers (Jul 10)
- Re: what should I do when.... Adriel Desautels (Jul 11)
- Re: what should I do when.... Ansgar -59cobalt- Wiechers (Jul 11)
- RE: what should I do when.... Rivest, Philippe (Jul 07)