Security Incidents mailing list archives
Re: Template Admin Notification
From: Rick Ballard <Richard.Ballard () xwave com>
Date: Wed, 24 Jan 2001 17:16:32 -0400
Unless a scan has come from a cable modem IP or dialup, it is usually safe to assume that it has come from a compromised system. If this is the case, then the owners of the host system are in all probability victims and not perpetrators. CC'ing their ISP, mentioning laws they may have broken or making threats are useless and unwarranted in this case. An attack from www.acme-insurance.com is not likely to have been sent by an employee or with the knowledge of anyone at the company. Your job is to let them know that one of their hosts has been compromised. Sometimes I include URLs to pertinent CERT advisories.

A fairly high percentage of recipients reply with thanks, saying that their machine was in fact compromised and has been taken offline to be rebuilt. In many cases I have been able to connect to a web server on the source host and see that it is a newly installed Linux or NT box with the default web pages still in place.

Here is a typical note I have sent, usually to postmaster@whatever, the whois system contact, and whatever names I find on their website.

=====================================
[ Subject: Compromised System ]

My network was scanned this afternoon for imap servers by someone from a host of yours with IP address 111.112.113.86. It is extremely likely that this machine has been compromised by hackers. Please check into this.

Here is an excerpt from my logs. Times are Atlantic Daylight Time ( GMT-4 ).

Sep 15 15:52:53 wall kernel: IP fw-fwd deny eth1 TCP 111.112.113.86:8738 222.223.224.1:143
Sep 15 15:52:53 wall kernel: IP fw-fwd deny eth1 TCP 111.112.113.86:8794 222.223.224.2:143
Sep 15 15:52:53 wall kernel: IP fw-fwd deny eth1 TCP 111.112.113.86:8797 222.223.224.3:143
... [ hundreds omitted ]
Sep 15 15:52:53 wall kernel: IP fw-fwd deny eth1 TCP 111.112.113.86:8812 222.223.224.253:143
Sep 15 15:52:53 wall kernel: IP fw-fwd deny eth1 TCP 111.112.113.86:8739 222.223.224.254:143

Thank you.
=====================================
--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Rick Ballard                  Cell  : 902-483-0559
xwave solutions               Pager : 902-458-6568
Halifax, Nova Scotia          Email : Richard.Ballard () xwave com
Canada                        Timezone: Atlantic AST(GMT-4)/ADT(GMT-3)
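As an added illustration (not part of Rick's post), the following Python snippet parses the ipchains-style "IP fw-fwd deny" lines quoted above, groups denied connections by source address and destination port, and flags a source that probed several distinct hosts on one port as a sweep, then drafts a neutral notice in the spirit of the template. The log sample is constructed; the function names, the threshold and the regex are assumptions, not anything from the post.

```python
import re
from collections import defaultdict

# Matches the firewall log format quoted in the post (ipchains "IP fw-fwd deny").
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s\S+\skernel:\sIP\sfw-fwd\sdeny\s(?P<iface>\S+)\s"
    r"(?P<proto>TCP|UDP)\s(?P<src>[\d.]+):(?P<sport>\d+)\s(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample: one host sweeps port 143 across a /24, plus unrelated noise.
SAMPLE_LOG = """\
Sep 15 15:52:53 wall kernel: IP fw-fwd deny eth1 TCP 111.112.113.86:8738 222.223.224.1:143
Sep 15 15:52:53 wall kernel: IP fw-fwd deny eth1 TCP 111.112.113.86:8794 222.223.224.2:143
Sep 15 15:52:53 wall kernel: IP fw-fwd deny eth1 TCP 111.112.113.86:8797 222.223.224.3:143
Sep 15 15:52:54 wall kernel: IP fw-fwd deny eth1 TCP 111.112.113.86:8812 222.223.224.253:143
Sep 15 16:01:10 wall kernel: IP fw-fwd deny eth1 TCP 10.9.8.7:40000 222.223.224.5:80
not a firewall line at all
"""

def parse_denies(text):
    """Yield one dict per line that matches the deny format; skip everything else."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def find_sweeps(text, min_targets=3):
    """Group denies by (source IP, destination port) and report sources that hit
    at least min_targets distinct hosts on one port, i.e. a horizontal sweep."""
    targets = defaultdict(set)   # (src, dport) -> set of destination hosts
    first_seen = {}              # (src, dport) -> timestamp of first denied packet
    for r in parse_denies(text):
        key = (r["src"], r["dport"])
        targets[key].add(r["dst"])
        first_seen.setdefault(key, r["ts"])
    return {key: {"hosts": len(hosts), "first": first_seen[key]}
            for key, hosts in targets.items() if len(hosts) >= min_targets}

def draft_notice(src, dport, hosts, first):
    """Neutral wording, as the post recommends: report the symptom, do not accuse."""
    return (f"Subject: Compromised System\n\n"
            f"My network was scanned starting {first} (GMT-4) from a host of yours with "
            f"IP address {src}: {hosts} hosts were probed on TCP port {dport}. It is "
            f"extremely likely that this machine has been compromised. Please check into this.\n")
```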