Security Incidents mailing list archives

Re: Template Admin Notification


From: Rick Ballard <Richard.Ballard () xwave com>
Date: Wed, 24 Jan 2001 17:16:32 -0400

Unless a scan has come from a cable modem IP or dialup, it is usually
safe to assume that it has come from a compromised system. If this is
the case, then the owners of the host system are in all probability
victims and not perpetrators. CC'ing their ISP, mentioning laws they
may have broken or making threats are useless and unwarranted in this
case. An attack from www.acme-insurance.com is not likely to have
been sent by an employee or with the knowledge of anyone at the
company. Your job is to let them know that one of their hosts has
been compromised. Sometimes I include URLs to pertinent CERT
advisories. A fairly high percentage of recipients reply with thanks,
saying that their machine was in fact compromised and has been taken
offline to be rebuilt.

In many cases I have been able to connect to a web server on the
source host and see that it is a newly installed Linux or NT box with
the default web pages still in place.

Here is a typical note I have sent, usually to postmaster@whatever,
the whois system contact, and whatever names I find on their website.

=====================================
[ Subject: Compromised System ]

My network was scanned this afternoon for imap servers by someone
from a host of yours with IP address 111.112.113.86. It is extremely
likely that this machine has been compromised by hackers.

Please check into this.

Here is an excerpt from my logs. Times are Atlantic Daylight Time ( GMT-4 ).

Sep 15 15:52:53 wall kernel: IP fw-fwd deny eth1 TCP 111.112.113.86:8738 222.223.224.1:143
Sep 15 15:52:53 wall kernel: IP fw-fwd deny eth1 TCP 111.112.113.86:8794 222.223.224.2:143
Sep 15 15:52:53 wall kernel: IP fw-fwd deny eth1 TCP 111.112.113.86:8797 222.223.224.3:143
... [ hundreds omitted ]
Sep 15 15:52:53 wall kernel: IP fw-fwd deny eth1 TCP 111.112.113.86:8812 222.223.224.253:143
Sep 15 15:52:53 wall kernel: IP fw-fwd deny eth1 TCP 111.112.113.86:8739 222.223.224.254:143

Thank You.
--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Rick Ballard            Cell    : 902-483-0559
xwave solutions         Pager   : 902-458-6568
Halifax, Nova Scotia    Email   : Richard.Ballard () xwave com
Canada                  Timezone: Atlantic AST(GMT-4)/ADT(GMT-3)
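
The log excerpt above is the kind of evidence that makes a horizontal sweep (one source, one port, many destination hosts) obvious to a human reader. The script below, an added example that is not part of the original post, does the same thing mechanically: it parses ipchains-style "fw-fwd deny" lines in the format shown in the excerpt, groups denied packets by source, protocol and destination port, flags any source that touched a threshold number of distinct hosts on one port, and drafts a notice in the same tone as the one in the post. The sample log lines, the threshold of 16 hosts, and the small service-name table are constructed assumptions for the example, not data from the post.

```python
import re
from collections import defaultdict

# Matches one ipchains "fw-fwd deny" kernel log line in the layout shown in the post:
# "Sep 15 15:52:53 wall kernel: IP fw-fwd deny eth1 TCP 111.112.113.86:8738 222.223.224.1:143"
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: "
    r"IP (?P<chain>fw-\w+) (?P<action>\w+) (?P<iface>\S+) (?P<proto>[A-Z]+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample log (not real traffic): one host sweeping port 143 across
# twenty addresses, a second host retrying a single ssh port, and an unrelated
# kernel message that the parser must ignore.
SCANNER = "111.112.113.86"
SAMPLE_LINES = [
    f"Sep 15 15:52:53 wall kernel: IP fw-fwd deny eth1 TCP {SCANNER}:{8738 + i} 222.223.224.{i + 1}:143"
    for i in range(20)
] + [
    "Sep 15 15:53:10 wall kernel: IP fw-fwd deny eth1 TCP 10.9.8.7:40001 222.223.224.5:22",
    "Sep 15 15:53:11 wall kernel: IP fw-fwd deny eth1 TCP 10.9.8.7:40002 222.223.224.5:22",
    "Sep 15 15:53:12 wall kernel: eth1: link up",
]


def parse_line(line):
    """Return a dict of fields for a firewall log line, or None for any other line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def _ip_key(ip):
    # Numeric sort key so 222.223.224.2 sorts before 222.223.224.10.
    return tuple(int(octet) for octet in ip.split("."))


def find_sweeps(lines, min_targets=16):
    """Group denied packets by (src, proto, dport) and keep only sources that hit
    at least min_targets distinct destination hosts on one port. Many hosts on
    one port from one source is a horizontal sweep; one host retried many times
    (the 10.9.8.7 lines in the sample) is not, and is filtered out."""
    targets = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["action"] == "deny":
            targets[(rec["src"], rec["proto"], rec["dport"])].add(rec["dst"])
    return {key: sorted(dsts, key=_ip_key)
            for key, dsts in targets.items() if len(dsts) >= min_targets}


# Assumed service table used only to word the note; extend as needed.
SERVICE_NAMES = {21: "ftp", 22: "ssh", 25: "smtp", 53: "dns", 111: "sunrpc", 143: "imap"}


def draft_notification(src, proto, dport, lines, tz="Atlantic Daylight Time ( GMT-4 )", keep=3):
    """Draft a notice in the spirit of the post: state what was seen, treat the
    remote owner as a probable victim, give the timezone, and quote the first
    and last `keep` matching log lines with the middle elided."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["src"] == src and rec["proto"] == proto and rec["dport"] == dport:
            hits.append(line.strip())
    service = SERVICE_NAMES.get(dport, f"{proto.lower()}/{dport}")
    if len(hits) > 2 * keep:
        excerpt = hits[:keep] + [f"... [ {len(hits) - 2 * keep} omitted ]"] + hits[-keep:]
    else:
        excerpt = hits
    body = [
        "[ Subject: Compromised System ]", "",
        f"My network was scanned for {service} servers by someone from a host of yours "
        f"with IP address {src}. It is extremely likely that this machine has been "
        "compromised.", "",
        "Please check into this.", "",
        f"Here is an excerpt from my logs. Times are {tz}.", "",
        *excerpt, "",
        "Thank You.",
    ]
    return "\n".join(body)


if __name__ == "__main__":
    for (src, proto, dport), dsts in find_sweeps(SAMPLE_LINES).items():
        print(f"{src} swept {len(dsts)} hosts on {proto}/{dport}\n")
        print(draft_notification(src, proto, dport, SAMPLE_LINES))
```

The threshold is the important knob: a single denied packet proves nothing, and a handful of hits on one host is usually a misconfigured client rather than a scan, which is why the grouping counts distinct destination hosts per source and port rather than raw packet volume. Run against a real ipchains log, the draft is a starting point to send to postmaster and the whois contact, as the post describes.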

