Security Basics mailing list archives

RE: what should I do when....


From: "Rivest, Philippe" <PRivest () transforce ca>
Date: Fri, 4 Jul 2008 10:42:51 -0400

What you should have done was follow your internal procedure for
this kind of "suspicious activity". If you don't have one, one should be
created and approved.

Anyhow, doing preliminary research is very good and not too
time-consuming. Your next step should be to contact:

1- The company that is probing you, and give them the information you have:
what kind of "attack" you have, since when and from where.

2- Advise that company to investigate and remediate the "disturbing
event". Tell them to contact you for info & upon completion.

3- Lastly, if this gets out of hand, I would suggest thinking of the ISP level,
as they are also responsible for some level of protection (if this is abusive,
for example).

Anything you do should be documented, with evidence of the actions and
recommendations you make & take. This is very important to have, as it shows you
did everything you could with due care and in a timely manner. Keep this
evidence and back it up.

Merci / Thanks
Philippe Rivest, CEH
Internal Information Security Auditor
Email: Privest () transforce ca
Phone: (514) 331-4417
www.transforce.ca

You could print this email, but it does take a long time to grow trees.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On behalf of Jorge L. Vazquez
Sent: 3 July 2008 22:05
To: security-basics; security-basics-sc.1207759308.halobnafecliebdpegpn-Jlvazquez825=gmail.com@securityfocus.com; security focus listbounce
Subject: what should I do when....

For the last 2 days I've been getting lots of connection attempts in my
firewall logs (IPCop firewall) from a specific IP based in Canada. The
log is showing:

NEW not SYN?

It seems that someone is trying to initiate a connection, or maybe a
scan. Although the good thing is that the firewall is detecting them and
therefore stopping them, I'm getting worried about hacker activity. I've
already done an IP lookup and a DNS whois query; both of those point to an IP
and host in Canada. It seems to be a company, as I got their public
website and also their private network..... Could anyone advise me what the
proper course of action is in this case?....

thanks
Jorge L. Vazquez
www.pctechtips.org
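An added example (not code from either poster) of the evidence gathering Philippe recommends, run over the kind of "NEW not SYN?" firewall lines Jorge describes: it summarises, per source address, how many hits there were, since when, and against which ports, which is exactly the "what kind, since when and from where" to document and hand to the remote company. It assumes IPCop writes its iptables log entries in the netfilter LOG-target key=value syslog style; the sample lines and addresses below are constructed.

```python
import re
from datetime import datetime

# Constructed sample syslog lines in netfilter LOG-target key=value style (the
# format IPCop's iptables rules write); addresses are documentation ranges.
SAMPLE_LOG = """\
Jul  3 21:40:02 ipcop kernel: NEW not SYN? IN=eth1 OUT= SRC=203.0.113.7 DST=192.168.1.2 LEN=40 PROTO=TCP SPT=54321 DPT=445 WINDOW=0 RES=0x00 ACK RST URGP=0
Jul  3 21:40:09 ipcop kernel: NEW not SYN? IN=eth1 OUT= SRC=203.0.113.7 DST=192.168.1.2 LEN=40 PROTO=TCP SPT=54322 DPT=139 WINDOW=0 RES=0x00 ACK RST URGP=0
Jul  3 22:01:15 ipcop kernel: INPUT:DROP IN=eth1 OUT= SRC=198.51.100.9 DST=192.168.1.2 LEN=44 PROTO=TCP SPT=3344 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jul  4 08:12:44 ipcop kernel: NEW not SYN? IN=eth1 OUT= SRC=203.0.113.7 DST=192.168.1.2 LEN=40 PROTO=TCP SPT=54400 DPT=445 WINDOW=0 RES=0x00 ACK URGP=0
"""

# syslog timestamp, host, "kernel:", then the rule's log prefix up to the first IN= field
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<prefix>.*?) IN=")
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")  # IN=, SRC=, DPT=, ...; bare flags (SYN, ACK) are skipped

def parse_line(line):
    """Return the timestamp, log prefix and key=value fields of one line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": m.group("ts"), "prefix": m.group("prefix").strip(), **dict(KV_RE.findall(line))}

def summarize(log_text, prefix="NEW not SYN?", year=2008):
    """Per source address: hit count, first/last seen, protocols and destination ports."""
    report = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["prefix"] != prefix or "SRC" not in rec:
            continue
        ts = datetime.strptime(f"{year} {rec['ts']}", "%Y %b %d %H:%M:%S")  # syslog carries no year
        e = report.setdefault(rec["SRC"], {"count": 0, "first": ts, "last": ts, "ports": set(), "protos": set()})
        e["count"] += 1
        e["first"], e["last"] = min(e["first"], ts), max(e["last"], ts)
        e["protos"].add(rec.get("PROTO", "?"))
        e["ports"].add(rec.get("DPT", "?"))
    return report

def format_report(report, prefix="NEW not SYN?"):
    """Render the evidence as the text you would keep and send to the remote site's contact."""
    out = []
    for src, e in sorted(report.items(), key=lambda kv: -kv[1]["count"]):
        out.append(f"{src}: {e['count']} '{prefix}' entries from {e['first']:%Y-%m-%d %H:%M} to "
                   f"{e['last']:%Y-%m-%d %H:%M}, proto {','.join(sorted(e['protos']))}, "
                   f"dst ports {','.join(sorted(e['ports']))}")
    return "\n".join(out)

if __name__ == "__main__":
    print(format_report(summarize(SAMPLE_LOG)))
```

Point it at your own /var/log/messages (or the IPCop firewall log export) instead of SAMPLE_LOG, and keep the generated summary with the raw lines as the dated evidence Philippe describes.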