Security Incidents mailing list archives

Re: Template Admin Notification


From: "Irwin R. Naumann" <irwin () THINKAGE CA>
Date: Wed, 24 Jan 2001 12:02:51 -0500

From owner-incidents () SECURITYFOCUS COM  Wed Jan 24 11:19:54 2001
Approved-By: ah () SECURITYFOCUS COM
Delivered-To: incidents () lists securityfocus com
Delivered-To: incidents () securityfocus com
X-Sender:  <ah@mail>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Date:         Wed, 24 Jan 2001 08:09:38 -0800
Reply-To: Alfred Huger <ah () SECURITYFOCUS COM>
Sender: Incidents Mailing List <INCIDENTS () SECURITYFOCUS COM>
From: Alfred Huger <ah () SECURITYFOCUS COM>
Subject:      Template Admin Notification
To: INCIDENTS () SECURITYFOCUS COM
Content-Length: 262

Does anyone on the list have a default template email they use to notify
admins of attacks from their networks?

I would be interested in seeing them posted to the list (or to myself
directly if that's not possible).

Cheers,
-al

"Vae Victis"
SecurityFocus.com


Al, this is the template I use. I haven't gotten around to making a Perl
script to generate it yet.

-----------------
Addressed to <>

Dear coordinator,

There was suspicious activity directed to
hosts on Thinkage's
the DNS servers on Thinkage's
10.235.67.0  network
172.16.234.0 network
10.235.67 and 172.16.234 networks
originating from the IP address xx.yy.xx.yy
which is allocated to kkk.

Perhaps xx.yy.xx.yy has been spoofed, has a curious/malicious user, or
itself has been compromised.

The attempts occurred on month day, 2001 between start-time and end-time EDT.
(Eastern Daylight Time is Greenwich Mean Time minus 4 hours  GMT-0400.)
(Eastern Standard Time is Greenwich Mean Time minus 5 hours  GMT-0500.)

I have enclosed TCPDUMP logs of all the activity directed to/from
xx.yy.xx.yy. As you can see there is no legitimate IP traffic other
than the attempts to exploit weaknesses on port .

A followup to this message would be appreciated.

Irwin Naumann, System Administrator, Thinkage Ltd., Kitchener, Ontario
Canada  N2R  1H6     (519)895-1860 Ext. 203        irwin () thinkage com

-----------
I replace <> with the e-mail address of contact person in the "Addressed to"
field.

I choose one of the "hosts on Thinkage's" ... "10.235.67 and 172.16.234
networks".

ww.xx.yy.zz is the source IP address.

kkk is the data from a whois query.

month, day, year.

I choose one of the explanations of EDT or EST for !North American contacts.

------------

Contrived example:

Addressed to contact () example com

Dear coordinator,

There was suspicious activity directed to hosts on Thinkage's 172.16.234 network
originating from the IP address 192.0.2.219 which is allocated to
example.com

Example Ltd. (NET-EXAMPLE)
   1234 Main Street
   Nowhereville
   Ontario, Q2Q 3Z1
   CANADA

   Netname: EXAMPLE
   Netblock: 192.0.2.0 - 192.0.2.255

   Coordinator:
      Ontact, C (XXXX-ARIN)  contact () EXAMPLE COM
      +1 555 555 5555 x555

   Domain System inverse mapping provided by:

   NS1.EXAMPLE.COM              192.0.2.35
   NS.SOMEISP.NET               10.235.2.77

   Record last updated on 01-Nov-1993.
   Database last updated on 24-Jan-2001 07:54:28 EDT.

The ARIN Registration Services Host contains ONLY Internet
Network Information: Networks, ASN's, and related POC's.
Please use the whois server at rs.internic.net for DOMAIN related
Information and whois.nic.mil for NIPRNET Information.

Perhaps 192.0.2.219 has been spoofed, has a curious/malicious user, or
itself has been compromised.

The attempts occurred on January 23, 2001 between 14:07:00 and 14:07:09 EST.
(Eastern Standard Time is Greenwich Mean Time minus 5 hours  GMT-0500.)

I have enclosed TCPDUMP logs of all the activity directed to/from
192.0.2.219. As you can see there is no legitimate IP traffic other
than the attempts to exploit weaknesses on port 110.

A followup to this message would be appreciated.

Irwin Naumann, System Administrator, Thinkage Ltd., Kitchener, Ontario
Canada  N2R  1H6     (519)895-1860 Ext. 203        irwin () thinkage com

14:07:00.147015 64.4.14.76.3382 > 172.16.234.9.110: S 3002159064:3002159064(0) win 16384 <mss 1460,nop,nop,sackOK>
14:07:03.324522 64.4.14.76.3382 > 172.16.234.9.110: S 3002159064:3002159064(0) win 16384 <mss 1460,nop,nop,sackOK>
14:07:09.886300 64.4.14.76.3382 > 172.16.234.9.110: S 3002159064:3002159064(0) win 16384 <mss 1460,nop,nop,sackOK>
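A generator along the lines of the script the post mentions but never wrote, as an added example that is not the author's code: it parses tcpdump summary lines in the format attached above to pull out the source address, destination port and time window, then fills the posted template, adding the time-zone explanation only for contacts outside North America. The contact address, whois text, date and log lines are constructed sample values.

```python
import re
from collections import Counter
# Added example (not the poster's own script): fill the posted notification
# template from tcpdump summary lines.  All sample values are constructed.
TCPDUMP_RE = re.compile(
    r"^(\d\d:\d\d:\d\d)\.\d+ (\d+\.\d+\.\d+\.\d+)\.\d+ > (\d+\.\d+\.\d+\.\d+)\.(\d+):")
TZ_NOTE = {  # explanation the post appends for non-North-American contacts
    "EDT": "Eastern Daylight Time is Greenwich Mean Time minus 4 hours  GMT-0400.",
    "EST": "Eastern Standard Time is Greenwich Mean Time minus 5 hours  GMT-0500.",
}

def summarize(lines):
    """Return (src_ip, dst_port, start, end) for the dominant source address."""
    events = [m.groups() for m in map(TCPDUMP_RE.match, lines) if m]
    if not events:
        raise ValueError("no tcpdump lines parsed")
    src = Counter(e[1] for e in events).most_common(1)[0][0]
    hits = [e for e in events if e[1] == src]      # ignore replies/other traffic
    port = Counter(int(h[3]) for h in hits).most_common(1)[0][0]
    return src, port, hits[0][0], hits[-1][0]

def render(contact, network, whois, date, tz, lines, north_american=True):
    """Fill the template; the TZ explanation is only added for overseas contacts."""
    src, port, start, end = summarize(lines)
    body = [
        f"Addressed to {contact}", "", "Dear coordinator,", "",
        f"There was suspicious activity directed to hosts on Thinkage's {network} network",
        f"originating from the IP address {src} which is allocated to", whois, "",
        f"Perhaps {src} has been spoofed, has a curious/malicious user, or",
        "itself has been compromised.", "",
        f"The attempts occurred on {date} between {start} and {end} {tz}.",
    ]
    if not north_american:
        body.append(f"({TZ_NOTE[tz]})")
    body += ["", "I have enclosed TCPDUMP logs of all the activity directed to/from",
             f"{src}. As you can see there is no legitimate IP traffic other",
             f"than the attempts to exploit weaknesses on port {port}.", "",
             "A followup to this message would be appreciated.", ""]
    return "\n".join(body + list(lines))

# Constructed sample: three SYNs to the POP3 port, in tcpdump's summary format.
SAMPLE = [
    "14:07:00.147015 192.0.2.219.3382 > 172.16.234.9.110: S 3002159064:3002159064(0) win 16384",
    "14:07:03.324522 192.0.2.219.3382 > 172.16.234.9.110: S 3002159064:3002159064(0) win 16384",
    "14:07:09.886300 192.0.2.219.3382 > 172.16.234.9.110: S 3002159064:3002159064(0) win 16384",
]

if __name__ == "__main__":
    print(render("contact@example.com", "172.16.234", "example.com",
                 "January 23, 2001", "EST", SAMPLE, north_american=False))
```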

