Security Incidents mailing list archives

Re: Template Admin Notification


From: Kent Engström <kent () UNIT LIU SE>
Date: Thu, 25 Jan 2001 00:08:04 +0100

Alfred Huger <ah () SECURITYFOCUS COM> writes:

> Does anyone on the list have a default template email they use to notify
> admins of attacks from their networks?
>
> I would be interested in seeing them posted to the list (or to myself
> directly if that's not possible).

I use the following header for almost all complaints:

   The following incident was recorded in our log files.
   
   The occurrence of this probe suggests that one of your computers has
   been cracked, or that one of your users is misbehaving.  Please
   investigate the incident.
   
   Log excerpts (times are in CET = UTC+1):


Often, I add some extra boilerplate for the common scans of port 111,
port 21, etc if the ultimate recipient is not likely to be an ISP or
something similar. Example:

   [+]  BACKGROUND INFORMATION ON PORT 111 (PORTMAP)
   [+]  
   [+]  A scan for portmappers (port 111 TCP/UDP) is most likely done in order
   [+]  to exploit one or several of the known exploits for RPC services
   [+]  (rpc.statd, sadmind, etc). Such exploits give the intruder root
   [+]  access to the compromised ("cracked") host.
   [+]  
   [+]  For the time being, one of the most likely reasons for portmapper
   [+]  scanning is in preparation for exploiting rpc.statd on Linux boxes. See:
   [+]  
   [+]     http://www.cert.org/advisories/CA-2000-17.html
   [+]  
   [+]  If a host on your network is used to scan for portmappers, it most
   [+]  likely means that the host is compromised ("cracked") by somebody, or
   [+]  that a local user is stupid enough to run a vulnerability scanner on
   [+]  his own host. In either case, you should investigate.


Another interesting question is what addresses to use. My fuzzy ruleset
is something like:

- Check PTR for the IP. Mail abuse@domain where domain comes from
  this, but is not too low down that it's likely to be cracked
  (e.g. abuse () company com, not abuse () linuxserver foo company com)
  
  If the domain is a big ISP or similar, then I'm done. Otherwise:

- Add postmaster@domain too.

- Check ARIN/RIPE/APNIC/KRNIC for additional contact addresses.

- Add cert () certcc or kr if the domain ends in .kr

- If it appears necessary, do a traceroute, then add abuse@ immediate
  upstream ISP.


Regards,

-- 
Kent Engström,          Linköping University Incident Response Team
kent () unit liu se     abuse () liu se
+46 13 28 1744

UNIT, Linköping University; SE-581 83  LINKÖPING; SWEDEN


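The template and the address-selection ruleset above, put together as one runnable script. This is an added example, not code from the original post or from the Linköping IRT: the PTR table, the "big ISP" set, the upstream-free ruleset, the log lines and the abbreviated port 111 note are all constructed stand-ins for the DNS, whois and traceroute lookups the post does by hand, and the domain-climbing rule (keep two labels, three under a ccTLD with a generic second level such as co.kr) is a heuristic of mine, not something the post specifies. Log timestamps are assumed to be in UTC and are rewritten in CET so the excerpt matches what the header promises.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
CET = timezone(timedelta(hours=1))  # the post's "CET = UTC+1" (no DST in January)

HEADER = """\
The following incident was recorded in our log files.

The occurrence of this probe suggests that one of your computers has
been cracked, or that one of your users is misbehaving.  Please
investigate the incident.

Log excerpts (times are in CET = UTC+1):
"""

# Per-port boilerplate, abbreviated from the port 111 text in the post.
PORT_NOTES = {
    111: "[+]  BACKGROUND INFORMATION ON PORT 111 (PORTMAP)\n"
         "[+]  A scan for portmappers (port 111 TCP/UDP) is most likely done in\n"
         "[+]  order to exploit known RPC service holes (rpc.statd, sadmind, etc).\n"
         "[+]  See http://www.cert.org/advisories/CA-2000-17.html\n",
}

# Constructed stand-ins for the DNS and whois lookups (hypothetical hosts
# in RFC 2606 reserved names); a real script would query DNS/RIR whois.
PTR = {
    "192.0.2.45":   "linuxserver.foo.example.com",
    "198.51.100.7": "dsl-7.pool.isp.example",
    "203.0.113.9":  "host9.lab.example.kr",
}
BIG_ISPS = {"isp.example"}  # assumption: abuse@ alone is enough for these
GENERIC_2LD = {"co", "or", "ac", "ne", "go", "com", "net", "org"}  # under ccTLDs


def registrable_domain(hostname: str) -> str:
    """Climb from the PTR name to a domain high enough that it is unlikely to
    be the cracked box itself (abuse@company.com, not abuse@linuxserver...).
    Heuristic: keep two labels, or three when the TLD is a two-letter ccTLD
    and the second-level label is generic (co.kr, ac.uk, ...)."""
    labels = hostname.rstrip(".").lower().split(".")
    keep = 2
    if len(labels[-1]) == 2 and len(labels) >= 3 and labels[-2] in GENERIC_2LD:
        keep = 3
    return ".".join(labels[-keep:])


def recipients(ip: str) -> list:
    """Apply the post's ruleset: abuse@domain; stop there for a big ISP;
    otherwise add postmaster@ and, for .kr, the Korean CERT."""
    host = PTR.get(ip)
    if host is None:
        return []  # no PTR: fall back to whois contacts (not modelled offline)
    dom = registrable_domain(host)
    to = ["abuse@" + dom]
    if dom in BIG_ISPS:
        return to
    to.append("postmaster@" + dom)
    if dom.endswith(".kr"):
        to.append("cert@certcc.or.kr")
    return to


def to_cet(line: str) -> str:
    """Constructed log format: '<ISO-8601 UTC timestamp>Z <message>'.
    Rewrite the timestamp in CET so it matches the header's statement."""
    stamp, _, msg = line.partition(" ")
    t = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=UTC)
    return t.astimezone(CET).strftime("%Y-%m-%d %H:%M:%S CET ") + msg


def build_complaint(ip: str, log_lines: list, port=None) -> dict:
    """Return the recipient list and the complaint body for one offending IP."""
    body = HEADER + "\n" + "\n".join("   " + to_cet(ln) for ln in log_lines) + "\n"
    if port in PORT_NOTES:
        body += "\n" + PORT_NOTES[port]
    return {"to": recipients(ip), "body": body}


# Constructed firewall log excerpt of a portmap probe, not from the post.
SAMPLE_LOG = [
    "2001-01-24T23:15:02Z fw1 kernel: DENY TCP 192.0.2.45:4567 -> 10.0.0.12:111",
    "2001-01-24T23:15:02Z fw1 kernel: DENY UDP 192.0.2.45:4568 -> 10.0.0.12:111",
]

if __name__ == "__main__":
    mail = build_complaint("192.0.2.45", SAMPLE_LOG, port=111)
    print("To:", ", ".join(mail["to"]))
    print(mail["body"])
```

The one thing worth keeping from this beyond the ruleset is the timestamp handling: a complaint whose header says "times are in CET" while the excerpt is pasted from a UTC syslog is off by an hour, and the remote admin will look at the wrong hour of their own logs.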