From: Jay D. Dyson (jdyson@TREACHERY.NET)
Date: Wed Jan 24 2001 - 15:43:47 CST


    -----BEGIN PGP SIGNED MESSAGE-----

    On Wed, 24 Jan 2001, Alfred Huger wrote:

    > Does anyone on the list have a default template email they use to notify
    > admins of attacks from their networks?
    >
    > I would be interested in seeing them posted to the list (or to myself
    > directly if that's not possible).

            My template is pretty sparse compared to some. I stick with a
    "Jack Webb" approach (Just the facts, ma'am).

            I first receive the notice myself and, based on the severity of
    the scan or earnest nature of the attack, decide whether to forward it
    directly to the postmaster, abuse and security contacts, as well as
    those designated in the ARIN, APNIC, RIPE (et al.) database.

            As an example, I scanned an internal system and generated this
    report:

    On Wed Jan 24 13:12:06 2001, the following scan was noted:

    Connect from host: 192.168.10.201/192.168.10.201 to TCP port: 23
    Connect from host: 192.168.10.201/192.168.10.201 to TCP port: 79
    Connect from host: 192.168.10.201/192.168.10.201 to TCP port: 81
    Connect from host: 192.168.10.201/192.168.10.201 to TCP port: 109
    Connect from host: 192.168.10.201/192.168.10.201 to UDP port: 161

    The owner of the offending network is identified in ARIN as:

    IANA (IANA-CBLK-RESERVED)
       Internet Assigned Numbers Authority
       Information Sciences Institute
       University of Southern California
       4676 Admiralty Way, Suite 330
       Marina del Rey, CA 90292-6695

       Netname: IANA-CBLK1
       Netblock: 192.168.0.0 - 192.168.255.255

       Coordinator:
          Internet Corporation for Assigned Names and Numbers (IANA-ARIN) iana@IANA.ORG
          (310) 823-9358

       Domain System inverse mapping provided by:

       BLACKHOLE.ISI.EDU 128.9.64.26
       BLACKHOLE.EP.NET 198.32.1.116

       These blocks are reserved for special purposes.
       Please see RFC 1918 for additional information.

       Record last updated on 30-Aug-2000.
       Database last updated on 24-Jan-2001 07:54:28 EDT.

    The ARIN Registration Services Host contains ONLY Internet
    Network Information: Networks, ASN's, and related POC's.
    Please use the whois server at rs.internic.net for DOMAIN related
    Information and whois.nic.mil for NIPRNET Information.

    - -Jay

       ( ______
       )) .-- "There's always time for a good cup of coffee" --. >===<--.
     C|~~| (>------- Jay D. Dyson -- jdyson@treachery.net ------<) | = |-'
      `--' `------ ...You can have my absence of faith... ------' `-----'

    -----BEGIN PGP SIGNATURE-----
    Version: 2.6.2
    Comment: E-mail me for my PGP Public Key.

    iQCVAwUBOm9MmtCClfiU/BIVAQHqlwP/XmoWZ0GJ4jM8TmihCamYUeNTj/9P+HuU
    9KuEDmW7z41IQ6oGBRd4a6yoyaf+8Fe6dy1yOaA3mjxmLaWgH8E0YqO6d5bIY4eq
    DVNzec29NeAcfSAUQg88gHxcaNl4mgSvJBoCHnTNRuspulwvhOooSaHmLqmCh5wz
    yTJwAC9IRB8=
    =Nv+C
    -----END PGP SIGNATURE-----
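The procedure the message describes (take the scan record, identify the netblock owner, decide whom to notify, send just the facts), as an added example that is not part of the original post or the author's own tooling. It assumes the log format quoted in the message; the sixth log line, the whois record, the 203.0.113.0/24 stand-in for a routable source and the example.net contacts are all constructed, and no whois or DNS lookup is performed. The check it adds is the one the message's own example quietly demonstrates: a source in RFC 1918 space has no registry contact worth mailing, so the notice must not go out at all.

```python
"""Assemble a 'just the facts' scan notification from a scan log.

Added example, not the original poster's code. The log format is the one
quoted in the message; the log lines and whois record below are
constructed for this example (203.0.113.0/24 is documentation space
standing in for a routable source). No network lookups are performed,
so the caller supplies the whois text for each source.
"""
import ipaddress
import re

LOG_RE = re.compile(
    r"Connect from host: (?P<host>\S+)/(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"to (?P<proto>TCP|UDP) port: (?P<port>\d+)"
)

# Address space no registry or remote abuse desk can act on:
# the RFC 1918 private blocks plus loopback and link-local.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Constructed sample log: the five lines from the message plus one
# probe from a stand-in routable source.
SAMPLE_LOG = """\
Connect from host: 192.168.10.201/192.168.10.201 to TCP port: 23
Connect from host: 192.168.10.201/192.168.10.201 to TCP port: 79
Connect from host: 192.168.10.201/192.168.10.201 to TCP port: 81
Connect from host: 192.168.10.201/192.168.10.201 to TCP port: 109
Connect from host: 192.168.10.201/192.168.10.201 to UDP port: 161
Connect from host: scanner.example.net/203.0.113.7 to TCP port: 22
"""

# Constructed whois record for the stand-in source (hypothetical netblock).
SAMPLE_WHOIS = """\
Example Networks (EXAMPLE-NET)
   Netname: EXAMPLE-NET-1
   Netblock: 203.0.113.0 - 203.0.113.255

   Coordinator:
      Hostmaster, Example (EX-ARIN) hostmaster@example.net
"""


def parse_scan_log(text):
    """Group connect records by source IP: {ip: {"host": name, "hits": [(proto, port), ...]}}."""
    sources = {}
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # anything that is not a connect record is ignored
        entry = sources.setdefault(m["ip"], {"host": m["host"], "hits": []})
        entry["hits"].append((m["proto"], int(m["port"])))
    return sources


def is_non_routable(ip):
    """True for RFC 1918, loopback and link-local sources."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in NON_ROUTABLE)


def registry_contacts(whois_text):
    """E-mail addresses found in a whois record (real whois output keeps the '@')."""
    return sorted(set(re.findall(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+", whois_text)))


def role_contacts(host):
    """postmaster/abuse/security at the reverse-mapped domain; a bare IP yields nothing.
    Simplification: the domain is taken to be the last two labels."""
    labels = host.rstrip(".").split(".")
    if len(labels) < 2 or labels[-1].isdigit():
        return []
    domain = ".".join(labels[-2:])
    return [f"{role}@{domain}" for role in ("postmaster", "abuse", "security")]


def build_notice(seen_at, ip, entry, whois_text):
    """Return {"send": bool, "reason": str, "recipients": [...], "body": str}."""
    if is_non_routable(ip):
        return {"send": False,
                "reason": f"{ip} is not routable; the registry record only says "
                          "'see RFC 1918' and names no one to notify. Look for the "
                          "scanner on your own network or your upstream's.",
                "recipients": [], "body": ""}
    lines = [f"On {seen_at}, the following scan was noted:", ""]
    lines += [f"Connect from host: {entry['host']}/{ip} to {proto} port: {port}"
              for proto, port in entry["hits"]]
    lines += ["", "The owner of the offending network is identified in the registry as:",
              "", whois_text.rstrip()]
    recipients = role_contacts(entry["host"]) + registry_contacts(whois_text)
    return {"send": True,
            "reason": f"{len(set(entry['hits']))} distinct port(s) probed",
            "recipients": recipients, "body": "\n".join(lines)}


if __name__ == "__main__":
    # In practice one whois lookup per source; here the same constructed record is reused.
    for ip, entry in parse_scan_log(SAMPLE_LOG).items():
        notice = build_notice("Wed Jan 24 13:12:06 2001", ip, entry, SAMPLE_WHOIS)
        print(f"== {ip}: send={notice['send']} ({notice['reason']})")
        print(", ".join(notice["recipients"]) or "(no recipients)")
        print(notice["body"])
```

Run as-is it prints a refusal for 192.168.10.201 and a complete notice for the stand-in source addressed to the role accounts at example.net plus the coordinator from the whois record. The severity judgement the message leaves to the reader is reduced here to a count of distinct ports, which is the author's "just the facts" and nothing more.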