  jp Premium join:2000-05-18 Fountain Hills, AZ
Report formats to ISPs
How do most of you format your probe/hack reports to ISPs? Anyone using a template that seems to get good responses from ISPs?
I have been doing some cutting and pasting of info into blank emails but it would be nice to see what others are doing.
-- Argue for your limitations, and sure enough, they are yours
Gigantopithi join:2000-08-08 Homewood, IL
Pizzicar:
Below is what I have been using recently for netbios (port 137) connection attempts. So far, out of about sixty abuse letters this week, I have received five personal responses back. Most of the time, regardless of how you word the e-mail, you will get an automated response. What is important, however, is that you include the suspect log entries, that you state your time zone, and that you consider what is going on to be a security threat.
Subject: Possible hack (or worm/trojan infection): One of your customers is looking for netbios entry point to my computer
Body: Dear SomeISP System Administrator,
Today there were several attempts coming from one of your ip addresses to connect to my netbios port (137) on my firewall. There is ABSOLUTELY NO REASON why someone from your ip address should attempt a connection to my netbios (the port doesn't exist on my linux gateway/firewall). Given that the netbios port is a frequently hacked port, I believe that this may have been an unsophisticated hack attempt. Another explanation could be that your customer is infected with a worm or trojan. While I feel comfortable that no damage was done, it still concerns me. As you know, we must always take security and possible break-in attempts very seriously. Therefore, I am sending you the pertinent information below as collected in my logs to aid in your investigation. Thank you for your assistance in this important matter. Please note that the time of day is Central (US) time.
Sincerely, Gig
---------paste log entry here-------------------
Nov 12 06:47:32 kernel: Packet log: input REJECT eth0 PROTO=17 213.xxx.xxx.xxx:1041 216.xxx.xxx.xxx:137 L=78 S=0x00 I=29465 F=0x0000 T=44 (#81)
Nov 12 06:47:37 kernel: Packet log: input REJECT eth0 PROTO=17 213.xxx.xxx.xxx:1041 216.xxx.xxx.xxx:137 L=78 S=0x00 I=32537 F=0x0000 T=44 (#81)
Nov 12 06:47:51 kernel: Packet log: input REJECT eth0 PROTO=17 213.xxx.xxx.xxx:1041 216.xxx.xxx.xxx:137 L=78 S=0x00 I=37401 F=0x0000 T=44 (#81)
Nov 12 06:48:17 kernel: Packet log: input REJECT eth0 PROTO=17 213.xxx.xxx.xxx:1041 216.xxx.xxx.xxx:137 L=78 S=0x00 I=40473 F=0x0000 T=44 (#81)
Nov 12 06:48:52 kernel: Packet log: input REJECT eth0 PROTO=17 213.xxx.xxx.xxx:1041 216.xxx.xxx.xxx:137 L=78 S=0x00 I=44057 F=0x0000 T=44 (#81)
-- ***your friendly neighborhood linux dood***
[text was edited by author 2000-11-12 20:08:06]
  jp Premium join:2000-05-18 Fountain Hills, AZ
Gigantopithicus (almost broke my keyboard on that one)
Very nice layout - Thanks for taking the time!
John
-- Argue for your limitations, and sure enough, they are yours
Gigantopithi join:2000-08-08 Homewood, IL
Just call me Gig
2kmaro Think Premium,ExMod 1 BC join:2000-07-11 ColossalCave
As said by the Big G: the important things are copies of your log entries (which make some firewalls, such as HackTracer, hard if not impossible to use); if the time is other than GMT you must indicate it unless that info is part of the log entries. You should state that you consider it to be suspicious or such in its nature, and if you have a clue as to what is going on, I include it to give some of the clueless ISPs a little help.
Here is the 'standard' format my own homebuilt reporting tool generates and sends. Boldface type are the 'variable' pieces of it, the items that may change (or even not be included) depending on the circumstances.
-----------------------
Dear Sir or Ms.,
My firewall provided information about an attempted intrusion into my system from an IP that it appears you provide ISP service for. I consider the attempted intrusion suspicious and request that you investigate it in accordance with your Acceptable Use Policy or Terms of Service agreement or other use management documents as appropriate.
The user was identified via reverse DNS lookup as: port-64-1953272-daa21266iml001.devices.datareturn.net
PLEASE NOTE - I have records of 2 PRIOR attempted intrusions from this IP.
The details of the intrusion attempt(s) are as follow:
SOURCE/INTRUDER IP: 64.29.205.248
ZoneAlarm Basic Logging Client v2.1.44 Windows NT-5.0.2195-Service Pack 1-SP
type,date,time,source,destination,transport
FWIN,2000/11/12,11:59:38 -6:00 GMT,64.29.205.248:20,24.14.xx.xx:1566,TCP
If I can be of any further assistance in this matter, please do not hesitate to contact me.
Message content prepared using ZAAP v4.0.0 from ZoneAlarm log file.
---------------------
[text was edited by author 2000-11-13 04:17:23]
  Ryokincaid Dread Pirate Roberts Premium,ExMod 2001-04 join:2000-08-28 Bellflower, CA
Hey 2kmaro.....shouldn't you edit your IP address out of that report?
Just checking.... 
Ryo
-- "Put your hand on a hot stove for a minute, and it seems like an hour. Sit with a pretty girl for an hour, and it seems like a minute. THAT'S relativity." - Albert Einstein
ATLJ Go Braves Premium join:1999-12-24 Atlanta, GA
reply to jp: I use ZoneLog Analyzer along with ZoneAlarm and it generated the following e-mail. It has worked well so far...
To whom it may concern,
It appears that my system has been under attack from a would-be intruder using your server. Please consider investigating this incident. I have included all available information below:
Date: 11/6/2000
Time: 6:03:38 AM -5:00 GMT
Transport: UDP
From: 24.68.58.88 (24.68.58.88.on.wave.home.com) Port: 137
To: 24.88.XXX.XXX Port: 137
Firewall log entry:
type,date,time,source,destination,transport
FWIN,11/6/2000,6:03:38 AM -5:00 GMT,24.68.58.88:137,24.88.XXX.XXX:137,UDP
The above information supplied by Zone Lab's ZoneAlarm personal firewall. Report generated by ZoneLog Analyser, http://zonelog.co.uk
  jp Premium join:2000-05-18 Fountain Hills, AZ
I will have to check out ZoneLog Analyzer. I have seen it referenced but have not looked at it yet. I am STILL waiting for DSL installation (I joined in May - what does that tell you) so I am not using ZA right now, just Black Ice. Based on recent threads in this forum, I think it's high time to get ZA on regardless of connection type.
Thanks for the input.
John
-- Argue for your limitations, and sure enough, they are yours
2kmaro Think Premium,ExMod 1 BC join:2000-07-11 ColossalCave
reply to Ryokincaid: My IP is static and anyone with the skill to read an email message header from me or anyone who has a site I go to gets it anyhow. But, you are correct, it was careless of me to make it more available than necessary. Thanks.
NEW FORMAT: I just encountered a new situation this evening. I'd had a port scan/probe from IP registered to Casema.net (in the Netherlands). I sent off the usual form complaint. I got a response back that I needed to submit via their site, with link to the appropriate page. Very friendly treatment there as they provide an English translation of their Dutch text. The only unusual part of the request was the date/time of the log entry (yes, they also want a copy of the original entry in cut-and-paste form) in GMT. Had to do a little math there - adding back the -6 offset, which also changed the date for this particular entry. Just something else people can learn to expect.
[text was edited by author 2000-11-13 05:25:16]
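A worked version of what 2kmaro's homebuilt tool and ZoneLog Analyzer do, added here as an example; it is not code from either tool, from ZAAP, or from Zone Labs. It parses ZoneAlarm FWIN lines in both layouts quoted in this thread (2kmaro's `2000/11/12,11:59:38 -6:00 GMT` and ATLJ's `11/6/2000,6:03:38 AM -5:00 GMT`), converts every timestamp to GMT the way the Casema abuse desk asks for it (including the date rollover 2kmaro ran into), counts earlier hits from the same source as PRIOR attempts, and renders a report in the shape of 2kmaro's template. The sample log is constructed for the example with masked destination addresses; the report wording and the `rdns` parameter (the reverse-DNS name, supplied by the caller because the script does no network lookups) are assumptions, not anything the tools on this page actually emit.

```python
"""Turn ZoneAlarm FWIN log lines into an ISP abuse report with every
timestamp normalised to GMT.  Added example for this thread; not ZAAP,
not ZoneLog Analyzer, not anything Zone Labs shipped.  Sample log lines
are constructed and the destination addresses are masked."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# ZoneAlarm's time field in both layouts quoted in the thread:
#   "11:59:38 -6:00 GMT"    (24-hour clock, date written 2000/11/12)
#   "6:03:38 AM -5:00 GMT"  (12-hour clock, date written 11/6/2000)
# "-6:00 GMT" is the reporter's offset FROM GMT; the clock value is local.
TIME_RE = re.compile(
    r"^(?P<hms>\d{1,2}:\d{2}:\d{2})(?: (?P<ampm>AM|PM))? "
    r"(?P<sign>[+-])(?P<oh>\d{1,2}):(?P<om>\d{2}) GMT$"
)


@dataclass(frozen=True)
class Event:
    kind: str            # FWIN / FWOUT
    when_utc: datetime   # converted to UTC, date rollover included
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    raw: str             # original line, pasted verbatim into the report


def _parse_date(field: str):
    # y/m/d when the first component is a four-digit year, else m/d/y
    fmt = "%Y/%m/%d" if len(field.split("/")[0]) == 4 else "%m/%d/%Y"
    return datetime.strptime(field, fmt).date()


def parse_event(line: str) -> Event:
    kind, date_s, time_s, src, dst, proto = line.strip().split(",")
    m = TIME_RE.match(time_s)
    if m is None:
        raise ValueError(f"unrecognised ZoneAlarm time field: {time_s!r}")
    clock = datetime.strptime(
        m["hms"] + (f" {m['ampm']}" if m["ampm"] else ""),
        "%I:%M:%S %p" if m["ampm"] else "%H:%M:%S",
    ).time()
    offset = timedelta(hours=int(m["oh"]), minutes=int(m["om"]))
    if m["sign"] == "-":
        offset = -offset
    # Attach the logged offset, then let datetime do the GMT arithmetic
    # (this is what moves 20:30 -6:00 onto the next calendar day in GMT).
    local = datetime.combine(_parse_date(date_s), clock, tzinfo=timezone(offset))
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return Event(kind, local.astimezone(timezone.utc), src_ip, int(src_port),
                 dst_ip, int(dst_port), proto, line.strip())


def parse_log(text: str) -> list[Event]:
    """Parse a ZoneAlarm log, skipping the banner and the CSV header line."""
    return [parse_event(l) for l in text.splitlines() if l.startswith("FW")]


def abuse_report(events: list[Event], suspect_ip: str, rdns: str | None = None) -> str:
    """Report for one source IP: newest hit is the incident, older hits are
    counted as PRIOR attempts, all times given in GMT, raw lines appended."""
    hits = sorted((e for e in events if e.src_ip == suspect_ip), key=lambda e: e.when_utc)
    if not hits:
        raise ValueError(f"no events from {suspect_ip}")
    incident, prior = hits[-1], hits[:-1]
    out = [
        "Dear Sir or Madam,",
        "",
        "My firewall logged an attempted intrusion into my system from an IP "
        "address that appears to be in your network. I consider it suspicious "
        "and ask that you investigate it under your Acceptable Use Policy.",
        "",
        f"SOURCE/INTRUDER IP: {incident.src_ip}",
    ]
    if rdns:
        out.append(f"Reverse DNS: {rdns}")
    if prior:
        out.append(f"PLEASE NOTE - I have records of {len(prior)} PRIOR attempted "
                   f"intrusion(s) from this IP, the earliest at "
                   f"{prior[0].when_utc:%Y-%m-%d %H:%M:%S} GMT.")
    out += [
        "",
        f"Time of incident (GMT): {incident.when_utc:%Y-%m-%d %H:%M:%S}",
        f"Target: {incident.dst_ip} port {incident.dst_port}/{incident.proto}",
        "",
        "Original firewall log entries (local time as logged, offset from GMT shown):",
        "type,date,time,source,destination,transport",
    ]
    out += [e.raw for e in hits]
    out += ["", "If I can be of any further assistance, please do not hesitate to contact me."]
    return "\n".join(out)


# Constructed sample: both ZoneAlarm layouts from the thread plus one
# late-evening entry whose GMT date is the NEXT day (2kmaro's rollover case).
SAMPLE_LOG = """\
ZoneAlarm Basic Logging Client v2.1.44 Windows NT-5.0.2195-Service Pack 1-SP
type,date,time,source,destination,transport
FWIN,2000/11/10,20:30:00 -6:00 GMT,64.29.205.248:20,24.14.xx.xx:1566,TCP
FWIN,11/6/2000,6:03:38 AM -5:00 GMT,24.68.58.88:137,24.88.xx.xx:137,UDP
FWIN,2000/11/11,09:15:02 -6:00 GMT,64.29.205.248:20,24.14.xx.xx:1566,TCP
FWIN,2000/11/12,11:59:38 -6:00 GMT,64.29.205.248:20,24.14.xx.xx:1566,TCP
"""

if __name__ == "__main__":
    print(abuse_report(parse_log(SAMPLE_LOG), "64.29.205.248"))
```

Run it as a script and it prints the report for 64.29.205.248 with two PRIOR attempts and the incident time as 17:59:38 GMT; the 20:30 -6:00 entry comes out as 02:30 on the following day, which is exactly the date change 2kmaro had to work out by hand. The raw lines are kept untouched below the GMT times so the ISP gets both the cut-and-paste entries and an unambiguous timestamp.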
jaykaykay 4 Ever Young Premium,MVM join:2000-04-13 Scottsdale, AZ
Hmmmmmmm. Had the same thing from the same IP and did as was asked within their site. However, I didn't even think of having to change the date/time from my log! They got it the way I saw it. I hope that I will recall your suggestion of making those changes the next time.
-- JKK
Age is a very high price to pay for my maturity, so if I can't stay young, I can at least stay immature!
2kmaro Think Premium,ExMod 1 BC join:2000-07-11 ColossalCave
They ask for date/time of incident in one place and then for cut-and-paste of log entries in another. I imagine they'll figure it out from ZA's log content. I would suspect that they ask for date/time separately for any log entries that might not contain that info - although I don't know of any like that.
So you got a reach out and touch somebody from the Netherlands also - - - verrrry interrrrrestink! ;)
jaykaykay 4 Ever Young Premium,MVM join:2000-04-13 Scottsdale, AZ
Interrrrrestink is correct. Mine came in on 11-06. I got this reply in response to my message:
"Dear Sir/Madam,
195.96.xx.xxx is a machine of ours, which frequently sends out an icmp packet (a ping) to see if there are people online in our domain. I find it very strange that this machine sends you an icmp, but nevertheless it is completely harmless.
sincerely yours,
Casema Abusedesk"
Although I felt like making a reply to them other than thanking them for their response, I didn't.
-- JKK
Age is a very high price to pay for my maturity, so if I can't stay young, I can at least stay immature!
[text was edited by author 2000-11-14 16:19:18]
  wheelert$93 T L C ExMod 2002 join:2000-06-01 Lynden, ON
Responses like that get me to diggin' and the next message I fire off is to THEIR provider.
-- "Rome did not create a great empire by having meetings. They did it by killing all those who opposed them."
jaykaykay 4 Ever Young Premium,MVM join:2000-04-13 Scottsdale, AZ
Well, here's one for you and anyone else that would like to do so. See who this message should be sent to, if you would. I have been to SpamCop, ARIN, APNIC, etc. I am at a loss. I sent it off to the one listed on SpamCop, but that one just struck me as weird.
FWIN,2000/11/14,14:16:24 -7:00 GMT,61.134.34.53:137,xx.xx.xx.xx:137,UDP
-- JKK
Age is a very high price to pay for my maturity, so if I can't stay young, I can at least stay immature!
  wheelert$93 T L C ExMod 2002 join:2000-06-01 Lynden, ON
UGH! I hate those! That one came from China. What I do with those is complain to the last hop in North America before it heads across the Pacific. It's my experience that there's no hope for addresses there. The servers are full of holes and it's a spammer's heaven. ACK!
-- "Rome did not create a great empire by having meetings. They did it by killing all those who opposed them."
jaykaykay 4 Ever Young Premium,MVM join:2000-04-13 Scottsdale, AZ
Thanks. That might be an answer to at least help me with my frustration when one of those shows up. There are so many of them, actually, between Korea, China, etc.
What do you think of this one, out of curiosity? Luv picking good brains. 4.2.35.145
-- JKK
Age is a very high price to pay for my maturity, so if I can't stay young, I can at least stay immature!
2kmaro Think Premium,ExMod 1 BC join:2000-07-11 ColossalCave
I ran 4.2.35.145 through SpamCop and got this:
User ID: burlma1-sshare1.gtei.net
ISP abuse address: abuse@genuity.net
-- The only virus on my computer is Windows.
jaykaykay 4 Ever Young Premium,MVM join:2000-04-13 Scottsdale, AZ
You know, so did I! Sorry, another brain drain. Don't know what my problem was. Had the message all addressed and ready to go, but something about it just didn't look right. Heaven only knows why now. I did however have an opportunity to follow wheelert's advice...and yours in another post, I believe I recall, to message the last North American IP for probes coming from China. I just had another one, and I sent my message to UU.NET/ALTER.NET, for all the world that will do.
-- JKK
Age is a very high price to pay for my maturity, so if I can't stay young, I can at least stay immature!