[Dshield] [isn@c4i.org: [ISN] Early Bird: A realtime Code Red attempt reporting utility.]

Bruce Lilly blilly at erols.com
Thu Aug 9 14:59:56 GMT 2001


> Date: Thu, 9 Aug 2001 14:24:06 +0200
> From: Patrick Oonk <patrick at pine.nl>
> To: dshield at dshield.org
> Subject: [Dshield] [isn at c4i.org: [ISN] Early Bird: A realtime Code Red attempt reporting utility.]
> Reply-To: dshield at dshield.org
> 
> ----- Forwarded message from InfoSec News <isn at c4i.org> -----
> From: InfoSec News <isn at c4i.org>
> 
> [Pinched from another list...  :)   - WK]
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> 
> TITLE   : EARLY BIRD -- A realtime Code Red attempt reporting utility
> AUTHOR  : Jay D. Dyson <jdyson at treachery.net>
> VERSION : 1.0 (Released 08/09/2001)
[...] 
> The text of the message sent out with each exploit attempt is thus:
> 
> -----
> 
> You are receiving this notice since your domain is listed as the
> primary contact in the American Registry of Internet Numbers (ARIN).
> 
> The following Code Red intrusion attempt was mad against our system.
> 
>         ADDRESS: (IP address of offending system)
>         ATTEMPT: (Full URI requested)
> 
> Please advise your user that their system has been compromised and is
> being actively utilized as an attack launchpoint against other
> systems.
> 
> Thank you for your prompt attention to this matter.
> 
> -----
> 
> With this information alone, the recipient admin will be able to not
> only identify the offending system on their network, but will have
> sufficient evidence in the quoted URI that an exploit attempt was
> indeed made.
[...]

Nope. Insufficient information. In the case of DHCP, you need to provide
an accurate time stamp as well, or it may be impossible to identify the
machine responsible (IP address is insufficient).  P.S. "mad" should be
"made".  P.P.S. ARIN only works for some domains; it may be necessary
to consult RIPE, APNIC, JPNIC, KRNIC, etc.
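As an added example that is not part of the original thread: a small Python script that pulls the client IP, a UTC-normalised time stamp and the requested URI out of constructed web-server log lines and renders the notice with the time field the reply above says is missing. The `/default.ida` marker used to pick out Code Red probes comes from general knowledge of the worm, not from the post; the log lines and addresses are constructed samples.

```python
import re
from datetime import datetime, timezone

# NCSA common log format (Apache default): ip ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (not from the original post). Code Red probed /default.ida
# with a long filler query string; the first line imitates that, the second is benign.
SAMPLE_LOG = [
    '198.51.100.23 - - [09/Aug/2001:14:24:06 +0200] "GET /default.ida?NNNNNNNNNNNNNNNN HTTP/1.0" 404 0',
    '203.0.113.7 - - [09/Aug/2001:14:25:10 +0200] "GET /index.html HTTP/1.0" 200 1043',
]

def parse_log_line(line):
    """Extract client IP, UTC time stamp and requested URI; None if the line does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    # The log time carries the server's local offset; normalise to UTC so the
    # receiving admin can match it against their own DHCP lease records.
    ts = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m.group("ip"),
        "timestamp_utc": ts.astimezone(timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
        "uri": m.group("uri"),
    }

def find_attempts(lines, marker="/default.ida"):
    """Return parsed events whose URI contains the Code Red marker."""
    events = [parse_log_line(line) for line in lines]
    return [e for e in events if e is not None and marker in e["uri"]]

def build_notice(event):
    """Render the Early Bird notice extended with the time stamp the reply asks for."""
    return (
        "The following Code Red intrusion attempt was made against our system.\n\n"
        f"        ADDRESS: {event['ip']}\n"
        f"        TIME   : {event['timestamp_utc']}\n"
        f"        ATTEMPT: {event['uri']}\n"
    )

if __name__ == "__main__":
    for event in find_attempts(SAMPLE_LOG):
        print(build_notice(event))
```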
