[Dshield] How to ask someone's ISP to investigate

John Hardin johnh at aproposretail.com
Thu Jul 12 23:11:38 GMT 2001


Ray Seals wrote:
> 
> Does anyone have a form e-mail that they could share with the rest of us,
> which is used to file a complaint with an offending ISP, etc?  I've read the
> Contacting Host Owners paper on incidents.org but it doesn't really cover
> what the complaint should look like.

Here's my form letter. I (used to, before FightBack) would edit my log
down to a dozen or so lines, append this, and edit the bit relevant to
the actual attack: e.g. where the template mentions RPC - the most
common attack - I might edit it to Wingate or LPR or whatever, and if
the attack isn't from a privileged port I'd delete that paragraph.

--------------------BEGIN-------------------------

This is not a complaint about spam. This is a report of a
possible intrusion attempt against our network.

I do not appreciate being scanned for RPC servers,
and I consider it a prelude to an attack.

Please notify the administrator of the system whose IP address
appears above that it is possible they have been cracked and are
now being used without their knowledge to scan for other
vulnerable systems. 

The fact that this scan originates from a privileged port (source
port number less than 1024) strongly indicates that the system
has been cracked, or is being administered by a rogue.

All log times are synchronized U.S. Pacific time zone (with
Daylight Savings Time adjustment as appropriate). Full system
logs are available to you upon request. This message includes
only an excerpt from those logs.

The following pages may be of interest:

http://www.sans.org/y2k/lion.htm
http://www.cert.org/current/current_activity.html
http://www.cert.org/advisories/CA-2000-17.html
http://www.cert.org/advisories/CA-2000-03.html
http://www.cert.org/advisories/CA-99-14-bind.html
http://www.cert.org/advisories/CA-98.05.bind_problems.html
http://www.cert.org/advisories/CA-99-16-sadmind.html
http://www.cert.org/advisories/CA-99-12-amd.html
http://www.cert.org/advisories/CA-99-08-cmsd.html
http://www.cert.org/advisories/CA-99-05-statd-automountd.html
http://www.cert.org/advisories/CA-98.12.mountd.html
http://www.cert.org/advisories/CA-98.11.tooltalk.html
http://www.cert.org/vul_notes/VN-98.03.WinGate.html
http://www.immunix.org/

All traffic from the scanning system is being blocked. If the
scanning system happens to be your email gateway you will not be
able to send email to the aproposretail.com domain. In that case
you may contact me at <jhardin at wolfenet.com>, which is my personal
email address.

Thank you.

-----------------------END-----------------------

--
John Hardin                                   <johnh at aproposretail.com>
Internal Systems Administrator                    voice: (425) 672-1304
Apropos Retail Management Systems, Inc.             fax: (425) 672-0192
-----------------------------------------------------------------------
 6 days until Forum 2001
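As an added example, not part of John Hardin's post, the editing steps he describes above as a small Python script: trim a firewall log excerpt to a dozen lines, name the scanned service from the targeted port, and drop the privileged-port paragraph when the probes did not come from a source port below 1024. The log format, the sample lines (RFC 5737 documentation addresses) and the port-to-service table are constructed assumptions.

```python
import re
from collections import Counter

# Constructed firewall log excerpt (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = """\
Jul 12 14:02:11 gw kernel: DROP SRC=192.0.2.45 DST=198.51.100.7 PROTO=TCP SPT=1023 DPT=111
Jul 12 14:02:11 gw kernel: DROP SRC=192.0.2.45 DST=198.51.100.8 PROTO=TCP SPT=1023 DPT=111
Jul 12 14:02:12 gw kernel: DROP SRC=192.0.2.45 DST=198.51.100.9 PROTO=TCP SPT=1023 DPT=111
"""

# Assumed port-to-service table covering the services the post mentions.
SERVICE_NAMES = {111: "RPC", 515: "LPR", 1080: "WinGate"}

LINE_RE = re.compile(r"SRC=(?P<src>\S+) .*?SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)")

def summarize(log, max_lines=12):
    """Trim the log to max_lines and pull out the scanner, target port and source-port class."""
    lines = [l for l in log.splitlines() if LINE_RE.search(l)][:max_lines]
    hits = [LINE_RE.search(l).groupdict() for l in lines]
    if not hits:
        raise ValueError("no recognisable firewall log lines")
    src = Counter(h["src"] for h in hits).most_common(1)[0][0]
    dpt = Counter(int(h["dpt"]) for h in hits).most_common(1)[0][0]
    # The privileged-port paragraph only applies if every probe came from a port < 1024.
    privileged = all(int(h["spt"]) < 1024 for h in hits if h["src"] == src)
    return {"excerpt": lines, "src": src, "dpt": dpt, "privileged_source": privileged}

def build_report(summary, tz="U.S. Pacific time zone"):
    """Assemble the abuse report from the template paragraphs, tailored to the summary."""
    service = SERVICE_NAMES.get(summary["dpt"], "port %d" % summary["dpt"])
    paras = [
        "This is not a complaint about spam. This is a report of a possible "
        "intrusion attempt against our network.",
        "\n".join(summary["excerpt"]),
        "I do not appreciate being scanned for %s servers, and I consider it "
        "a prelude to an attack." % service,
        "Please notify the administrator of %s that it is possible they have "
        "been cracked and are being used to scan for other vulnerable systems." % summary["src"],
    ]
    if summary["privileged_source"]:
        paras.append("The fact that this scan originates from a privileged port (source port "
                     "number less than 1024) strongly indicates that the system has been cracked.")
    paras.append("All log times are %s. Full system logs are available to you upon request; "
                 "this message includes only an excerpt." % tz)
    return "\n\n".join(paras)

if __name__ == "__main__":
    print(build_report(summarize(SAMPLE_LOG)))
```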
