[Dshield] Re: How to ask someone's ISP to investigate

Chew, Freeland (Roanoke) FChew at ecpi.edu
Mon Jul 16 15:32:33 GMT 2001

Here is an example of what I typically send out (in addition to my dshield

The inclusion of a history (taken from a mysql database) and the kinds of
trojans that use port so-and-so (also mysql based) seems to stress the point
that this stuff is being documented.  ISPs seem to be more responsive lately
-- maybe they smell lawyers -- and often respond to me.  With the exception
of a couple of ip addresses where the whois is hopelessly out of date, the
machine in question is either cleaned up or scans someone else's network.

These reports are generated automatically with some perl scripts, although I
have to manually use whois to get an email address.

Freeland Chew

-----Original Message-----
From: IDS_Monitor at ist.roan.ecpi.edu
[mailto:IDS_Monitor at ist.roan.ecpi.edu]
Sent: Monday, July 16, 2001 3:32 AM
To: fchew at ecpi.edu
Subject: Network Abuse - Firewall Report

Ladies and/or Gentlemen,

Below you will find the relevant portion of my firewall log
that indicates a computer under your control is port scanning our network.

The probe seeks computers that do not exist.

It is possible that the computer on your network has been compromised.

Please look into this situation and take appropriate measures.

Additional information from our records may also be appended to the
bottom of this message.

Freeland Chew
ECPI Technical College
Roanoke, Virginia USA
fchew at ecpi.edu

The format of the data provided is as follows:

Source IP Address,	Source Port,	Target IP Address,	Target Port,
Protocol,	Year-Month-Day, Time (GMT-5:00),	Reverse Name Lookup
(if configured)

	34757		80	TCP	2001-07-16 03:17:44
	34757		80	TCP	2001-07-16 03:23:30

Full probe history of follows:

	34757	80	2001-07-16	03:23:30
	34757	80	2001-07-16	03:17:44
	37160	80	2001-07-15	23:05:23
	37160	80	2001-07-15	22:59:38
	35858	80	2001-07-15	22:35:54
	35858	80	2001-07-15	22:30:53

Known Trojans using port 80 are:

711 trojan (Seven Eleven), AckCmd, Back End, Back Orifice 2000 Plug-Ins,
Cafeini, CGI Backdoor, Executor, God Message, God Message Creator, Hooker,
IISworm, MTX, NCX, Reverse WWW Tunnel Backdoor, RingZero, Seeker, WAN
Remote, Web Server CT, WebDownloader

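The report above is produced by the poster's Perl scripts and MySQL tables; what follows is an added Python sketch (not that code) of the same idea: parse firewall records in the tab-separated layout the report describes, flag sources that probe hosts which do not exist on our network, and emit the probe history and per-port trojan notes. The sample log lines, the live-host list and the port table are constructed for the example.

```python
# Added example (not the author's Perl scripts): report in the post's layout.
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines in the report's field order:
# src_ip, src_port, dst_ip, dst_port, proto, date, time, reverse-name (optional)
SAMPLE_LOG = """\
192.0.2.10\t34757\t198.51.100.7\t80\tTCP\t2001-07-16\t03:17:44\t
192.0.2.10\t34757\t198.51.100.9\t80\tTCP\t2001-07-16\t03:23:30\t
192.0.2.10\t37160\t198.51.100.8\t80\tTCP\t2001-07-15\t23:05:23\t
203.0.113.5\t1024\t198.51.100.2\t80\tTCP\t2001-07-16\t04:00:00\tmail.example.net
"""
# Constructed: hosts that really exist on our network; probes to anything else
# are "computers that do not exist", the hallmark of a scan.
LIVE_HOSTS = {"198.51.100.2"}
# Constructed stand-in for the post's MySQL port-to-trojan table.
PORT_NOTES = {80: ["AckCmd", "Back Orifice 2000 Plug-Ins", "RingZero"]}

def parse_records(text):
    """Parse tab-separated records; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        f = line.split("\t")
        if len(f) < 7:
            continue
        when = datetime.strptime(f[5] + " " + f[6], "%Y-%m-%d %H:%M:%S")
        records.append({"src": f[0], "sport": int(f[1]), "dst": f[2],
                        "dport": int(f[3]), "proto": f[4], "when": when,
                        "rdns": f[7] if len(f) > 7 else ""})
    return records

def scanners(records, live_hosts, min_dead_targets=2):
    """Sources that probed at least min_dead_targets non-existent hosts."""
    dead = defaultdict(set)
    for r in records:
        if r["dst"] not in live_hosts:
            dead[r["src"]].add(r["dst"])
    return {s for s, targets in dead.items() if len(targets) >= min_dead_targets}

def build_report(records, src, port_notes):
    """Probe history (newest first) plus port notes, as in the post's report."""
    hist = sorted((r for r in records if r["src"] == src),
                  key=lambda r: r["when"], reverse=True)
    lines = [f"Full probe history of {src} follows:"]
    for r in hist:
        lines.append(f"\t{r['sport']}\t{r['dport']}\t{r['when']:%Y-%m-%d}\t{r['when']:%H:%M:%S}")
    for port in sorted({r["dport"] for r in hist}):
        lines.append(f"Known Trojans using port {port} are: "
                     + ", ".join(port_notes.get(port, ["none recorded"])))
    return "\n".join(lines)
```

Looking up the abuse contact for each flagged source (the whois step the post does by hand) is left outside the block.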