[Dshield] ISP where port scans are ok

KeithTarrant KeithTarrant at spamcop.net
Tue Oct 1 00:53:46 GMT 2002


You'd also think they'd realize that port 80 scans over and over and over
indicate their customer's machine is probably compromised by a virus or
worm and that most of the relevant viruses and worms install backdoors, and
that their service has been and is being used to jeopardize their
customer's security, and that as a common carrier, once they have
knowledge that their customer has a problem involving their service, they
have a legal responsibility to relay that information so the customer can
limit its losses (of course, in reality, the law is whatever the judge
decides on the day (s)he hands down her verdict).

Also note the spelling.  And you know any sizable company that permitted
scanning would have a form letter for this.  And you'd think a large
company could get the spelling in its form letters correct.

It sounds like a demoralized lazy worker acting without proper
supervision.  Maybe you want to send that email to their CEO.

And of course scanning isn't necessarily illegal in most places; usually
it is a violation of Terms of Service, and that is why ISPs act.

Why not try this: report that their customer's machine has been
compromised and formally request that they pass the information on in
order to limit their customers' potential losses AND their own liability for
those losses.

======== prototype port 80 letter ========
Subject: Please warn your customer it has been hacked 123.123.123.123

This is a friendly warning that the computer connected to your
service at the IP address above appears to either be under the
control of a hacker with a port 80 probe tool or infected with
a Code Red variant.

Please let the person or group responsible for that computer know,
so that they can take steps to minimize the damage done by the security
breach, limit the spread of the contagion, and limit your own company's
legal liability as a common carrier knowingly permitting a customer to
suffer continuing damage from a security breach you knew about.

All passwords typed into, and documents stored on,
the computer may now be accessible to hackers.

The probe wasn't successful, so no apology is necessary.  Thanks.

Please consider investigating this incident.

I have included all the information I have below.

Good luck.

- Keith

(Many ISPs are now suspending clients who have demonstrated a
repeated inability or unwillingness to secure their computers.)

Any of these 3 free virus scanners detects existing infections:
http://www.grisoft.com/html/us_index.htm
http://housecall.antivirus.com/pc_housecall/
http://www.pandasoftware.com/activescan/

Security guides and tips are available here:
http://www.cert.org/homeusers/

--- append firewall or IDS log extract here ---
=============

You can even mention things like keyboard loggers and backdoors, and maybe
check with a lawyer to put in some scary sounding legalese.

Maybe GCI will still ignore the warning; if you get a junior abuse analyst
they may not even read the letter, but if their customer suffers a loss or
further losses, and their customer ever becomes aware that you sent GCI a
warning, their customer will have a good chance of getting a court to hold
GCI liable.  (GCI won't know how often you purge your email logs.)  And
maybe one day your letter will be drawn to the attention of a manager and
their policy will change.

I've had pretty good luck in seeing port 80 probes end after sending this
letter.  And I haven't gotten any silly responses back either ("skans
ain't illgal hear" LOL).

Keith
(not a lawyer but used to work in insurance 20 years ago, although not in
Alaska, but how different can Alaskan law be)

----- Original Message -----
From: "Ellen Clary" <ellen at dgi.com>
To: <list at dshield.org>
Sent: Monday, September 30, 2002 5:01 PM
Subject: [Dshield] ISP where port scans are ok


>
> This surprised me.  So many ISPs have policies against port scanning.
> Never mind that this system has likely been compromised.
> I'm surprised that they don't care.
>
> A cable provider no less.  I guess I should consider it a plus that I
> got a personal reply.
>
> Ellen Clary
> Senior System Administrator
> Dynamic Graphics
>
> --- Forwarded mail from ... at gci.com>
>
> To: "'ellen at dgi.com'" <ellen at dgi.com>
> Subject: RE: (Fwd) Port Scan from 24.237.5.104 Sep 28
> Date: Mon, 30 Sep 2002 11:26:16 -0800
>
> Thank you for contacting GCI ITS,
>
> Port scanning is not illigal on our network, if the issue becomes
> more than just this, please let us know.
> Thank You
>
>
>
> -----Original Message-----
>
> From: ellen at dgi.com [mailto:ellen at dgi.com]
> Sent: Monday, September 30, 2002 8:46 AM
> To: support at gci.net
> Subject: (Fwd) Port Scan from 24.237.5.104 Sep 28
>
>
> Hello,
>
> We received this port scan from 24.237.5.104
>
> Date of probes: Sep 28, 2002
>
> Pacific Timezone
>
> Time            Source IP       Destination IP  Port
>
> 104-5-237-24-cable.anchorageak.net.
>
>
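As an added defender-side example (not code from the thread or from either poster), here is a small Python script that parses firewall log lines in the same time/source/destination/port/protocol layout as the extract Ellen forwarded and flags a source that sweeps many distinct hosts on port 80 inside a short window, the pattern Keith reads as a worm-infected customer rather than a one-off probe. The log lines and addresses in it are constructed; the window and host thresholds are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the same "time src dst port proto" layout as the
# firewall extract in the thread (addresses are made up for the example).
SAMPLE_LOG = """\
09:58:02 10.0.0.9 192.0.2.1 80  TCP
09:58:02 10.0.0.9 192.0.2.2 80  TCP
09:58:05 10.0.0.9 192.0.2.3 80  TCP
09:58:05 10.0.0.9 192.0.2.4 80  TCP
09:58:06 10.0.0.9 192.0.2.5 80  TCP
09:58:08 10.0.0.9 192.0.2.3 80  TCP
09:58:40 10.0.0.9 192.0.2.6 80  TCP
10:15:00 10.0.0.22 192.0.2.7 80  TCP
10:15:00 10.0.0.22 192.0.2.7 443 TCP
"""

LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)$")


def parse_log(text):
    """Return (time, src, dst, port, proto) tuples; lines that do not match
    the layout (headers, blank lines, reverse-DNS notes) are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        t = datetime.strptime(m.group(1), "%H:%M:%S")
        events.append((t, m.group(2), m.group(3), int(m.group(4)), m.group(5)))
    return events


def find_horizontal_scans(events, port=80, window_s=10, min_hosts=5):
    """Map each source that reaches >= min_hosts distinct destinations on
    `port` within any window_s-second window to (host count, first hit).
    A one-port sweep across consecutive addresses, as in the thread, is the
    signature of worm propagation rather than a stray connection attempt."""
    by_src = defaultdict(list)
    for t, src, dst, p, proto in events:
        if p == port and proto == "TCP":
            by_src[src].append((t, dst))
    findings = {}
    for src, hits in by_src.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            seen = {d for t, d in hits[i:] if t - t0 <= timedelta(seconds=window_s)}
            if len(seen) >= min_hosts:
                findings[src] = (len(seen), hits[0][0].strftime("%H:%M:%S"))
                break
    return findings
```

The returned summary (source, distinct hosts hit, first timestamp) is what belongs in the "information I have below" section of the form letter, alongside the raw extract.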
