[Dshield] Contacting ISP's to report hack attempts - any luck ?
Johannes B. Ullrich
jullrich at sans.org
Wed Jan 14 17:41:35 GMT 2004
> Jan 13 21:54:56 leeqube2 portsentry: attackalert: Host: 188.8.131.52
> is already blocked. Ignoring
> So is this not enough ?
Maybe add a 'translation' of your log. There are hundreds of different
formats. I should post the template again that we are using for our
messages. But ask Wayne, our cvtwin maintainer, how hard it can be to
make sense of some of these logs. Portsentry is not bad (IMHO). But
still, think about the poor abuse desk guy and give them some hints ;-)

Target IP Address: 184.108.40.206
Source IP Address: 220.127.116.11
Time: Jan 13th 21:54:56 (UTC)

One note about time: spell out the month (something I have to fix in our
notices, I think). Different countries use different conventions...
e.g. 01/02/03 could be: Jan 2nd 2003, Feb. 3rd 2001, Feb. 1st 2003.
I think the three-letter English abbreviation for the month will work.

And one more: Keep it brief. A couple of lines of logs (10 maybe... not
100), and no whois info or things that are 'obvious'. The strategic use
of the words 'Please' and 'Thank you' can help as well.
> As your note that they might fix them and not tell me. That yields a
> quandary - I almost never see the same problem info whether I report them or
> not (?). Maybe others report them ?
> Thanks so much for the info.
CTO SANS Internet Storm Center http://isc.sans.org
phone: (617) 837 2807 jullrich at sans.org
contact details: http://johannes.homepc.org/contact.htm
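
An added example, not part of the original message: a Python sketch that turns portsentry syslog lines like the one quoted above into the brief report layout the reply suggests (target, source, UTC time with the month spelled out, at most 10 log lines). The function names, the sample log lines with documentation-range addresses, and the report wording are assumptions; the year and target IP are passed in because the log line carries neither.

```python
import re
from datetime import datetime, timedelta, timezone

MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()
# Syslog timestamp, hostname, then a portsentry attackalert naming the source.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+"
    r"(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2})\s+\S+\s+"
    r"portsentry(?:\[\d+\])?:\s+attackalert:.*?[Hh]ost:?\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})")
# Constructed sample lines (documentation addresses), modelled on the thread.
SAMPLE = [
    "Jan 13 21:54:50 myhost portsentry[412]: attackalert: Connect from host: 192.0.2.7/192.0.2.7 to TCP port: 111",
    "Jan 13 21:54:56 myhost portsentry[412]: attackalert: Host: 192.0.2.7 is already blocked. Ignoring",
    "Jan 13 21:55:01 myhost sshd[99]: session opened",
]

def parse_line(line, year, utc_offset_hours=0):
    """Return (utc_datetime, source_ip), or None if not a portsentry alert."""
    m = LINE_RE.match(line)
    if not m or m["mon"] not in MONTHS:
        return None
    local = timezone(timedelta(hours=utc_offset_hours))
    ts = datetime(year, MONTHS.index(m["mon"]) + 1, int(m["day"]),
                  int(m["h"]), int(m["m"]), int(m["s"]), tzinfo=local)
    return ts.astimezone(timezone.utc), m["src"]

def fmt_time(ts):
    # Month as a three-letter English abbreviation, never a numeric date.
    return f"{ts.day:02d} {MONTHS[ts.month - 1]} {ts.year} {ts:%H:%M:%S} UTC"

def build_report(log_lines, target_ip, year, utc_offset_hours=0, max_lines=10):
    """Build a brief abuse report for the most frequent source in log_lines."""
    hits = {}
    for line in log_lines:
        parsed = parse_line(line, year, utc_offset_hours)
        if parsed:
            hits.setdefault(parsed[1], []).append((parsed[0], line.strip()))
    if not hits:
        raise ValueError("no portsentry attackalert lines found")
    src, events = max(hits.items(), key=lambda kv: len(kv[1]))
    events.sort()
    shown = events[:max_lines]  # keep the excerpt short for the abuse desk
    body = ["Hello,", "", "Please look into the attempts summarized below.", "",
            f"Target IP Address: {target_ip}",
            f"Source IP Address: {src}",
            f"Time: {fmt_time(events[0][0])} (first event)",
            "", f"Log excerpt ({len(shown)} of {len(events)} lines):"]
    return "\n".join(body + [e[1] for e in shown] + ["", "Thank you."])
```

Calling `build_report(SAMPLE, "198.51.100.20", 2004)` returns the report text; pass `utc_offset_hours` when the logging host's clock is not on UTC.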