[Dshield] Contacting ISP's to report hack attempts - any luck ?

Johannes B. Ullrich jullrich at sans.org
Wed Jan 14 17:41:35 GMT 2004


> Jan 13 21:54:56 leeqube2 portsentry[1068]: attackalert: Host: 64.222.46.166
> is already blocked. Ignoring
> 
> 
> So is this not enough ? 

Maybe add a 'translation' of your log. There are hundreds of different
formats. I should post the template again that we are using for our
messages. But ask Wayne, our cvtwin maintainer, how hard it can be to
make sense of some of these logs. Portsentry is not bad (IMHO). But
still, think about the poor abuse desk guy and give them some hints ;-)

e.g. say:
Target IP Address: 1.2.3.4
Source IP Address: 64.222.46.166
Targetport: 80
Time: Jan 13th 21:54:56 (UTC)

One note about time: spell out the month (something I have to fix in our
notices, I think). Different countries use different conventions...

e.g. 01/02/03 could be: Jan 2nd 2003, Feb. 3rd 2001, Feb. 1st 2003

I think the three letter English abbreviation for the month will work
well.

And one more: Keep it brief. A couple lines of logs (10 maybe.. not
100), and no whois info or things that are 'obvious'. The strategic use
of the words 'Please' and 'Thank you' can help as well.

> 
> As your note that they might fix them and not tell me. That yields a
> quandary - I almost never see the same problem info whether I report them or
> not (?). Maybe others report them ?
> 
> Thanks so much for the info.
> 
> Chuck
-- 
CTO SANS Internet Storm Center               http://isc.sans.org
phone: (617) 837 2807                          jullrich at sans.org 

contact details: http://johannes.homepc.org/contact.htm
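
An added example, not part of the original message and not DShield's own tooling: one way to turn portsentry syslog lines into the short field list suggested above, with the month spelled out, the time in UTC, and at most 10 entries. The "Connect from host ... to TCP port" alert form, the function names, and the caller-supplied year and UTC offset (syslog lines carry neither) are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumed alert form; the "is already blocked" line quoted in the thread
# names no port, so it cannot fill the template and is skipped.
ALERT = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ "
    r"portsentry\[\d+\]: attackalert: .*?from host: (?P<src>[\d.]+)/\S+ "
    r"to (?P<proto>TCP|UDP) port: (?P<port>\d+)"
)

# Constructed sample lines (first one is hypothetical, second is from the thread).
SAMPLE = [
    "Jan 13 21:54:51 leeqube2 portsentry[1068]: attackalert: Connect from host: 64.222.46.166/64.222.46.166 to TCP port: 80",
    "Jan 13 21:54:56 leeqube2 portsentry[1068]: attackalert: Host: 64.222.46.166 is already blocked. Ignoring",
]

def translate(line, target_ip, year, utc_offset_hours=0):
    """Return the template fields for one log line, or None if it does not fit."""
    m = ALERT.match(line)
    if not m:
        return None
    # Syslog has no year or zone: both come from the caller, then convert to UTC.
    local = datetime.strptime(
        f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S"
    ).replace(tzinfo=timezone(timedelta(hours=utc_offset_hours)))
    return {
        "Target IP Address": target_ip,
        "Source IP Address": m["src"],
        "Targetport": f"{m['port']}/{m['proto']}",
        "Time": local.astimezone(timezone.utc).strftime("%b %d %Y %H:%M:%S (UTC)"),
    }

def build_report(lines, target_ip, year, utc_offset_hours=0, max_lines=10):
    """Build a brief report body: translated entries only, capped at max_lines."""
    rows = (translate(l, target_ip, year, utc_offset_hours) for l in lines)
    rows = [r for r in rows if r]
    out = ["Please review these connection attempts from your network.", ""]
    for row in rows[:max_lines]:
        out += [f"{k}: {v}" for k, v in row.items()] + [""]
    if len(rows) > max_lines:
        out.append(f"({len(rows) - max_lines} further entries omitted)")
    out.append("Thank you.")
    return "\n".join(out)

if __name__ == "__main__":
    print(build_report(SAMPLE, "1.2.3.4", 2004))
```
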