TCLUG Archive

Re: [TCLUG:19184] compromised host netiquette



On Mon, Jun 26, 2000 at 11:39:43AM -0500, Carl Wilhelm Soderstrom wrote:
> 	I seem to be getting portscans of my network from
> 166.49.72.158, which, when I nmap it, shows up as
> 'live-split.wtn.rbn.com'. This seems to be one of Real Networks'
> servers.

I assume you're watching it open several ports that are running
interesting services?  You're sure it wasn't activity due to one of your
users playing a video stream?  I don't want to say that you're wrong or
anything, but it's always a good idea to try to rule out the simple
possibilities first.

> what's the proper netiquette for alerting some host that they might
> have been compromised?

Well, many places have `abuse@...' addresses for that sort of
thing.  Otherwise, you can always try to look up the networking contact
with whois (or nslookup?).  Of course, many organizations don't monitor
that account very frequently.

At any rate, just try to give as much relevant information as
possible.  Be sure to include IP addresses as well as hostnames (DNS
entries can be spoofed in certain cases).  If you give log entries, make
sure that you give the timezone you are in.  (It's also a good idea to
keep your clocks in sync -- makes looking up log entries a lot easier).

Of course, if a system actually gets compromised, things get way more
interesting.

-- 
 _  _  _  _ _  ___    _ _  _  ___ _ _  __   Kleptomania: take 
/ \/ \(_)| ' // ._\  / - \(_)/ ./| ' /(__   something for it. 
\_||_/|_||_|_\\___/  \_-_/|_|\__\|_|_\ __)                             
[ Mike Hicks | http://umn.edu/~hick0088/ | mailto:hick0088@tc.umn.edu ]

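An added example, not part of Mike's message or of the TCLUG thread: a small Python script that does the two things the reply recommends before mailing abuse@. It parses firewall log lines whose syslog timestamps carry neither year nor zone, stamps every event with the reporter's zone converted to UTC, counts how many distinct ports one source hit so that a handful of packets from a streaming server is not reported as a scan, and produces a plain-text report that leads with the IP address and marks the reverse-DNS name as unverified. The log format, the ten-port threshold, the addresses (RFC 5737 documentation ranges), the hostname `scanner.example.net` and every log line are constructed for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumed log format (not from the thread): syslog prefix plus iptables-style
# key=value fields. A different logger only needs a different regex here.
LOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r".*?SRC=(?P<src>[\d.]+) .*?DST=(?P<dst>[\d.]+) .*?PROTO=(?P<proto>\w+)"
    r"(?:.*? DPT=(?P<dpt>\d+))?"
)
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}
# Syslog lines carry no zone, so the caller states the logging host's zone:
# here UTC-5, the -0500 of the quoted mail header (US Central Daylight Time).
LOCAL_TZ = timezone(timedelta(hours=-5))

# Constructed sample log (RFC 5737 documentation addresses, not real hosts):
# 203.0.113.7 probes twelve ports on one host in twelve seconds; 198.51.100.9
# sends two packets shaped like return traffic from a streaming server (source
# port 554, RTSP); the sshd line shows that unrelated syslog entries are skipped.
SCAN_PORTS = [21, 22, 23, 25, 53, 80, 110, 111, 139, 143, 443, 8080]
SAMPLE_LINES = [
    f"Jun 26 10:02:{13 + i:02d} gw kernel: IN=eth0 OUT= SRC=203.0.113.7 "
    f"DST=192.0.2.10 LEN=44 PROTO=TCP SPT=40321 DPT={p} SYN"
    for i, p in enumerate(SCAN_PORTS)
] + [
    "Jun 26 10:05:41 gw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.23 "
    "LEN=60 PROTO=TCP SPT=554 DPT=33412 ACK",
    "Jun 26 10:05:42 gw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.23 "
    "LEN=1200 PROTO=UDP SPT=6970 DPT=33414",
    "Jun 26 10:06:00 gw sshd[123]: Accepted publickey for carl from 192.0.2.5",
]


def parse_line(line, year, local_tz):
    """One firewall event with an aware UTC timestamp, or None if not one."""
    m = LOG_RE.match(line)
    if not m:
        return None
    hh, mm, ss = (int(x) for x in m["time"].split(":"))
    local_ts = datetime(year, MONTHS[m["mon"]], int(m["day"]), hh, mm, ss,
                        tzinfo=local_tz)  # year and zone are not in the line
    return {"ts": local_ts.astimezone(timezone.utc), "src": m["src"],
            "dst": m["dst"], "proto": m["proto"],
            "dpt": int(m["dpt"]) if m["dpt"] else None, "raw": line}


def summarize(lines, year, local_tz):
    """Per source IP: time window, targets, distinct ports, and the raw lines."""
    per_src = {}
    for line in lines:
        ev = parse_line(line, year, local_tz)
        if ev is None:
            continue
        s = per_src.setdefault(ev["src"], {
            "first": ev["ts"], "last": ev["ts"], "dsts": set(),
            "ports": set(), "hits": 0, "events": []})
        s["first"], s["last"] = min(s["first"], ev["ts"]), max(s["last"], ev["ts"])
        s["dsts"].add(ev["dst"])
        if ev["dpt"] is not None:
            s["ports"].add((ev["proto"], ev["dpt"]))
        s["hits"] += 1
        s["events"].append((ev["ts"], ev["raw"]))
    return per_src


def classify(summary, min_ports=10):
    """Rule-out heuristic with an assumed threshold: many distinct ports from
    one source reads as a scan; a handful is more likely a service one of your
    own users talked to, and deserves a look before anyone gets mailed."""
    return "portscan" if len(summary["ports"]) >= min_ports else "few-ports"


def abuse_report(lines, year, local_tz, src_ip, rdns=None):
    """Plain-text body for abuse@: IP first, reverse DNS marked unverified,
    the reporter's zone stated once, every timestamp in UTC."""
    s = summarize(lines, year, local_tz)[src_ip]
    offset = s["first"].astimezone(local_tz).strftime("%z")  # e.g. -0500
    ports = ", ".join(f"{proto}/{port}" for proto, port in sorted(s["ports"]))
    out = [
        f"Source IP: {src_ip}"
        + (f" (reverse DNS: {rdns}, unverified)" if rdns else ""),
        f"Reporting host's log zone: UTC{offset[:3]}:{offset[3:]}; "
        "all times below are UTC",
        f"Hits: {s['hits']} against {len(s['dsts'])} host(s), "
        f"{len(s['ports'])} distinct port(s); verdict: {classify(s)}",
        f"First: {s['first']:%Y-%m-%d %H:%M:%S} UTC   "
        f"Last: {s['last']:%Y-%m-%d %H:%M:%S} UTC",
        f"Ports: {ports}",
        "Log lines (UTC time, then the original entry):",
    ]
    out += [f"  {ts:%Y-%m-%d %H:%M:%S} {raw}" for ts, raw in sorted(s["events"])]
    return "\n".join(out)


if __name__ == "__main__":
    print(abuse_report(SAMPLE_LINES, 2000, LOCAL_TZ, "203.0.113.7",
                       rdns="scanner.example.net"))
```

Run it as-is to see the report for the constructed scanner; swap in your own lines, year and zone for real use. The reverse-DNS name is whatever you looked up yourself and is printed only as a hint next to the address, since the remote side's PTR record is under their control, not yours.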