RE: Network 195.70.202.0/24 is hacker-friendly

From: Justin Silles (JUSTIN@m-m-s.com)
Date: Tue Dec 04 2001 - 09:10:10 PST


    At a company I worked at three years ago I called the offending company's
    ISP and informed them of the traffic and the load it was trying to use on
    our ISDN line.  While it was a minor situation, the ISP handled it as THEIR
    responsibility to find out why one of THEIR accounts / THEIR IP Addresses
    was generating "hacker" traffic.
    
    In a similar instance, I used to txt dump my NT logs and e-mail them to an
    administrator for my home ISP for every possible hack attack.  There was a
    group of three users on my ISP's network that would continually try to log
    onto my machine at night for 2-hour time blocks using usernames that were
    obvious break-in attempts.  My home ISP's position was that they would not
    punish a user based on my log reports (because of possible forgery);
    however, they would begin logging that user's activity based on my NT logs
    and from there they would determine if that user was abusing the ISP's
    "acceptable use policy."  All four users at that ISP had their accounts
    removed and one of them was charged with computer B&E by a local company
    that they were stealing secrets/documents from (details were cloudy).  They
    were caught because of my original NT logs and the ISP thanked me for
    monitoring my home dial-up connection.
    
    To this day I use the same tactics against computers with Code Red and
    Nimda.  I e-mail the company admin when possible and I cc the admin of their
    ISP if I can figure it out.  Whether it's spam, viruses or break-ins...I'm
    all for stopping it in its tracks.  If an ISP pulls the plug on an
    offending company's Internet connection because they didn't fix things
    within a reasonable time...so be it.  I don't think if you have issues with
    your server you should have to fix it within 5 minutes, but I do think that
    there should be a time within reason that you can fix it, or pull it off the
    Internet.
    
    Regards,
    Justin M. Silles
    
    
    -----Original Message-----
    From: Boyan Krosnov [mailto:bkrosnovat_private]
    Sent: Monday, December 03, 2001 7:49 PM
    To: Pavel Lozhkin; incidentsat_private
    Subject: RE: Network 195.70.202.0/24 is hacker-friendly
    
    I had an abuse report case today in which the party responsible for the
    addresses basically said:
    "Viruses are not network abuse" and "People who have registered the
    addresses are not the ones who the abuse report should be sent to."
    And they were, of course, given a course on how abuse reporting
    works (and has worked in mass hysteria times like Code Red, etc.), and
    why they should participate in it. Not that it changed their mind, but
    we tried, really.
    
    The last exchange was like:
    me: "If you don't take responsibility for actions made from your
    addresses, we are seriously considering the possibility of stopping any
    exchange of traffic with your addresses."
    them: "NO PROVIDER ON THIS WORLD takes this responsibility. You are
    wrong" and bla, bla, bla and "There is a recommendation of the European
    Union that every provider should provide anonymous access to their
    network, so we don't have to care who is behind every single account."
    a colleague: "If you really think that "phone companies are not
    responsible for conversations over their networks" (an actual quote of
    you), would you please give me your phone number so that I can call you
    every night between 2 and 5. But don't contact the phone company about
    that, because they "are not responsible", so there is no need for them
    to do anything."
    
    What do you all-on-this-list think about it?
    Are you willing to communicate with address blocks that have a
    report-handling policy like this one?
    Do you know of a blacklist for documented networks with bad network
    abuse handling policies, a.k.a. hacker friendly?
    
    BR,
    CCNP Boyan Krosnov
    Network Administrator
    Lirex Net
    phone: +359-2-91815
    
    > -----Original Message-----
    > From: Pavel Lozhkin [mailto:pavelat_private]
    > Sent: Monday, December 03, 2001 11:01 PM
    > To: incidentsat_private
    > Subject: Network 195.70.202.0/24 is hacker-friendly
    >
    >
    > Hello!
    >
    > I got an attempt to infect my server by the Nimda virus from 195.70.202.138.
    > The administrator of the network (it is St. Petersburg State University's
    > net) wrote me on my complaint that he does not want to clean his infected
    > machines and that he does not have any contract with my firm, so I'm
    > unable to ask him to clean these computers from where I got these
    > attempts and unable to ask him anything.
    > And he will scan me at any time if he wants, and I should not ask him to
    > stop that.
    >
    > So I consider the net 195.70.202.0/24 as an uncontrolled one and block
    > the network by my firewall and recommend all people do the same thing.
    >
    > Pavel
    >
    >
    > --------------------------------------------------------------
    > --------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
    >
    >
    
    
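A defender-side illustration of the two practices in this thread, Justin's habit of turning failed-logon logs into an abuse report and Pavel's decision to treat a whole /24 as blocked, added here as example code that is not from anyone in the thread. The log format and sample records are constructed (not real NT event-log output), and the threshold and two-hour window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample log (not real NT event-log output): "date time source_ip username result".
SAMPLE_LOG = """\
2001-12-03 02:05:11 195.70.202.138 administrator FAIL
2001-12-03 02:06:40 195.70.202.138 admin FAIL
2001-12-03 02:08:02 195.70.202.138 root FAIL
2001-12-03 02:09:55 195.70.202.138 guest FAIL
2001-12-03 04:01:00 192.0.2.7 administrator FAIL
2001-12-03 04:03:00 192.0.2.7 admin FAIL
"""

def parse_log(text):
    """Parse the constructed format into (timestamp, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        day, clock, ip, user, result = line.split()
        events.append((datetime.strptime(f"{day} {clock}", "%Y-%m-%d %H:%M:%S"), ip, user, result))
    return events

def failed_logon_bursts(events, threshold=3, window=timedelta(hours=2)):
    """Map source IP -> (count, first, last, usernames) for sources with >= threshold FAILs in one window."""
    fails = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "FAIL":
            fails[ip].append((ts, user))
    bursts = {}
    for ip, attempts in fails.items():
        attempts.sort()
        for i in range(len(attempts)):
            j = i  # extend the span while it still fits inside the window
            while j + 1 < len(attempts) and attempts[j + 1][0] - attempts[i][0] <= window:
                j += 1
            if j - i + 1 >= threshold:
                users = sorted({u for _, u in attempts[i:j + 1]})
                bursts[ip] = (j - i + 1, attempts[i][0], attempts[j][0], users)
                break
    return bursts

def abuse_report(bursts, blocked_net="195.70.202.0/24"):
    """One report line per offending source; flag sources inside an already-blocked network."""
    net = ipaddress.ip_network(blocked_net)
    lines = []
    for ip, (count, first, last, users) in sorted(bursts.items()):
        flag = " [inside blocked net]" if ipaddress.ip_address(ip) in net else ""
        lines.append(f"{ip}: {count} failed logons {first:%Y-%m-%d %H:%M}"
                     f" to {last:%H:%M}, usernames {','.join(users)}{flag}")
    return lines
```

Running `abuse_report(failed_logon_bursts(parse_log(SAMPLE_LOG)))` yields one line for 195.70.202.138 (four guessed usernames within five minutes) and none for 192.0.2.7, which stays below the threshold.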



    This archive was generated by hypermail 2b30 : Tue Dec 04 2001 - 12:45:06 PST