From cert@cert.org Thu Mar 14 01:54:24 1996
Date: Wed, 13 Mar 1996 14:54:31 -0500
From: CERT Coordination Center
To: panzer@dhp.com
Cc: cert@cert.org, admin@dhp.com
Subject: CERT#6564 - Re: Attempted-entry-in.telnetd-by-unknown@dhp.com

Hello Matt,

Thanks for the update on the incident involving your site and the
all.net site. We are glad to hear that you do not appear to have
been compromised.

Not every telnet probe turns out to be part of an attack. People are
misdirected or make typos which cause them to attempt to access a host
to which they are unauthorized to connect. However, we have seen enough
incidents in which these probes have been part of a larger attack to
believe that such probes are a concern. Whether a probe should just
raise a site's level of awareness or something more drastic is a matter
of opinion.

We encourage sites being probed to make the "attacking" site aware of
this activity. Again, in what manner/tone this should be done is a
matter of opinion.

Since you do not feel your site is compromised and do not feel anything
further is required, we will consider this incident addressed and
closed. If you do have any additional questions or comments please do
not hesitate in contacting us.

Regards,

James Stevens
Technical Coordinator
_____________________________________________________________________________
CERT(sm) Coordination Center   |  Internet E-mail: cert@cert.org
Software Engineering Institute |  Telephone: 1-412-268-7090 24-hour hotline
Carnegie Mellon University     |  Answered by CERT, 8:30-17:00 EDT (GMT-4)
Pittsburgh, PA 15213-3890      |  On call for emergencies, 24 hours/day.
-----------------------------------------------------------------------------
(sm) CERT is a service mark of Carnegie Mellon University.

---------------------------------- Cut Here ----------------------------------

Date: Wed, 13 Mar 1996 03:58:20 -0500 (EST)
From: "Matt 'Panzer Boy'"
To: CERT Coordination Center
cc: cert@cert.org, admin@dhp.com
Subject: Re: CERT#6564 - Re: Attempted-entry-in.telnetd-by-unknown@dhp.com

On Tue, 12 Mar 1996, CERT Coordination Center wrote:

> It has been our experience that innocuous telnet probes often turn
> out to be part of a larger attack; although that obviously is not
> always the case. We would encourage you to check your systems for
> any sign of compromise. We can provide you with additional
> information on checking your systems if you are interested.

If it is your opinion that telnet probes often turn out to be part of a
larger attack, then perhaps you feel that telephone salespeople are more
likely to be burglars probing the house to see if people are home.

I feel that having automated mail on some ports is completely insane.
If the owner of the machine wishes to log all incoming, and deal with
them on a case by case basis, I see no problem. However in this day,
people are likely to believe unsecured email with "root@host.com" about
how a user has done something illegal, when they shouldn't be. I've had
naive friends of mine get in trouble and one even lost his job over
things like this.

Users on IRC tell someone else to "telnet all.net" because it has a MUD
running on it. The user does it, that user's Admin gets email about an
"Illegal Intrusion". If the Admin isn't completely clued in, the user
will most likely lose their account.

None of this is called for.

We've already checked my system for breakins. We currently have none
discovered.

> If you feel that Mr. Cohen's concern is unwarranted we would encourage
> you to make him aware of your reasoning. If you feel additional action
> needs to be taken, we would encourage you to contact the service provider
> of ALL.NET and make them aware of this activity.

When I made him aware of my reasoning he sent mail into CERT. My
followup to that message went to CERT also, along with his provider.

If you require any information on this, feel free to contact me. I feel
that this incident is closed on my end.

-Matt (panzer@dhp.com) DI-1-9026
"That which can never be enforced should not be prohibited."

---------------------------------- Cut Here ----------------------------------