From cert@cert.org Thu Mar 14 01:53:59 1996
Date: Tue, 12 Mar 1996 14:36:27 EST
From: CERT Coordination Center <cert@cert.org>
To: panzer@dhp.com
Cc: cert@cert.org, admin@dhp.com
Subject: CERT#6564 - Re: Attempted-entry-in.telnetd-by-unknown@dhp.com (fwd)

Hello Matt,

This message concerns the incident report made by Fred Cohen about
a possible attempted compromise at his site ALL.NET from the host
DHP.COM.

It has been our experience that innocuous telnet probes often turn
out to be part of a larger attack, although that obviously is not
always the case. We would encourage you to check your systems for
any sign of compromise. We can provide you with additional
information on checking your systems if you are interested.

If you feel that Mr. Cohen's concern is unwarranted we would encourage
you to make him aware of your reasoning. If you feel additional action
needs to be taken, we would encourage you to contact the service provider
of ALL.NET and make them aware of this activity.

We have assigned an internal reference number to this incident
(CERT#6564) and it is included in the subject line of this e-mail
message. This unique, random number will help us track correspondence
and coordinate our activities. We would appreciate your including it
in the subject line of future correspondence about this incident.

If you have any questions or comments, please do not hesitate to
contact us.

Regards,
James Stevens
Technical Coordinator
_____________________________________________________________________________
CERT(sm) Coordination Center    | Internet E-mail: cert@cert.org
Software Engineering Institute  | Telephone: 1-412-268-7090  24-hour hotline
Carnegie Mellon University      |    Answered by CERT, 8:30-17:00 EDT (GMT-4)
Pittsburgh, PA 15213-3890       |    On call for emergencies, 24 hours/day.
-----------------------------------------------------------------------------
(sm) CERT is a service mark of Carnegie Mellon University.

---------------------------------- Cut Here ----------------------------------


From: "Matt 'Panzer Boy'" <panzer@dhp.com>
To: cert@cert.org, postmaster@psi.net
cc: postmaster@all.net, admin@dhp.com
Subject: Re: Attempted-entry-in.telnetd-by-unknown@dhp.com (fwd)

This administrator at all.net (I assume the whois information is true) is 
making unwarranted threats and accusations.  These threats and warnings
coming from a site that offers to do port scans on any host via a web 
interface is quite absurd.
References:
 "http://all.net/tests/testsuite.html" For a description of what they do
 "http://all.net/tests/one-time-test.html" To actually try it out

 -Matt     (panzer@dhp.com)                         DI-1-9026

---------- Forwarded message ----------
Date: Sat, 9 Mar 1996 16:16:33 -0500 (EST)
From: Fred Cohen <fc@all.net>
To: cert@cert.org
Cc: panzer@dhp.com
Subject: Re: Attempted-entry-in.telnetd-by-unknown@dhp.com (fwd)

The systems administrator at the following site is apparently a party to
the attempted entry to our site reported below.  What is the procedure for
contacting federal authorities to investigate attempted breakins to
Federal Interest Computers?

Forwarded message:
> From admin@dhp.com Sat Mar  9 16:11:03 1996
> Date: Sat, 9 Mar 1996 16:11:57 -0500 (EST)
> From: DHP Administrator <admin@dhp.com>
> To: root <root@all.net>
> Subject: Re: Attempted-entry-in.telnetd-by-unknown@dhp.com
> In-Reply-To: <9603090948.AA25300@all.net>
> Message-Id: <Pine.LNX.3.91.960309155116.9846A-100000@dhp.com>
> Mime-Version: 1.0
> Content-Type: TEXT/PLAIN; charset=US-ASCII
> 
> On Sat, 9 Mar 1996, root wrote:
> > A user at your site has just attempted to telnet into our site without
> > proper authorization.  We consider this inappropriate behavior and would
> > like an explanation of this action as soon as possible. 
> > 
> > This message is generated automatically at the time of the attempted
> > entry and is sent to our administrators and the postmaster at the
> > machine making the attempt.  We have included any information provided
> > by your ident daemon (if in use) on the subject line of this message. 
> > We also do a reverse finger for future reference. 
> > 
> > Fred Cohen - fc@all.net - tel:US+216-686-0090
> 
> A user at your site has just attempted to finger into our site without 
> proper authorization.  We consider this inappropriate behavior and would 
> like an explanation of this action as soon as possible.
> 
> Please refrain from such a waste of bandwidth in the future.  Setting 
> alarms off with a telnet is both stupid, and most likely to get people in 
> trouble for no proper reason.
> 
>  -Matt (panzer@dhp.com)

-> See: Info-Sec Heaven at URL http://all.net/
Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236


---------------------------------- Cut Here ----------------------------------
