Abuse: Difference between revisions
No edit summary |
|||
Line 67: | Line 67: | ||
Cc: abuse@attacker.example.com | Cc: abuse@attacker.example.com | ||
Dear sirs, | Dear sirs, | ||
I've recently been attacked by a which I believe to be on your network. I believe the attacker | I've recently been attacked by a host which I believe to be on your network. I believe the attacker | ||
has remotely compromised my mailman application. | has remotely compromised my mailman application. | ||
The machine in question is remote.attacker.example.com. as you can see by the log below. | The machine in question is remote.attacker.example.com. as you can see by the log below. |
Revision as of 15:00, 26 April 2006
Following the proper process to report Internet abuse is very important if you want to be taken seriously. As you're hopefully aware, abuse can be rampant on the internet, as it is often out of the reach of local authorities. In this text we will try to document the steps you would take to report an abuse, from a spam to a common DoS.
Spam Example
In your email client, you will want to find the "View Headers" option in your email client.
Return-Path: <theloniuaspa@checkpoint.com> X-Original-To: yashy@yashy.com Delivered-To: yashy@yashy.com Received: from dmccapital.com (142.12.233.220.exetel.com.au [220.233.12.142]) by proksie.yashy.com (Postfix) with SMTP id C76635C50 for <yashy@yashy.com>; Mon, 27 Feb 2006 19:24:12 -0500 (EST) Message-ID: <000001c63bfd$634e5340$5f60a8c0@vwb5> Reply-To: "Thelonius Span" <theloniuaspa@checkpoint.com> From: "Thelonius Span" <theloniuaspa@checkpoint.com> To: yashy@yashy.com Subject: fi ll news Date: Mon, 27 Feb 2006 19:24:50 -0500 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_0001_01C63BD3.7A784B40" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1106 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
The line you will want to pay attention to in determining the culprit is the last "Received:" header. In this case there is only one.
Received: from dmccapital.com (142.12.233.220.exetel.com.au [220.233.12.142])
Ignore the DNS as it could be spoofed, it is the IP in brackets that you really want to investigate further.
$ host 220.233.12.142 142.12.233.220.in-addr.arpa domain name pointer 142.12.233.220.exetel.com.au.
so the DNS was correct. You can find the upstream provider by using traceroute, it is usually the host before the last one. You will want to email abuse@ of the responsible domain. In this case, that domain is exetel.com.au, although I will also email abuse@com.au as I can't be assured that the spammer doesn't own the exetel subdomain.
So now I've done my homework, I forward the spam to both abuse@com.au and abuse@exetel.com.au making sure that the email headers are included. Don't expect a personalized reply, as you can imagine, system administrators are often really busy handling such complaints.
DoS example
If someone is attacking you via DoS, or any any malicious activity worth reporting, you will need three items.
1. Logs with the IP address of the attacker You will want to log as much as you can with a sniffer. You want also want to check out your open ports, as often an attacker will setup an IRC session. Here is the lsof log example showing exactly that:
# lsof | grep irc portmap 73690 mailman 9u IPv4 0xd5cc6540 0t0 TCP home.machine.com:4662->remote.attacker.example.com:ircd (ESTABLISHED) portmap 73690 mailman 10u IPv4 0xd5d91400 0t0 TCP home.machine.com:4663->remote.attacker.example.com:ircd (ESTABLISHED)
2. Email address of the responsible abuse department. Luckily for us, abuse@ is a standard email username used for reporting abuses, so now we just have to determine the proper domain name. This will most often be the domain name of the 2nd last "hop" in a traceroute. In this case, we will remove the hostname (remote) and contact both the subdomain (attacker) owner in the example, but also the domain abuse department. abuse@attacker.example.com and abuse@example.com is who we will contact.
3. The email. This is the most important part if you want your email to be acknowledged, read and reacted to. A few hints: 1. Gather as much evidence as appropriate. You don't want to email a 20M tcpdump log unless it is asked for, but you do want to include at least a snippit of logs showing the IP of the attacker. 2.Look professional. Do all the research you can beforehand. If any part of the this wiki page doesn't make sense to you, follow the links so you fully understand the text. Follow proper email etiquette. You will want all of your research summarized in a single email. You do not want an email that has no evidence of an attack, but you also don't want 10 emails each with a little bit more as you do your research.
Example email:
To: abuse@example.com Cc: abuse@attacker.example.com Dear sirs, I've recently been attacked by a host which I believe to be on your network. I believe the attacker has remotely compromised my mailman application. The machine in question is remote.attacker.example.com. as you can see by the log below. If you require further logs or information, feel free to contact me. Thanks in Advance, -- Sean Jones System Administrator home.lan. # lsof | grep irc portmap 73690 mailman 9u IPv4 0xd5cc6540 0t0 TCP home.lan:4662->remote.attacker.example.com:ircd (ESTABLISHED) portmap 73690 mailman 10u IPv4 0xd5d91400 0t0 TCP home.lan:4663->remote.attacker.example.com:ircd (ESTABLISHED)