On Fri, 29 Aug 2008 09:51:39 +0200 Sagr spamcatcher@suffolk-ancestor-genealogy-research.co.uk allegedly wrote:
Thanks to MJR, Wayne, Adrian, Dan and others who offered advice. We have now finished rebuilding my friend’s server and, now that the dust has settled and the anger and frustration have died down, we have to admit it has not been a totally bad experience. It provided us with a good excuse, and opportunity, to reinstall everything from the ground up and made us realise what an enormous collection of no-longer-used scripts he had collected on his old machine; they were very handy at the time he installed them but he had forgotten to remove them once the need had passed.
My apologies for coming late to this discussion, but I have just returned from a holiday on the Isle of Man.
Firstly I would like to echo the views already expressed about any thoughts of counter attack. Just don't. Apart from being illegal, it would be pointless. In all probability the "attacking" IP is an innocent third party previously compromised and now part of a botnet. It /is/ however, worth contacting the "abuse@" address of the ISP hosting that address. At the very least they will wish to know that they are hosting potential hostiles.
Secondly, please do try to contact your local police and ask for the computer crime team. Many forces do now have some expertise in computer forensics and may be able to help. But don't be surprised if the first person you talk to is not sure how to help. Be persistent. Unfortunately, the old NHTCU no longer exists, but some forces, notably the Met CCU, have some very good and enthusiastic officers willing to help.
Thirdly, please do /not/ go direct to CERT at Carnegie Mellon. Instead contact the UK CSIRT at csirtuk@cpni.gsi.gov.uk if you wish to send sensitive information (their public key may be found at http://www.cpni.gov.uk/key.aspx) or if you just want to report the general outlines of the attack, then send an email to infosec@cpni.gov.uk. (See http://www.cpni.gov.uk/MethodsOfAttack/report.aspx for details).
CPNI is the national authority for protective security advice in the UK. It subsumed the responsibilities of the old NISCC last year but still includes the old CSIRT responsibilities. CPNI's focus is on national infrastructure protection (hence the name) so they pay particular attention to attacks on things like telcos, energy providers etc. but they do like to know about wider attack patterns because it adds to their intelligence about activity in the UK. After all, attacks have to come from somewhere and national CERTs routinely share information about attack profiles and patterns. Each national CERT relies upon the intelligence it gains from such trusted partners to enable them to do their jobs. So even if you believe that CSIRTUK won't care about a particular attack, they might see it as a symptom of a wider pattern of activity. Or they might be seeing reports of attacks on other nations coming from IPs in the UK. In such a case they would almost certainly like to know about your (apparently minor) incident - particularly if it gave them the possibility of getting hold of malware samples or attack signatures (one more reason to be careful in your clean up).
CPNI also provide some useful advice at http://www.cpni.gov.uk/MethodsOfAttack/electronic.aspx. See, for example, the First Responders Guide at http://www.cpni.gov.uk/Docs/re-20051004-00868.pdf. There is also a lot of helpful guidance at http://www.cpni.gov.uk/Products/technical.aspx.
Mick
---------------------------------------------------------------------
The text file for RFC 854 contains exactly 854 lines. Do you think there is any cosmic significance in this?
Douglas E Comer - Internetworking with TCP/IP Volume 1
http://www.ietf.org/rfc/rfc854.txt
---------------------------------------------------------------------