CERT Warning


DjM
January 24th, 2005, 06:52 PM
Someone just forwarded an e-mail warning from CERT. The e-mail reads as follows:

US-CERT has received a report today, indicating that extensive attacks and system compromises (exploit unknown at this time) have originated from the following IP addresses.

200.128/16
200.222.216.133
200.149.99.228

Very little technical detail is available at this time. US-CERT requests that each recipient check your logs from 1 Jan 05 to present. Provide US-CERT or Control Systems Center your results either positive or negative.

Preliminary analysis indicates that the activity initiated from these IPs appear to have been made by a group rather than an individual. More than 526 exploit attempts have been noted. The attacks seem to have targeted specific IPs, not ranges of IPs. Only servers were attacked. No desktop machines were observed to be scanned or targeted for attack. Initial attacks were automated, followed by manual hands-on attacks. All of the attacked servers were running a Microsoft Windows Operating System and at least one was fully patched when compromised.

Please disseminate to your owner operators ASAP so US-CERT can judge the national impact of these compromised systems.

Please review any contact with the above systems through logs, fw's, and IDS's and report back through the ISAC or directly to US-CERT or me directly at david.n.sanders@dhs.gov. I cannot stress enough the seriousness of these attacks. Response teams have been deployed to deal with system compromises from NCSD.
best regards,

David N Sanders
Director, Control Systems Center
National Cyber Security Division
Department of Homeleand Security
703-915-8769
703-235-5193


Now I checked CERT (I still am) and couldn't find anything, so I thought I'd check here to see if anyone has got any info on this or if it's just a Hoax.

Cheers:
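The forwarded message asks each recipient to review logs from 1 Jan 05 onward for contact with the listed addresses. The following is an added example (not part of the original post, and not US-CERT's tooling) that does that over a constructed sample firewall log, reading the shorthand 200.128/16 as the network 200.128.0.0/16:

```python
import ipaddress
from datetime import datetime

# Indicators exactly as listed in the forwarded message;
# "200.128/16" is read as the network 200.128.0.0/16.
INDICATORS = [
    ipaddress.ip_network("200.128.0.0/16"),
    ipaddress.ip_network("200.222.216.133/32"),
    ipaddress.ip_network("200.149.99.228/32"),
]
# The message asks for log review from 1 Jan 05 onward.
START = datetime(2005, 1, 1)

# Constructed sample firewall log (not from the page), one event per line:
# "<date> <time> <src_ip> -> <dst_ip>:<port> <action>"
SAMPLE_LOG = """\
2004-12-30 23:59:01 200.128.4.9 -> 10.0.0.5:445 DROP
2005-01-03 02:14:55 200.128.77.1 -> 10.0.0.5:80 ACCEPT
2005-01-10 11:02:07 200.222.216.133 -> 10.0.0.9:135 ACCEPT
2005-01-12 08:30:00 200.123.1.1 -> 10.0.0.9:80 ACCEPT
2005-01-15 19:45:13 200.149.99.228 -> 10.0.0.5:3389 DROP
"""

def matching_indicator(ip):
    """Return the listed network that contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for net in INDICATORS:
        if addr in net:
            return net
    return None

def check_logs(text, since=START):
    """Return (timestamp, src, dst, action) for every event at or after
    `since` whose source address is inside a listed indicator."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[3] != "->":
            continue  # skip lines that do not follow the sample format
        when = datetime.strptime(f"{parts[0]} {parts[1]}", "%Y-%m-%d %H:%M:%S")
        if when < since:
            continue
        if matching_indicator(parts[2]) is not None:
            hits.append((f"{parts[0]} {parts[1]}", parts[2], parts[4], parts[5]))
    return hits

if __name__ == "__main__":
    for hit in check_logs(SAMPLE_LOG):
        print("contact with listed address:", *hit)
```

Note that 200.123.1.1 does not match: the /16 covers only 200.128.x.x, not everything under 200.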

zencoder
January 24th, 2005, 07:27 PM
A cursory glance at us-cert.gov shows nothing. Digging a bit through the official Dept. of Homeland Security site doesn't show any Control Systems Center, nor a Director David N Sanders. A google of 'control systems center site:dhs.gov' returns -0- hits, and a search for Sanders at same doesn't return a David N Sanders.

It's some sort of hoax, joke(?), or spam, I'd bet. It could still be legit, I'm not the first person to not have known of the existence of an organization within the US federal gov't (hehe), but I'd question the source that forwarded it to you. I haven't bothered to check the phone numbers via a reverse lookup. I'm on the CERT mailing list, and this is unfamiliar to me.

If anything, it is a social engineering/spam-smurf attack against the email box of david.n.snaders@dhs.gov ...which makes it elementary but ingenious in my book. Send out an official looking message, asking for tons of logs to be sent to an email address of some prominent official who you want to bog down... ;)

/* edit for my sh!tty grammar */

nihil
January 24th, 2005, 07:29 PM
Looks like a hoax........................

526 exploit attempts....................chickenfeed!

Uruguay??????????????

c'mon



:)

DjM
January 24th, 2005, 07:29 PM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=265522#post819010) by zencoder
A cursory glance at us-cert-gov shows nothing. Digging a bit through the official Dept. of Homeland Security doesn't show a Control Systems Center, nor a Director David N Sanders. A google of control systems center site:dhs.gov returns -0- hits, and a search for Sanders at same doesn't return a David N Sanders.

It's some sort of hoax, bs, or spam, I'd bet. It could still be legit, I'm not the first person to not have known of the existence of an organization within the US federal gov't (hehe), but I'd question the source that forwarded it to you. I haven't bothered to check the phone numbers via a reverse lookup. I'm on the CERT mailing list, and this is unfamiliar to me.

If anything, it is a social engineering/spam-smurf attack against the email box of david.n.snaders@dhs.gov ...which makes it elementary but ingenious in my book. Send out an official looking message, asking for tons of logs to be sent to an email address of some prominent official who you want to bog down... ;)

My source said he copied it directly from here:

https://us-cert.esportals.net/member/mail3/index.cfm?id=10987&compartmentP=2135

Now I am not a member so I can't log-in to verify.

Cheers:

nihil
January 24th, 2005, 07:34 PM
I don't think that security alerts of that nature come out on secure sites, it would kind of defeat the object would it not?

On the other hand, as it cannot be readily verified or otherwise?.....................

EDIT:

Department of Homeland Security, National Cyber Security Division

Mr. Sanders is the Director of the Critical Infrastructure Protection and Cyber Security within the Department of Homeland Security, National Cyber Security Division. The National Cyber Security Division provides for 24 x 7 cyber security functions, including conducting cyberspace analysis, issuing alerts and warning, improving information sharing, responding to major incidents, and aiding in national-level recovery efforts.

Most recently Mr. Sanders was the founder and President of the information security firm Securicon. He served as an executive level consultant to some of the largest corporate and government agencies in the world on matters of information security and risk management. Previously, Mr. Sanders was the Senior Security Consultant for Riptech, Inc. until its acquisition by Symantec Corporation.

Mr. Sanders spent 20 years in the United States Army and served in a variety of assignments including Infantry, Armor, tactical and strategic satellite, and with the National Command Authority.

David.N.Sanders@dhs.gov

Office: 703-915-8769

zencoder
January 24th, 2005, 07:39 PM
It may be an internal request. Upon following the link and being greeted by:
ATTENTION:
This is a restricted system.
Unauthorized use of this system is prohibited.

and seeing Secure Portal User Login at the top, I don't think this is intended for mass distribution. I don't know if it's a major problem that it's out, but then I could be wrong. Anyone bother to see where those IPs are from? I don't recognize the 200. octet.

nihil
January 24th, 2005, 07:46 PM
Montevideo, Uruguay

:D

morganlefay
January 24th, 2005, 07:51 PM
200.122.216.133 =Brazil
telmar.net.br

???
MLF

nihil
January 24th, 2005, 08:06 PM
Yes, it is Brasil,

new whois tool :)

This is what CIAC have to say:

Real warnings about viruses and other network problems are issued by computer security response teams (CIAC, CERT, ASSIST, NASIRC, etc.) and are digitally signed by the sending team using PGP

No digital signature?

chsh
January 24th, 2005, 09:25 PM
Hey, it must be boring at CERT, maybe that's just a joke internal only type thing that they write up just for kicks.
Or it could be real and you're not supposed to be sending it around.

lucktsm
January 24th, 2005, 09:29 PM
200.0.0.0 is on my block list, I have had strange and questionable traffic from here. I don't need to get any traffic from here so I just block the subnet.

No offense Brazil... I still love Brazil =)

DjM
January 24th, 2005, 10:07 PM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=265522#post819049) by chsh

Or it could be real and you're not supposed to be sending it around.

You may be right chsh, however, if it is real and it's having an impact on the "members" of that site, does it not affect us all? Why are we (the unwashed security professionals) not allowed to have access to this information which may (or may not) have an impact on the networks we are paid to protect?

If there is something going on out there, don't we all have to know about it so we can take steps to protect/stop the attacks?

Cheers:

;TT
January 24th, 2005, 10:19 PM
Department of Homeleand Security

^^^^

Never knew the Department of Homeland Security changed their names.

zencoder
January 24th, 2005, 10:25 PM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=265522#post819055) by DjM
(the unwashed security professionals)

First off ... ROTFL ... nice! I like that muchly, and will use it to skewer my DoD-employed brethren at the next InfoSec Geek Association meeting I go to (there's a heavy US gov't presence in my home city, so a large portion of our group is from Military/gov't contract agencies. Read: clearances, and lots of them.)

OK...you've answered your own question. Since when does the federal government (here in Apple Pie land) tell us everything they are doing? Also, I'd say the message looks like they are trying to gather info and assess what is going on...so why make a big announcement that says "We are tracking something! Maybe! It could be nothing, really, but we don't know yet! More to come later!"

It's probably a 'short list announcement/request for info' so they can figure out what it really is they're seeing, or what the scope of a known issue really is. Then we'll know (or maybe not) when they make a formal announcement (or not.)

zencoder
January 24th, 2005, 10:29 PM
Yup, request for info:
Please disseminate to your owner operators ASAP so US-CERT can judge the national impact of these compromised systems.
They are still trying to figure out WTF, over?

DjM
January 24th, 2005, 10:34 PM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=265522#post819057) by zencoder
Since when does the federal government (here in Apple Pie land) tell us everything they are doing?

Correct me if I am wrong, but when did CERT become controlled by the federal government? Now I know a lot has changed, but I thought CERT was a public service resource.

I go with the old saying, if we are not part of the solution, we are then part of the problem, we need information in order to help with that.

my 2 cents (Canadian)

Cheers:

nihil
January 24th, 2005, 10:42 PM
CERT changed sometime after 9/11

Department of Homeleand Security

About the same time the little bastards forgot how to spell............. :D

That is the footer/signature.............it does not get re-typed every time if the communication is genuine...........................

526 "ATTACKS" not systems taken over...............hell that is a real threat to national security...........unless of course they are NORAD, COMSUBPAC, SAC and the rest.......................

HOAX......................... :cool:

DjM
January 24th, 2005, 10:50 PM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=265522#post819061) by nihil
CERT changed sometime after 9/11

True, but why haven't some other sites started to post about these attacks, most notably the Internet Storm Center (http://isc.sans.org/).

They, IMHO are a lot faster at picking up these things than CERT.

Cheers:

morganlefay
January 24th, 2005, 10:52 PM
Good eye Nihil

About the same time the little bastards forgot how to spell.............

MLF

nihil
January 24th, 2005, 11:16 PM
Actually Morgana, it was TT who confirmed it to me............it was not a correct English spelling, but we are used to differences between UK and US spellings :D

The numbers are all wrong.....................526?.................someone like CERT does not publish until they know...............

DjM called it:

They, IMHO are a lot faster at picking up these things than CERT

;)

jinxy
January 25th, 2005, 12:11 AM
My source said he copied it directly from here:

https://us-cert.esportals.net/membe...mpartmentP=2135

Now I am not a member so I can't log-in to verify.

Cheers:

The URI above points to a page connected to these people: http://www.espgroup.net/ns_4x/index.htm

Does CERT not host their own web pages?

zencoder
January 25th, 2005, 04:51 AM
I think the key being missed in most of the discussion here is the fact that the page is not accessible to the general public. You must have a login to the site to *properly* access the information. So despite whatever US-CERT/DHS does behind the scenes to gather information and track trends, this is not an official alert or anything of the sort. Keep that in mind when looking through this thread. This is something that was forwarded and posted here...NOT a public announcement.

nihil
January 25th, 2005, 11:02 AM
Hmmmmmm,

The site referred to has now vanished


I guess it was getting too many hits?

MrLinus
January 25th, 2005, 11:14 AM
The site is still up. The quoted link tends to shrink down with extra ellipses. You can access it here (https://us-cert.esportals.net/member/mail3/index.cfm?id=10987&compartmentP=2135).

You know, perhaps for future reference (and I'm surprised no one asked) but check the header info to verify the source of the email?

Additionally, has anyone notified CERT as a potential attempt to phish for the accounts of those going to the real version of this site?

Interestingly, there is also this site (https://odp.esportals.com/).

Seems to me that the US gov't wouldn't do this and if these were legit (which I question if they are) there'd be a link from here (http://www.dhs.gov/dhspublic/index.jsp)
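Two checks raised in this thread, nihil's point that genuine team warnings carry a PGP signature and MrLinus's suggestion to verify the source from the mail headers, as one added example (not from any poster, and not a US-CERT or DHS tool). The message, the host names and the addresses are constructed; the From: claims dhs.gov while the earliest Received: hop is an unrelated relay:

```python
import re
import email
from email import policy
from email.utils import parseaddr

# Constructed sample message (not the page's e-mail). The From: header
# claims dhs.gov, but the earliest Received: hop is an unrelated relay.
SAMPLE_RAW = """\
Received: from mail.example.org (mail.example.org [192.0.2.10])
\tby mx.corp.example with ESMTP; Mon, 24 Jan 2005 18:30:00 -0500
Received: from relay.freemail.example (relay.freemail.example [198.51.100.7])
\tby mail.example.org with SMTP; Mon, 24 Jan 2005 18:29:41 -0500
From: David N Sanders <david.n.sanders@dhs.gov>
To: soc@corp.example
Subject: CERT Warning
Content-Type: text/plain

US-CERT has received a report today ...
"""

# "from <helo name> (<reverse-dns name> [<ip>])" as written by most MTAs
HOP_RE = re.compile(r"from\s+(\S+)\s+\((\S+)?\s*\[([\d.]+)\]")

def received_hops(msg):
    """Parse each Received: header into (helo_name, rdns_name, ip).
    Headers are listed newest-first, so the last entry is the earliest hop."""
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(value)
        if m:
            hops.append((m.group(1), m.group(2) or "", m.group(3)))
    return hops

def check_sender(raw):
    """Return the findings a responder would want before acting on a warning."""
    msg = email.message_from_string(raw, policy=policy.default)
    _, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower()
    hops = received_hops(msg)
    origin = hops[-1] if hops else ("", "", "")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    signed = (msg.get_content_type() == "multipart/signed"
              or "-----BEGIN PGP SIGNED MESSAGE-----" in text)
    return {
        "from_domain": from_domain,
        "origin_host": origin[1] or origin[0],
        "origin_ip": origin[2],
        # Only the hop stamped by your own mail server is trustworthy;
        # earlier Received: lines can be written by the sender.
        "origin_matches_sender": origin[1].lower().endswith(from_domain),
        "pgp_signed": signed,
    }
```

Neither finding proves a hoax on its own, but an unsigned warning whose first hop is outside the claimed sender's domain is exactly the case where the thread's advice to confirm with the source first applies.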

nihil
January 25th, 2005, 12:36 PM
Well esportals, espgroup and this lot:

http://www.semperfiglobal.com/main.htm

Seem a bit too complex for a phishing attack. There is a demo of the esportals service about half way down the semperfi site.

Cybercops is another outfit that uses them.

Is this not typical of a hoax?...............they usually quote Microsoft, or IBM or Symantec or some other "reliable" source.....................this is a bit more subtle...........a secure security related site, that you cannot check out.

Seems to me that the US gov't wouldn't do this

I am not so sure, there does seem to be a tendency for them to outsource/subcontract all sorts these days, and as this seems to relate to interfaces with the public sector, it would provide a sort of cordon sanitaire?

EDIT here is some more info about the secure portal:

http://64.233.183.104/search?q=cache:Fu6hf9w_stQJ:www.dem.dcc.state.nc.us/HomelandSecurity/library/ODP/info101SecurePortalFacts.pdf+esportals&hl=en

This is an interesting overview of how the portal is secured:

http://www.securitymanagement.com/library/001627.html

DjM
January 25th, 2005, 03:12 PM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=265522#post819115) by MsMittens
The site is still up.

You know, perhaps for future reference (and I'm surprised no one asked) but check the header info to verify the source of the email?

Additionally, has anyone notified CERT as a potential attempt to phish for the accounts of those going to the real version of this site?

The e-mail was sent to me from an employee of our company (header records confirmed), this employee says he has access to that site and the information in the e-mail was a cut and paste from the site. Now before you ask, I can't go see the employee to verify (he's about 3000 miles from me) and he doesn't want to pass on his id and password to me. (I trained him well :D )

I have sent an e-mail to CERT, but as yet, I have had no reply.

Cheers: