Halliburton's ear is to the ground?

Re: Halliburton's ear is to the ground

Postby Et in Arcadia ego » Wed Apr 26, 2006 10:35 am

I must be moving up in the world, I scored my own hit:

http://img283.imageshack.us/my.php?image=attackdetection8ri.jpg

All I can get from my acquaintance is that they're looking into it.

Edited by: et in Arcadia ego at: 4/26/06 8:39 am

Re: Halliburton's ear is to the ground

Postby thoughtographer » Wed Apr 26, 2006 11:07 am

Interesting. Is that the first one you've had?

Quote:
OrgAbuseHandle: IAP2-ARIN
OrgAbuseName: IP Abuse POC
OrgAbusePhone: +1-281-575-3000
OrgAbuseEmail: ipabuse@halliburton.com

Maybe make a "legitimate" abuse claim through the "proper" channels, and see how they handle it?

"A crooked stick will cast a crooked shadow."

Re: Halliburton's ear is to the ground

Postby Et in Arcadia ego » Wed Apr 26, 2006 11:17 am

Yeah, that's the first I've seen personally on my own machine. SAP had an amusing comment when I posted the screenshot:

"That would be great- Sickle could be an "off the books enforcer of halliburton IT security"

At least we have humor..

Re: Halliburton's ear is to the ground

Postby Et in Arcadia ego » Wed Apr 26, 2006 11:20 am

Quote:
Maybe make a "legitimate" abuse claim through the "proper" channels, and see how they handle it?

Just sent an email.

Re: Halliburton's ear is to the ground

Postby Et in Arcadia ego » Wed Apr 26, 2006 11:27 am

And the reply came back in less than 5 minutes:

To Whom It May Concern:

Only a small subset of the 34.x.x.x address space you have referenced in your email is published on the internet; therefore any network traffic such as port scanning or unsolicited email from outside the 34.248.0.0/13 range has been spoofed and is not originating from our network.

Halliburton is aware of the impact and is against the sending of unsolicited direct marketing emails and takes every measure possible to verify that we are not the source of any unsolicited emails or unauthorized port scanning.

If you are seeing unwarranted network traffic to your computer from a 34.x.x.x address the ip header information has been modified to display an incorrect address and is not originating from our network.

We apologize for the inconvenience and understand the frustration involved in these types of annoyances, but currently we are unable to assist any further in locating the origin of the email or network traffic that you are reporting.

To learn more here is a link to an anti-spam site spam.abuse.net <http://spam.abuse.net/>

To learn more about port scanning see http://www.cs.wright.edu/~pmateti/Courses/499/Probing/

To learn more about IP Spoofing see <http://www.securityfocus.com/infocus/1674>

UPDATE 4-1-2006: If your email referenced the ip address 34.168.1.34 this address is not active on our network and the packet header has been modified to hide the true identity of the originating source. We have collected a large amount of data pertaining to this traffic and contacted law enforcement officials to pursue the responsible parties. If you wish to take further precautions we recommend blocking traffic outside the 34.248.0.0/13 subnet of the 34.0.0.0/8 network using your firewall or other tools.

HALLIBURTON
Internet Traffic Task Force
Houston, TX 77042-3021
ipabuse@halliburton.com
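Added example (not part of the thread or of the quoted e-mail): the reply's closing recommendation worked through in Python. It derives the CIDR blocks that cover 34.0.0.0/8 outside 34.248.0.0/13 and labels the source addresses found in firewall log lines; the two ranges are used exactly as the reply states them, while the log format, the sample lines and the function names are constructed for illustration.

```python
import ipaddress
import re

ALLOCATION = ipaddress.ip_network("34.0.0.0/8")    # whole block named in the reply
PUBLISHED = ipaddress.ip_network("34.248.0.0/13")  # part the reply says is published


def block_list():
    """CIDR blocks covering 34.0.0.0/8 minus the published 34.248.0.0/13."""
    return sorted(ALLOCATION.address_exclude(PUBLISHED))


def classify(addr):
    """Label a source address against the two ranges from the reply."""
    ip = ipaddress.ip_address(addr)
    if ip in PUBLISHED:
        return "published"      # inside the range the reply says is in use
    if ip in ALLOCATION:
        return "unpublished"    # per the reply: not announced, source is forged
    return "other"


# Constructed sample lines in a made-up personal-firewall log format.
SAMPLE_LOG = """\
2006-04-26 10:31:02 DROP TCP 34.168.1.34:40000 -> 192.0.2.10:80
2006-04-26 10:31:09 DROP TCP 34.250.7.9:4431 -> 192.0.2.10:135
2006-04-26 10:32:40 DROP UDP 198.51.100.23:53 -> 192.0.2.10:1029
2006-04-26 10:33:00 DROP TCP 999.1.1.1:80 -> 192.0.2.10:1041
"""

SRC = re.compile(r"\b(?:TCP|UDP) (\S+):\d+ -> ")


def triage(log_text):
    """Return (source, label) per logged packet; bad addresses are 'invalid'."""
    results = []
    for src in SRC.findall(log_text):
        try:
            label = classify(src)
        except ValueError:
            label = "invalid"
        results.append((src, label))
    return results


if __name__ == "__main__":
    print("block:", ", ".join(str(net) for net in block_list()))
    for src, label in triage(SAMPLE_LOG):
        print(f"{src:15} {label}")
```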

Re: Halliburton's ear is to the ground

Postby thoughtographer » Wed Apr 26, 2006 11:41 am

Given the number of complaints I've seen regarding that specific address so far, it doesn't surprise me that they have a canned response prepared for these reports.

Someone who's a repeated target should capture the packets and publish the information for public analysis. Or, maybe a honeypot machine could be set up.

Re: Halliburton's ear is to the ground

Postby Et in Arcadia ego » Wed Apr 26, 2006 12:44 pm

How does one go about capturing the packets? Also, note the date of the update part of the email: 4-1-2006. Apparently, this has been going on for some time before that date..

Edited by: et in Arcadia ego at: 4/26/06 10:45 am

Re: Halliburton's ear is to the ground

Postby thoughtographer » Wed Apr 26, 2006 1:09 pm

Quote:
How does one go about capturing the packets?

What platform are you using? For Windows, WinPcap (http://www.winpcap.org/) will get the job done -- Ethereal (http://www.ethereal.com/) is also quite popular. If you're using Linux, a BSD derivative or some other UNIX variant, you probably wouldn't be asking, but the tools are many and varied -- some usually being packaged with the OS.

Quote:
Also, note the date of the update part of the email: 4-1-2006. Apparently, this has been going on for some time before that date..

Yeah, I did notice that. April Fool's! Someone must have started early. In a way, if this is similar in intention to the "pointing at poindexter" efforts starting in 2002, I'd almost like to see it continue as long as it's just knocking on people's door and not actually intruding and causing damage. If the intent is malicious, then it's reprehensible on many levels, regardless of the source.

Re: Halliburton's ear is to the ground

Postby Et in Arcadia ego » Wed Apr 26, 2006 1:19 pm

I'm on windoze. Will those apps do their job from behind my firewall, or..

I don't know jack about doing this kind of stuff, tbh.

Re: Halliburton's ear is to the ground

Postby thoughtographer » Wed Apr 26, 2006 8:11 pm

The short answer is "yes", you can use these from behind your firewall but of course, the specifics of the issue are where the problems come up. Worst case would be that you'd have to redirect the targeted ports to point at the machine running the capture application. I'd be willing to help if you could give me some specifics -- I may be able to walk you through if you need help. The problem is that you'd need to capture a large amount of packets in order to get a hit, which is why it would be more fruitful to set up a honeypot machine to provoke the attack and capture the attack to study it. The headers and payload (if any) of any packets coming from the suspect IP could then be examined at your leisure, or offered for other users for public examination. I don't linger in the communities who do this type of thing, so I wouldn't really know where to start, but I've been thinking about this sort of thing lately. I would suspect that not many people (present company accounted for, of course) consider the parapolitical implications of spurious network activity like this.

Edited by: thoughtographer at: 4/26/06 6:43 pm
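Added example, not part of the thread: what examining the headers of packets from the suspect address can look like once a capture exists. It assumes a classic libpcap-format file with Ethernet framing, which is a format Ethereal can save; the two packets, their field values and the function names are constructed for illustration.

```python
import socket
import struct

SUSPECT = "34.168.1.34"  # address named in the abuse desk's reply on this page


def build_sample_pcap():
    """Constructed capture: two Ethernet/IPv4/TCP SYN packets, one from SUSPECT."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, src, ttl, ip_id in ((1146047700, SUSPECT, 47, 0x1234),
                                (1146047701, "198.51.100.23", 118, 0x0042)):
        eth = b"\x02\x00\x00\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x02" + b"\x08\x00"
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, ip_id, 0, ttl, 6, 0,
                         socket.inet_aton(src), socket.inet_aton("192.0.2.10"))
        tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 0x50, 0x02, 8192, 0, 0)
        frame = eth + ip + tcp
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out


def headers_from(pcap, wanted_src):
    """Yield IPv4/TCP header fields for packets whose source is wanted_src."""
    magic, linktype = struct.unpack_from("<I16xI", pcap, 0)
    if (magic, linktype) != (0xA1B2C3D4, 1):
        raise ValueError("expected little-endian classic pcap, Ethernet link type")
    pos = 24  # first record follows the 24-byte global header
    while pos + 16 <= len(pcap):
        ts, _, incl, _ = struct.unpack_from("<IIII", pcap, pos)
        frame = pcap[pos + 16:pos + 16 + incl]
        pos += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # truncated frame or not IPv4
        ihl = (frame[14] & 0x0F) * 4
        ip_id, _, ttl, proto = struct.unpack_from("!HHBB", frame, 18)
        src = socket.inet_ntoa(frame[26:30])
        if src != wanted_src:
            continue
        rec = {"ts": ts, "src": src, "ttl": ttl, "id": ip_id, "proto": proto}
        tcp = frame[14 + ihl:]
        if proto == 6 and len(tcp) >= 14:
            rec["sport"], rec["dport"] = struct.unpack_from("!HH", tcp, 0)
            rec["flags"] = tcp[13]  # 0x02 is SYN
        yield rec


if __name__ == "__main__":
    for record in headers_from(build_sample_pcap(), SUSPECT):
        print(record)
```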
