Have you tried the abuse email address associated with the company's
netblock?  I've used that with varying degrees of results.  It seems like
the larger organizations respond to the address, though you may not get the
help you want.  However, I have seen it work pretty well.  The best
experience I've seen was with an extremely large company.  The security
engineer emailed a summary of the event to the abuse address and had a
positive response in short order.  Within a week or two the event was fully
diagnosed and resolved.

Jason

On Mon, Oct 19, 2009 at 2:28 PM, Ben Greenfield <[email protected]> wrote:

> I can't divulge a ton of information, but this is the scenario I'm looking
> at:
> 1) Client has server that gets malware infection
> 2) Logs show server reaching out to an IP address for FTP
> 3) IP used to have a DNS record for a mega corporation
> 4) Client may be running product that legitimately accesses said IP, or
> said IP may be compromised under said mega corporation's nose or the IP
> may no longer belong to said corporation.
>
> I've tried calling 3 different regional offices of the said
> corporation looking for someone in either internal audit, internal
> security, network operations, or public relations.  Corporate
> operators don't seem to want to help out of fear of violating policy
> of not transferring callers, so I've only been able to get to tech
> support (who blow this off because it's not about said corporation's
> product) and a single person in public relations who isn't returning
> calls (yet).
>
> How would you proceed?  At this point I'm just trying to figure out if
> the corporation does or does not own the IP anymore.  I've obviously
> already tried whois, reverse lookups, google, and the like.
>
> I think this also brings up another issue.  In this case, I'm not even
> sure whether the FTP server is malicious or not, I'm just trying to establish
> ownership.  What if I knew 100% that this thing was hosting malware -
> it could ruin this corporation's public image if that got out - yet
> this corporation has no clear path for me to report this to them.
> Obviously, in the hypothetical scenario full disclosure would be an
> option, but both because I don't know for certain if the IP hosts
> malware right now, and because I'm under NDA, that is not a
> responsible or even possible option.
>
> So I guess I have two questions on this:
> The philosophical - what's the best way for an organization to deal
> with this scenario (i.e. making themselves available so they don't get
> embarrassed with a full disclosure)?
> The applied - If I can't get someone from public relations / network
> operations / internal audit on the line because of the corporation's
> policies, how would you go forward in establishing ownership?
> _______________________________________________
> Pauldotcom mailing list
> [email protected]
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
>



-- 

irc: Tadaka
Twitter:  Jason_Wood
jwnetworkconsulting.com
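The two practical steps in this thread, confirming that the netblock a registry returns actually covers the IP seen in the logs and then pulling the abuse mailbox for that block, can be done from the registry data itself. The script below is an added example written for this page, not code from either poster: it parses an RDAP "ip network" object (field names as defined in RFC 9083) and a legacy ARIN/RIPE-style whois text, checks that the block contains the IP, and returns the abuse contacts. The RDAP and whois records embedded here are constructed samples in the 192.0.2.0/24 documentation range with example.com mailboxes; the field names OrgAbuseEmail, abuse-mailbox, NetRange, inetnum, CIDR and route are the ones the registries use, but the values are made up. Fetching the real records (for example from an RDAP server or a whois client) is left to the caller.

```python
"""Find the abuse contact for an IP from RDAP or legacy whois output.

Added example: confirm the registry block covers the IP from the logs,
then extract the abuse mailbox to report to. Sample records below are
constructed (documentation range 192.0.2.0/24, example.com), not real.
"""
import ipaddress
import json
import re

# Constructed RDAP "ip network" object using RFC 9083 field names. Not a real record.
SAMPLE_RDAP = json.dumps({
    "objectClassName": "ip network", "handle": "NET-192-0-2-0-1",
    "startAddress": "192.0.2.0", "endAddress": "192.0.2.255", "name": "EXAMPLE-NET",
    "entities": [{
        "objectClassName": "entity", "handle": "EXAMPLE-ORG", "roles": ["registrant"],
        "vcardArray": ["vcard", [["fn", {}, "text", "Example Corp"]]],
        "entities": [
            {"objectClassName": "entity", "handle": "ABUSE-EX", "roles": ["abuse"],
             "vcardArray": ["vcard", [["fn", {}, "text", "Abuse Desk"],
                                      ["email", {}, "text", "abuse@example.com"]]]},
            {"objectClassName": "entity", "handle": "TECH-EX", "roles": ["technical"],
             "vcardArray": ["vcard", [["email", {}, "text", "noc@example.com"]]]},
        ],
    }],
})

# Constructed ARIN-style whois text for the same block. Not a real record.
SAMPLE_WHOIS = """\
NetRange:       192.0.2.0 - 192.0.2.255
CIDR:           192.0.2.0/24
NetName:        EXAMPLE-NET
OrgName:        Example Corp
OrgAbuseEmail:  abuse@example.com
OrgTechEmail:   noc@example.com
"""


def _vcard_emails(entity):
    """Return the email values in an entity's jCard (vcardArray), if any."""
    vcard = entity.get("vcardArray") or ["vcard", []]
    return [prop[3] for prop in vcard[1] if prop[0] == "email"]


def rdap_abuse_contacts(rdap_json):
    """Walk nested RDAP entities and return emails of those with the abuse role."""
    found = []

    def walk(entities):
        for ent in entities:
            if "abuse" in ent.get("roles", []):
                found.extend(_vcard_emails(ent))
            walk(ent.get("entities", []))  # abuse contacts are often nested under the org

    walk(json.loads(rdap_json).get("entities", []))
    return found


def rdap_covers(rdap_json, ip):
    """True if the RDAP network object's startAddress..endAddress range contains ip."""
    obj = json.loads(rdap_json)
    addr = ipaddress.ip_address(ip)
    return (ipaddress.ip_address(obj["startAddress"]) <= addr
            <= ipaddress.ip_address(obj["endAddress"]))


# ARIN labels the field OrgAbuseEmail; RIPE, APNIC and others use abuse-mailbox.
_ABUSE_LINE = re.compile(r"^(?:OrgAbuseEmail|abuse-mailbox):\s*(\S+)", re.I | re.M)
_RANGE_LINE = re.compile(r"^(?:NetRange|inetnum):\s*(\S+)\s*-\s*(\S+)", re.I | re.M)
_CIDR_LINE = re.compile(r"^(?:CIDR|route):\s*(\S+)", re.I | re.M)


def whois_abuse_contacts(text):
    """Return abuse mailboxes from legacy whois output (explicitly labelled fields only)."""
    return _ABUSE_LINE.findall(text)


def whois_covers(text, ip):
    """True if a NetRange/inetnum or CIDR/route line in the whois text contains ip."""
    addr = ipaddress.ip_address(ip)
    m = _RANGE_LINE.search(text)
    if m:
        return ipaddress.ip_address(m.group(1)) <= addr <= ipaddress.ip_address(m.group(2))
    return any(addr in ipaddress.ip_network(c, strict=False) for c in _CIDR_LINE.findall(text))


def abuse_report_targets(ip, rdap_json=None, whois_text=None):
    """Combine both sources, but only trust contacts from a block that actually covers ip."""
    targets = []
    if rdap_json and rdap_covers(rdap_json, ip):
        targets += rdap_abuse_contacts(rdap_json)
    if whois_text and whois_covers(whois_text, ip):
        targets += whois_abuse_contacts(whois_text)
    seen, out = set(), []
    for t in targets:  # de-duplicate case-insensitively, keep first spelling
        if t.lower() not in seen:
            seen.add(t.lower())
            out.append(t)
    return out


if __name__ == "__main__":
    print(abuse_report_targets("192.0.2.44", SAMPLE_RDAP, SAMPLE_WHOIS))
    print(abuse_report_targets("198.51.100.7", SAMPLE_RDAP, SAMPLE_WHOIS))  # outside the block
```

The coverage check is the part that matters for the scenario in the thread: a stale DNS name or an old whois hit can point at an organization that no longer holds the address, so the abuse address is only worth mailing when the current registry block for that exact IP returns it. If the lookup comes back empty, the block was reassigned or the registry has no abuse role on it, and the report has to go to the current holder instead.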