The portion of the mail that starts out "Greetings" is what we originally sent to him.
From: "Peyton T. Collie" (firstname.lastname@example.org)
To: "'hacked[at]attrition.org '" (hacked[at]attrition.org)
Date: Mon, 30 Apr 2001 16:49:21 -0400
Subject: RE: Urgent! Security incident on your machine! www.webmajestics.com

Greetings? Your firm illegally hacked and damaged our servers, costing our clients money. We are seeking legal action and you have been reported to all major players in the security, legal and governmental arenas. In addition we are filing complaints with the BBB, and any and all legal related firms to notify them of your activities! We do not take this lightly!

Greetings. You are being contacted because you are listed as an Internic contact for the domain referred to. Attrition.org is a non-profit, hobby web site that monitors computer crime on the internet. In the past few minutes, we have been notified that your domain was hacked, and your web page defaced. This means that the intruder has edited your web page in some way. Due to this, it is quite likely that one or all of the machines on your network are compromised. You may wish to take immediate action to correct this problem and respond to the intrusion.

One of the free services attrition.org offers is mirroring defaced pages to aid in statistics on computer crime. The various archives of information we maintain are used by security professionals and law enforcement every day. We comply with all law enforcement subpoenas for information related to the intrusion; however, for the purposes of fairness in reporting, we do not reveal the identities of defacers other than as shown on the defaced web page.

Attrition offers free security advice and assistance to sites experiencing trouble. We can also recommend unaffiliated security companies should you feel the need for more extensive analysis; please mail staff[at]attrition.org, and we'll be happy to help. We are not a security company and have no product or service to sell.

We'd also like to assure you that we had no advance knowledge of the intrusion. Any reference to attrition.org in your logs is due to our mirroring utility. Any greeting or reference to Attrition on the actual web page is beyond our control. You are one of over three thousand administrators we have contacted in this manner.

Attrition has already notified the appropriate CERT teams that would be interested in this incident. Despite this, you should still contact the appropriate CERT with followup information. They can provide recommendations for recovering and dealing with this incident.

If you receive any additional mail from a security company or vendor, we'd like to state up front that we are in no way affiliated with them. We have found out that some security companies prey on victims of web defacement to solicit their products or services. If you receive such mail, please forward the full text with headers to us so that we can confront them.

Please feel free to mail us if you have any questions or would like assistance.

For more on security and incident response:
http://ciac.llnl.gov

For more on computer forensics and preservation of evidence:
http://www.forensics-intl.com/info.html
http://www.nwo.net/null/recovery.html

For the latest on vulnerabilities and good security practice:
http://www.securityfocus.com

Hardening WindowsNT4
http://www.networkcommand.com/NTSEC/paranoid.html

Contacting Law Enforcement
http://www.fbi.gov/contact/fo/fo.htm

The Attrition Mirror:
http://www.attrition.org/mirror/

Security Advisory Archive:
http://www.attrition.org/security/advisory/

For the latest on computer crime and news:
http://www.hackernews.com/

Contacting us:
staff[at]attrition.org