-----BEGIN PGP SIGNED MESSAGE-----


version 4.3.3
Dec. 15, 1997

                         CERT* Coordination Center
                          Incident Reporting Form

CERT/CC has developed the following form in an effort to gather incident
information. If you believe you are involved in an incident, we would
appreciate your completing the form below in as much detail as possible. If
you do not believe you are involved in an incident, but have a question,
send email to:

   cert@cert.org

The information is optional, but from our experience we have found that
having the answers to all the questions enables us to provide the best
assistance. Completing the form also helps avoid delays while we get back to
you requesting the information we need in order to help you.

Note that our policy is to keep any information specific to your site
confidential unless we receive your permission to release that information.

Feel free to duplicate any section as required. Return this form to:

   cert@cert.org

If you are unable to email this form, please send it by FAX. The CERT/CC FAX
number is:

   +1 412 268 6989

We would appreciate any feedback or comments you have on this Incident
Reporting Form. Please send your comments to:

   cert@cert.org

Please mark any section that does not apply to the incident as "N/A". Thank
you for your cooperation and help.

----------------------------------------------------------------------------

1  General Information

   1.1  Incident number (to be assigned by CERT/CC, e.g.
        CERT#xxxxx)...........................................:

   1.2  Reporting site information

      1.2.1  Name (e.g., CERT Coordination Center)............:
      1.2.2  Domain Name (e.g., cert.org).....................:
      1.2.3  Brief description of the organization............:
      1.2.4  Is your site an Internet Service Provider(Yes/No):

2  Contact Information

   2.1  Your contact information

      2.1.1  Name.............................................:
      2.1.2  Email address....................................:
      2.1.3  Telephone number.................................:
      2.1.4  FAX number.......................................:
      2.1.5  Pager number.....................................:
      2.1.6  Home telephone number (for our internal use only):
      2.1.7  Secure communication channel
         2.1.7.1  PGP.................................(Yes/No):
         2.1.7.2  PEM.................................(Yes/No):
         2.1.7.3  DES.................................(Yes/No):
         2.1.7.4  Secure telephone/FAX................(Yes/No):
         2.1.7.5  Other.......................(please specify):

   2.2  Additional site contact information (if available)

      2.2.1  Name.............................................:
      2.2.2  Email address....................................:
      2.2.3  Telephone number.................................:
      2.2.4  FAX number.......................................:
      2.2.5  Pager number.....................................:
      2.2.6  Home telephone number (for our internal use only):
      2.2.7  Secure communication channel
         2.2.7.1  PGP.................................(Yes/No):
         2.2.7.2  PEM.................................(Yes/No):
         2.2.7.3  DES.................................(Yes/No):
         2.2.7.4  Secure telephone/FAX................(Yes/No):
         2.2.7.5  Other.......................(please specify):

   2.3  Site security contact information (if applicable)

      2.3.1  Name.............................................:
      2.3.2  Email address....................................:
      2.3.3  Telephone number.................................:
      2.3.4  FAX number.......................................:
      2.3.5  Pager number.....................................:
      2.3.6  Home telephone number (for our internal use only):
      2.3.7  Secure communication channel
         2.3.7.1  PGP.................................(Yes/No):
         2.3.7.2  PEM.................................(Yes/No):
         2.3.7.3  DES.................................(Yes/No):
         2.3.7.4  Secure telephone/FAX................(Yes/No):
         2.3.7.5  Other.......................(please specify):

   2.4  Contact information for other site(s) involved in this
        incident (if available)

      2.4.1  Name.............................................:
      2.4.2  Email address....................................:
      2.4.3  Telephone number.................................:
      2.4.4  FAX number.......................................:
      2.4.5  Pager number.....................................:
      2.4.6  Home telephone number (for our internal use only):
      2.4.7  Secure communication channel
         2.4.7.1  PGP.................................(Yes/No):
         2.4.7.2  PEM.................................(Yes/No):
         2.4.7.3  DES.................................(Yes/No):
         2.4.7.4  Secure telephone/FAX................(Yes/No):
         2.4.7.5  Other.......................(please specify):

   2.5  Contact information for any other incident response
        team(s) (IRTs) that has/have been notified (if
        available)

      2.5.1  Name.............................................:
      2.5.2  Email address....................................:
      2.5.3  Telephone number.................................:
      2.5.4  FAX number.......................................:
      2.5.5  Pager number.....................................:
      2.5.6  Home telephone number (for our internal use only):
      2.5.7  IRT reference number.............................:
      2.5.8  Secure communication channel
         2.5.8.1  PGP.................................(Yes/No):
         2.5.8.2  PEM.................................(Yes/No):
         2.5.8.3  DES.................................(Yes/No):
         2.5.8.4  Secure telephone/FAX................(Yes/No):
         2.5.8.5  Other.......................(please specify):

   2.6  Contact information for any law enforcement agency(ies)
        that has/have been notified (if available)

      2.6.1  Agency Name......................................:
      2.6.2  Contact Name.....................................:
      2.6.3  Email address....................................:
      2.6.4  Telephone number.................................:
      2.6.5  FAX number.......................................:
      2.6.6  Pager number.....................................:
      2.6.7  Home telephone number (for our internal use only):
      2.6.8  Law enforcement reference number.................:
      2.6.9  Secure communication channel
         2.6.9.1  PGP.................................(Yes/No):
         2.6.9.2  PEM.................................(Yes/No):
         2.6.9.3  DES.................................(Yes/No):
         2.6.9.4  Secure telephone/FAX................(Yes/No):
         2.6.9.5  Other.......................(please specify):

3  Contacting Sites Involved

   We ask that reporting sites contact other sites involved in incident
   activity. Please let us know if you need assistance in obtaining contact
   information for the site(s) involved.

   When contacting the other sites, we would very much appreciate a cc
   to:

      cert@cert.org

   This helps us identify connections between incidents and understand
   the scope of intruder activity. We would also appreciate your including
   our incident number in the subject line of any correspondence relating to
   this incident if one has been assigned (see item 1.1).

   If you are unable to contact the involved sites, please get in touch
   with us to discuss how we can assist you.

   Disclosure information -- may we give the following types of
   information to

   3.1  The sites involved in this incident
      3.1.1  Your domain..............................(Yes/No):
      3.1.2  Your host(s) involved....................(Yes/No):
      3.1.3  Your contact information.................(Yes/No):

   3.2  Incident response teams, for sites from their
        constituencies involved in this incident

      3.2.1  Your domain..............................(Yes/No):
      3.2.2  Your host(s) involved....................(Yes/No):
      3.2.3  Your contact information.................(Yes/No):

   3.3  Law enforcement agency(ies)

      3.3.1  Your domain..............................(Yes/No):
      3.3.2  Your host(s) involved....................(Yes/No):
      3.3.3  Your contact information.................(Yes/No):

4  Host Information

   4.1  Number of hosts affected

      4.1.1  At your site.....................................:
      4.1.2  At other sites...................................:

   4.2  Host(s) involved at your site. Please duplicate section
        4.2 for each host involved in the incident.

      4.2.1  Hostname or host identifier......................:
      4.2.2  Network type.....................................:
      4.2.3  Host address(es).................................:
      4.2.4  Vendor hardware, OS, and version.................:
      4.2.5  Security patches applied and/or installed as
             currently recommended by the vendor and CERT/CC
             .................................(Yes/No/Unknown):
      4.2.6  Function(s) of the involved host
         4.2.6.1  Single user workstation.............(Yes/No):
         4.2.6.2  Multi user workstation..............(Yes/No):
         4.2.6.3  Network file server.................(Yes/No):
         4.2.6.4  Router..............................(Yes/No):
         4.2.6.5  Terminal server.....................(Yes/No):
         4.2.6.6  Other (e.g. mail hub, information server,
                  internal DNS, external DNS, etc.)...........:

      4.2.7  Where on the network is the involved host (e.g.
             backbone, subnet, behind firewall, etc.).........:
      4.2.8  Nature of the information at risk on the involved
             host (e.g., router configuration, proprietary,
             personnel, financial, etc.)......................:
      4.2.9  Time zone of the involved host (relative to GMT).:
      4.2.10 In the attack, was this host the source, the
             victim, or both..................................:
      4.2.11 Was this host compromised as a result of this
             attack...................................(Yes/No):
      4.2.12 What software upgrades or configuration changes
             have you made recently to the affected systems...:
      4.2.13 Have you contacted (or do you plan to contact) the
             system administrators for affected systems at your
             site for which you are not responsible...(Yes/No):

   4.3  Host(s) involved at other sites. Please duplicate
        section 4.3 for each host involved in the incident.

      4.3.1  Hostname or host identifier......................:
      4.3.2  Network type.....................................:
      4.3.3  Host address(es).................................:
      4.3.4  Vendor hardware, OS, and version.................:
      4.3.5  Has the site been notified...............(Yes/No):
      4.3.6  In the attack, was this host the source, the
             victim, or both..................................:
      4.3.7  Was this host compromised as a result of this
             attack...........................(Yes/No/Unknown):
      4.3.8  Have you contacted (or do you plan to contact) the
             system administrators for affected systems at
             other sites..............................(Yes/No):

5  Incident Categories

   5.1  Anonymous FTP abuse...........................(Yes/No):
   5.2  Break-in......................................(Yes/No):
      5.2.1  Intruder gained privileged access........(Yes/No):
      5.2.2  Intruder installed Trojan horse program(s)
             .........................................(Yes/No):
      5.2.3  Intruder installed packet sniffer........(Yes/No):
         5.2.3.1  What was the full pathname(s) of the sniffer
                  output file(s)..............................:
         5.2.3.2  How many sessions did the sniffer log.......:
      5.2.4  Cracked password.........................(Yes/No):
      5.2.5  Easily-guessable password................(Yes/No):
      5.2.6  FTP attack...............................(Yes/No):
      5.2.7  NIS (yellow pages) attack................(Yes/No):
      5.2.8  NFS attack...............................(Yes/No):
      5.2.9  Rlogin or rsh attack.....................(Yes/No):
      5.2.10 Telnet attack............................(Yes/No):
      5.2.11 TFTP attack..............................(Yes/No):
   5.3  Configuration error...........................(Yes/No):
      5.3.1  Type of configuration error......(please specify):
   5.4  Denial of service attack......................(Yes/No):
      5.4.1  What service was denied..........................:
      5.4.2  How was service denied...........................:
   5.5  Email bombardment.............................(Yes/No):
      5.5.1  Was this email bombardment successful....(Yes/No):
   5.6  Email Spoofing................................(Yes/No):
   5.7  IP spoofing...................................(Yes/No):
   5.8  Misuse of host resources......................(Yes/No):
   5.9  Prank.........................................(Yes/No):
   5.10 Probe.........................................(Yes/No):
   5.11 Product vulnerability.........................(Yes/No):
      5.11.1  Was the vulnerability exploited.(please specify):
   5.12 Scam..........................................(Yes/No):
   5.13 Scan..........................................(Yes/No):
   5.14 Sendmail attack...............................(Yes/No):
      5.14.1  Did this attack result in a compromise..(Yes/No):
   5.15 Worm..........................................(Yes/No):
   5.16 Other.................................(please specify):

6  Detailed description of the incident

   6.1  Please complete in as much detail as possible

      6.1.1  Date and duration of incident....................:
      6.1.2  Suspected method of intrusion (e.g., name of
             virus, name of exploit script, etc.).............:
      6.1.3  How you discovered the incident..................:
      6.1.4  Details of vulnerabilities exploited that are not
             addressed in previous sections...................:
      6.1.5  The source of the attack (if known)..............:
      6.1.6  Steps taken to address the incident (e.g.,
             binaries reinstalled, patches applied)...........:
      6.1.7  Planned steps to address the incident (if any)...:
      6.1.8  Do you plan to start using any of the tools listed
             in section 7.....................................:
         6.1.8.1  Please list tools expected to use...........:
      6.1.9  Aspects of the incident not covered above........:

   6.2  Please indicate if any of the following were left on
        your system by the intruder

      6.2.1  Intruder tool output (such as packet sniffer
             output logs).............................(Yes/No):
      6.2.2  Tools/scripts to exploit vulnerabilities.(Yes/No):
      6.2.3  Source code programs (such as Trojan horse
             programs, sniffer programs)..............(Yes/No):
      6.2.4  Binary code programs (such as Trojan horse
             programs, sniffer programs)..............(Yes/No):
      6.2.5  Hidden files/directories.................(Yes/No):
      6.2.6  Virus infected files.....................(Yes/No):
      6.2.7  Other files......................(please specify):

7  Security Tools

   7.1  At the time of the incident, were you using any of the
        following security tools

      7.1.1  Authentication/Password tools

         7.1.1.1  Crack.....................(Yes/No/How Often):
         7.1.1.2  Kerberos............................(Yes/No):
         7.1.1.3  One-time passwords..................(Yes/No):
         7.1.1.4  Proactive password checkers.........(Yes/No):
         7.1.1.5  Shadow passwords....................(Yes/No):

      7.1.2  File Integrity Checking tools

         7.1.2.1  MD5.......................(Yes/No/How Often):
         7.1.2.2  Tripwire..................(Yes/No/How Often):

      7.1.3  Multi-purpose tools

         7.1.3.1  C2 security.........................(Yes/No):
         7.1.3.2  COPS......................(Yes/No/How Often):
         7.1.3.3  TAMU Tiger................(Yes/No/How Often):

      7.1.4  Network Monitoring tools

         7.1.4.1  Argus...............................(Yes/No):
         7.1.4.2  TAMU Netlog.........................(Yes/No):

      7.1.5  Service filtering tools

         7.1.5.1  Firewall....................(please specify):
         7.1.5.2  Host access control via modified daemons or
                  wrappers............................(Yes/No):
         7.1.5.3  TAMU Drawbridge.....................(Yes/No):
         7.1.5.4  TCP access control using packet filtering
                  ....................................(Yes/No):

      7.1.6  Vulnerability Scanning tools

         7.1.6.1  ISS.......................(Yes/No/How Often):
         7.1.6.2  SATAN.....................(Yes/No/How Often):

      7.1.7  Miscellaneous tools

         7.1.7.1  Append-only file systems............(Yes/No):
         7.1.7.2  cpm.................................(Yes/No):
         7.1.7.3  lsof................................(Yes/No):
         7.1.7.4  smrsh...............................(Yes/No):

      7.1.8  Other tools......................(please specify):

   7.2  At the time of the incident, which of the following
        logs were you using, if any

      7.2.1  Process accounting.......................(Yes/No):
      7.2.2  syslog...................................(Yes/No):
      7.2.3  TCP wrapper..............................(Yes/No):
      7.2.4  utmp.....................................(Yes/No):
      7.2.5  wtmp.....................................(Yes/No):

   7.3  What do you believe to be the reliability and integrity
        of these logs

      7.3.1  Do you believe the logs are reliable.....(Yes/No):
      7.3.2  Are the logs stored on read-only media...(Yes/No):
      7.3.3  Are the logs stored on another host......(Yes/No):
      7.3.4  Other reasons you believe logs are reliable
             .................................(please specify):

8  Other information

   8.1  What assistance would you like from CERT/CC...........:

   8.2  Please append any log information or directory listings
        and time zone information relative to GMT to the end of
        this document.........................................:
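
   Items 4.2.9, 6.1.1 and 8.2 all hinge on the same practical problem:
   classic BSD syslog lines carry "Mon DD HH:MM:SS" with no year and no
   time zone, so a reader at another site or at CERT/CC cannot place them
   on an absolute timeline. The script below is an added example and is
   not part of the CERT form; it rewrites each log line with the host's
   local time, its offset from GMT and the equivalent UTC instant, and
   computes the first/last event and duration for item 6.1.1. The host
   time zone, the year and the sample log lines are constructed inputs.

```python
"""Normalise syslog-style timestamps to GMT for an incident report appendix.

Added example (not part of the CERT Incident Reporting Form). The host zone,
year and log lines below are constructed sample inputs.
"""
import re
from datetime import datetime, timedelta, timezone

# Classic BSD syslog prefix: "Dec 15 03:21:07 host prog[pid]: message".
# Note the day may be space-padded ("Dec  5"), hence " {1,2}".
SYSLOG_TS = re.compile(
    r"^([A-Z][a-z]{2}) {1,2}(\d{1,2}) (\d{2}):(\d{2}):(\d{2}) (.*)$")
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# Constructed: a host five hours behind GMT with no DST in effect in December.
# A fixed offset is an assumption; for a real host use
# zoneinfo.ZoneInfo("Area/City") so DST transitions are handled.
EXAMPLE_HOST_TZ = timezone(timedelta(hours=-5), "EST")
EXAMPLE_YEAR = 1997

# Constructed sample log (192.0.2.0/24 is a documentation address range).
SAMPLE_LOG = """\
Dec 15 03:21:07 gw1 login[412]: ROOT LOGIN REFUSED FROM 192.0.2.44
Dec 15 03:21:09 gw1 login[413]: ROOT LOGIN REFUSED FROM 192.0.2.44
Dec 15 03:22:41 gw1 login[419]: ROOT LOGIN ON ttyp3 FROM 192.0.2.44
some unrelated text""".splitlines()


def parse_syslog_time(line, year, host_tz):
    """Return (aware local datetime, rest of line), or None if no timestamp.

    The year must be supplied by the reporter because syslog omits it;
    a log that spans New Year needs the year adjusted per line.
    """
    m = SYSLOG_TS.match(line)
    if not m:
        return None
    mon, day, hh, mm, ss, rest = m.groups()
    local = datetime(year, MONTHS[mon], int(day), int(hh), int(mm), int(ss),
                     tzinfo=host_tz)
    return local, rest


def normalise(lines, year, host_tz):
    """Rewrite each timestamped line as ISO 8601 local time with GMT offset,
    followed by the same instant in UTC. Unparseable lines are kept verbatim
    so evidence is never silently dropped."""
    out = []
    for line in lines:
        parsed = parse_syslog_time(line, year, host_tz)
        if parsed is None:
            out.append(line)
            continue
        local, rest = parsed
        utc = local.astimezone(timezone.utc)
        out.append(f"{local.isoformat()} "
                   f"(UTC {utc.strftime('%Y-%m-%dT%H:%M:%SZ')}) {rest}")
    return out


def incident_window(lines, year, host_tz):
    """First and last UTC instants seen in the log and the span between them
    (item 6.1.1). Returns None if no line carries a timestamp."""
    stamps = [p[0].astimezone(timezone.utc)
              for p in (parse_syslog_time(l, year, host_tz) for l in lines)
              if p is not None]
    if not stamps:
        return None
    return min(stamps), max(stamps), max(stamps) - min(stamps)


if __name__ == "__main__":
    for line in normalise(SAMPLE_LOG, EXAMPLE_YEAR, EXAMPLE_HOST_TZ):
        print(line)
    first, last, span = incident_window(SAMPLE_LOG, EXAMPLE_YEAR, EXAMPLE_HOST_TZ)
    print(f"window: {first:%Y-%m-%dT%H:%M:%SZ} .. {last:%Y-%m-%dT%H:%M:%SZ} "
          f"({span})")
```

   Run it against the exported syslog, wtmp or TCP wrapper logs with the
   affected host's real zone and year before pasting them into this
   section; the unmodified originals should still be preserved (ideally on
   read-only media, as item 7.3.2 asks) since the rewritten copy is a
   convenience for the reader, not the evidence.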


Copyright 1997 Carnegie Mellon University

This form may be reproduced and distributed without permission provided it
is used for non commercial purposes and the CERT Coordination Center is
acknowledged.

*CERT is registered in the U.S. Patent and Trademark Office

The CERT Coordination Center is part of the Software Engineering Institute.
The Software Engineering Institute is operated by Carnegie Mellon University
for the U. S. Department of Defense.


-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBNSzXy3VP+x0t4w7BAQF2MQP/V94lel/3Bz+ib6O7cI0aMaMSWGyzzrp0
MDTKdetx6bHWuKttdH20DcRr7nyogkHmdX7TRf38SXX3VK6FTiAxHLEYzuQQZii6
klLGUqzmTDEwO7SkRdVo3Dkv2coGt3yiknN0y6GeQ43anqWLQY38Opbuw0JGuL03
zclQbNnmB1Q=
=Firz
-----END PGP SIGNATURE-----
