MOREnet Incident Response Team
Incident Reporting - Short Form

Reviewed: 03/09/2000
Revised: 03/09/2000

Instructions:

MOREnet has developed the following form in an effort to gather incident information. If you believe you are involved in an incident, we would appreciate your completing the form below in as much detail as possible. If you do not believe you are involved in an incident, but have a question, send email to:

    security@more.net

The information is optional, but from our experience we have found that having the answers to all the questions enables us to provide the best assistance. Completing the form also helps avoid delays while we get back to you requesting the information we need in order to help you.

Note that our policy is to keep any information specific to your site confidential unless we receive your permission to release that information.

Feel free to duplicate any section as required. Return this form to:

    security@more.net

You may copy and paste this form into an e-mail message; download a text copy here, edit it and send it via e-mail; or print it out and fax it to:

    +1 573 884 7699

If you believe your mail server to be compromised, please do NOT send unencrypted e-mail through it to notify us. For users of Pretty Good Privacy, you may find our public PGP keys here. You may send the mail via another account through an outside connection, fax the form, or call us at 1-800-509-6673 for an alternate out-of-band contact medium.

We appreciate any feedback or comments you have on this Incident Reporting Form. Please send your comments to:

    security@more.net

Please mark any section that does not apply to the incident as "N/A".

Thank you for your cooperation and help.

-------------------------------------

1. General Information

  1.1 Incident number (to be assigned by MOREnet Security, e.g. MOREnet TR #xxxxx):

  1.2 Reporting Site Information

    1.2.1 Date/Time of report.......................:
    1.2.2 Name......................................:
    1.2.3 Organization name.........................:
    1.2.4 Title.....................................:
    1.2.5 Telephone number..........................:
    1.2.6 Fax number................................:
    1.2.7 E-mail address............................:
    1.2.8 Domain name (e.g., more.net)..............:
    1.2.9 Other contact info (e.g., Pager, Cellular):

2. Incident Information

  2.1 System Information

    2.1.2 Physical location of affected system(s).........................:
    2.1.3 Purpose of system(s)............................................:
    2.1.4 Current status..................................................:
    2.1.5 Operating system(s) of affected machine(s)......................:
    2.1.6 Type of security in place (e.g., Firewall, IDS).................:
    2.1.7 Can you provide logs or corroboration for the incident?.........:

  2.2 Intrusion/Attack Information

    2.2.1 Date/Time of incident...............................:
    2.2.2 Nature of problem...................................:
    2.2.3 Type of intrusion/attack (e.g., Trojan, Port Scan)..:
    2.2.4 Extent of compromise................................:
    2.2.5 Damage or loss of information?......................:
    2.2.6 Apparent source (IP address) of the intrusion/attack:

  2.3 Threat/Harassment Information

    2.3.1 Date/Time of incident................................:
    2.3.2 Nature of threat/harassment..........................:
    2.3.3 How was the offense carried out (e.g., E-mail, Chat)?:
    2.3.4 Have physical damages or injuries occurred?..........:
    2.3.5 Do you have e-mail headers or logs from the incident?:
    2.3.6 Apparent source (IP address) of the threat/harassment:

3. Other Information

  3.1 What actions or technical measures have been taken?

  3.2 Have you notified law enforcement or another agency?

-------------------------------------

This form may be reproduced and distributed without permission provided it is used for non-commercial purposes and MOREnet is acknowledged.

Contacting Sites Involved

We ask that reporting sites contact other sites involved in incident activity. Please let us know if you need assistance in obtaining contact information for the site(s) involved.

When contacting other sites, we would very much appreciate a cc to:

    security@more.net

This helps us identify connections between incidents and understand the scope of intruder activity. We also appreciate your including the MOREnet incident number in the subject line of any correspondence relating to this incident if one has been assigned (see item 1.1).

If you are unable to contact the involved sites, please get in touch with us to discuss how we can assist you.