Notification for unauthorized access


You are reading this page because we have detected unauthorized access to our monitoring system (honeypot) and we believe it is related to you.
This is part of a research experiment on effective notification. It would be a great help to our study if you could answer the following questions.

Q1. Do you think you are a relevant party for the IP addresses mentioned in our notification message, from which we observed unauthorized access?

Q2. Do you want to receive a notification from us if we observe more unauthorized access from this IP address in the future?

Contents

  1. Overview
  2. Experiments

Overview

As the number of devices connected to the Internet grows, so does the threat posed by cyberattacks. Besides observing and analyzing these attacks, notifying the affected users is becoming increasingly important. The most common way to identify a contact point for notification is WHOIS, a service that allows any Internet user to view information about a domain's registrant or the organization to which an IP address is assigned. However, direct contact points may be hidden for privacy reasons, or the data may simply be outdated. In this research, we investigate how to enrich the contact information for IP addresses that need to be notified.


Experiments

Target of Notification

We try to notify the parties responsible for the IP addresses from which our honeypot detected unauthorized access.


Obtainment of Contact Points

We obtain contact points in the following five ways:

  • IP address based
    • IP-WHOIS: We search the target IP address in the WHOIS database and obtain contact email addresses.
    • IP-Web: We automatically open "http://<Target IP address>/" and the website's contact page with Google Chrome, and extract email addresses and links to social media accounts from these pages. We also use the web contact form if the contact page includes one.

  • Domain based: We obtain the domains that correspond to the observed IP address from a passive DNS database (https://www.dnsdb.info/) and use those domains as targets of notification.
    • Domain-WHOIS: We search the domain in the WHOIS database and obtain contact email addresses.
    • Domain-Web: We automatically open "http://<Host Name including Target Domain>/" and the website's contact page with Google Chrome, and extract email addresses and links to social media accounts from these pages. We also use the web contact form if the contact page includes one.
    • Domain-MDB: We search the domain in an email address database (https://hunter.io/search) and obtain the corresponding email addresses.
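As an added illustration (not code from this study), the following Python sketch shows the contact extraction behind the IP-WHOIS and IP-Web steps, run over a constructed RIPE-style WHOIS response and a constructed contact page instead of live queries; the sample records, field names and site addresses are assumptions, and a dedicated abuse-mailbox is preferred over other addresses because it is the contact the registry designates for incident reports.

```python
import re

# Constructed sample of an IP-WHOIS response (RIPE-style object, not a real record).
SAMPLE_WHOIS = """\
inetnum:        192.0.2.0 - 192.0.2.255
netname:        EXAMPLE-NET
org:            ORG-EX1-RIPE
abuse-mailbox:  abuse@example.net
e-mail:         noc@example.net
e-mail:         abuse@example.net
remarks:        Please report abuse to abuse@example.net
% This query was served by the RIPE Database Query Service
"""

# Constructed sample of a contact page as fetched from http://<Target IP address>/.
SAMPLE_HTML = """\
<p>Contact: <a href="mailto:info@example.net">info@example.net</a></p>
<a href="https://twitter.com/example_net">Twitter</a>
<a href="https://www.facebook.com/example.net">Facebook</a>
<form action="/contact" method="post"><input name="email"></form>
"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
SOCIAL_RE = re.compile(r'href="(https?://(?:www\.)?(?:twitter|facebook|linkedin)\.com/[^"]+)"')


def whois_contacts(text):
    """Return (abuse_addresses, other_addresses) from a WHOIS response.

    Addresses in abuse-mailbox fields go into the first list; any other
    address found in a key: value line goes into the second, unless it is
    already an abuse address. Registry comment lines ('%') are skipped.
    """
    abuse, other = [], []
    for line in text.splitlines():
        if line.startswith("%") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        for addr in EMAIL_RE.findall(value):
            bucket = abuse if key.strip() == "abuse-mailbox" else other
            if addr not in bucket:
                bucket.append(addr)
    other = [a for a in other if a not in abuse]
    return abuse, other


def web_contacts(html):
    """Return (emails, social_links, has_contact_form) found on a contact page."""
    emails = sorted(set(EMAIL_RE.findall(html)))
    social = SOCIAL_RE.findall(html)
    return emails, social, "<form" in html.lower()
```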

Notification

To evaluate the effectiveness of the security notification, we send a notification message to these contact points from the following contacts:

We notify the relevant parties of the IP addresses that attempted to log in to our honeypot several times. We understand that some of you may have scanned our honeypot for non-intrusive purposes, but the honeypot treated the scan as a login attempt. If you are not aware of this access, your host may be infected with malware. We can provide more information upon request. Thank you for your cooperation.

