v2.9 - 12/07/2004
  - RIPE redirect stopped working due to ARIN result changing. Fixed.

v2.8 - 09/04/2003
  - RIPE redirects stopped working due to bad arin_redirects regexp. Fixed.

v2.7 - 06/01/2003
  - Fixed bug when processing ARIN output with multiple parentheses such as 65.93.92.49 (Thanks to Niklas Blomdalen)
  - whois.educause.net errors are now detected
  - Whois output such as 'Registrant Email:not@available.org' was incorrectly determining 'Email:not@available.org' to be the email address. Fixed.
  - Redirects from whois.publicinterestregistry.net are now handled properly

v2.6 - 05/21/2003
  - ARIN netblock redirects stopped working due to format change from whois.arin.net. Fixed.

v2.5 - 03/14/2003
  - Batch mode stopped processing after no contacts were found for one entry. Fixed. (Thanks to Shane Hickey)

v2.4 - 12/20/2002
  - trouble: emails from whois now take priority over others (Suggested by Shane Hickey)

v2.3 - 8/24/2002
  - Show number of matching log lines when showing excerpt. (Suggested by Shane Hickey)
  - Fixed bug that processed FQDNs like 18.244.95.24.cfl.rr.com as IPs. (Thanks to Glen Stewart)

v2.2 - 06/01/2002
  - Added whois.abuse.net querying and option to make emails returned from abuse.net take priority over emails retrieved through other means. See $ABUSE_NET_PRI in config. (Suggested by Shane Hickey)
  - Option '-r' to not ignore 'Received:' lines in input

v2.1 - 04/14/2002
  - Ignore lines that begin with 'Received:'. Useful when piping mail to the script.
  - Ignore some local nets when looking for IPs (127.0, 192.168)
  - Option to ignore IPs that syslogs appear to be from ($IGNORE_SYSLOG_IPS)
  - Implemented batch mode (-b) for non-interactive usage (see README)
  - All IPs in the input line are now examined instead of only the first one. Set $OLD_SUSPECT_LOOKUP = 1 to revert to the old behavior.
  - Timezone is figured out if $TIMEZONE_STR is not defined. Note you may need to replace your current incident.pl.cfg with the new one.
  - Try to intelligently parse stupid reverse resolutions like: unused.volcomnet.com.236.165.209.in-addr.arpa
  - Added arin.net, iana.org, and in-addr.arpa to ignored domains

v2.0 - 11/13/2001
  - rwhois.arin.net is overloaded or unresponsive too often; switched back to WHOIS with fallback to RWHOIS for IP lookups

v1.9 - 11/11/2001
  - Fixed bug that would cause a segfault if whois continually failed
  - Fixed bug where, when using the -a or -A options, the description would be asked for only once
  - Fixed bug that failed to handle RWHOIS server problems
  - Minor code cleanups

v1.8 - 10/14/2001
  - Now using RWHOIS for ARIN IP lookups (rwhois.arin.net). Referrals are not currently followed since there appear to be errors in some (e.g. 131.174.116.58 has wrong referral). However I think this speeds initial lookups quite a bit and many times requires one less query to ARIN
  - New options -a and -A to process all IPs in input
  - Fixed bug where a query could be repeated if the host has a different upper/lower case
  - Better handling of rwhois timeouts and retries
  - New configuration vars: $WHOIS_FORMAT (to specify how your whois binary is called), $RWHOIS_TIMEOUT, $RWHOIS_NUM_TRIES, $RWHOIS_RETRY_INTERVAL
  - Parsing of whois.nic.ad.jp did not detect 'no matches', fixed
  - Some Korean registrars appended ---- to email contacts, these are now cleaned
  - Some Chinese registrars have host information registered, now ignoring these to get domains instead
  - If a subdomain has an MX record, but the domain that returns successful whois info does not, the former is given more weight as being the true domain
  - More checks on valid whois server responses
  - Try to handle problems with domain queries to whois.aunic.net (example: bigpond.net.au is really registered in whois.connect.com.au, but this is difficult to determine)
  - Added telstra.net and connect.com.au to ignored domains
  - New data structure $arin_redirects to take care of redirects to other whois servers
  - More restrictive IP searching for suspects (e.g. don't match something like 1234.4214.1111.0)

v1.7 - 10/06/2001
  - Added 2 AU whois servers (whois.telstra.net, whois.connect.com.au) (Suggested by John McInnes)
  - Ignore 'changed:' lines in whois output when determining email contacts and other mails are found (Suggested by Dirk Praet)
  - MX lookups now made before RWHOIS to find the likely domain faster
  - Removal of some redundant code
  - Assumption of domain based on email contact was not really the 'first' email, fixed
  - Better handling of whois timeouts and retries
  - New configuration vars: $WHOIS_TIMEOUT, $WHOIS_NUM_TRIES, $WHOIS_RETRY_INTERVAL
  - Better recognition of some whois server errors (but still bad)

v1.6 - 09/08/2001
  - Added Japanese (whois.nic.ad.jp) registrar querying
  - Now using Rwhois protocol for domain querying. No longer querying allwhois.com. NOTE: Net-Rwhois perl module is required (included in distribution)
  - Changed to getopt for argument processing
  - Added -H option to disable host probe (Suggested by John McInnes)
  - Added -h option to show usage
  - Added some intelligence to not re-query domains that have already been queried
  - More intelligent handling of unresolvable IPs by looking for MX records
  - Changes to README and inclusion of GPL license

v1.5 - 08/12/2001
  - Added dns.br, ripe.net, nic.br, registro.br, krnic.net to ignored domains
  - Fixed problem where in-addr.arpa would sometimes be processed as a valid domain
  - Added Korean (whois.nic.or.kr) and Brazil (whois.registro.br) registrar querying
  - Added -x option to just perform contact gathering for a domain/IP argument
  - When using -x, a domain/hostname can be specified that does not resolve to an IP. In these cases, an MX lookup is made to find an IP for ARIN querying.
  - Better handling of errors from whois (but still bad)
  - Other minor bugfixes

v1.4 - 06/16/2001
  - Show an excerpt (5 lines) of logs when asked to provide description
  - More cleanups on SIGINT (ctrl-c)
  - Report domain dir is 'touched' to sort directory listings by latest attack
  - Fixed bug when determining email contacts that would not include addresses such as czan@81890.net
  - More intelligent handling of non-US unresolvable IPs to avoid mailing NIC registrars and to make a better assumption on the true domain of the attacker
  - Added configurable list of domains to ignore (such as registrars)
  - Added X-Sender: incident.pl mail header (for avoiding loops)

v1.3 - 05/10/2001
  - Fixed some output formatting after http and finger probes
  - SIGINT (ctrl-c) will do some cleanup before dying
  - Stricter parsing of subject when doing email followup
  - Show whether XWD failed or succeeded
  - Added an example email that is sent: example_email.txt
  - Added "security@" and "noc@" to emails that are notified (Suggested by Matt Fearnow)
  - smbclient should now just be in PATH and removed from configuration
  - Configuration can be specified in a configuration file

v1.2 - 03/31/2001
  - Added email followup processing and storage
  - Argument given for isolating logs can be of any format now
  - Initial TCP read timeout can be set for ports that take a while to send the hello string (such as SMTP)
  - HTTP probe added to GET / if attacker is running a web server

v1.1 - 03/21/2001
  - Added a SENT_TO_FILE to log who reports are sent to
  - Removed nonstandard characters from email addresses

v1.0 - 03/03/2001
  - Initial release
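Read together, the parsing fixes in this changelog form a small input-validation spec for an incident-reporting tool: do not treat FQDNs such as 18.244.95.24.cfl.rr.com or over-wide strings such as 1234.4214.1111.0 as IPs, skip 'Received:' lines and the 127.0 and 192.168 nets, examine every IP on a line, recover a domain from mangled reverse names like unused.volcomnet.com.236.165.209.in-addr.arpa, capture not@available.org rather than 'Email:not@available.org', and prefer non-'changed:' whois lines for contacts. The code below is an added Python illustration of that spec; it is not code from incident.pl (a Perl script). The function names, the constructed log lines and whois excerpt, the use of /16 for the two named prefixes, and the reading of the in-addr.arpa case as a PTR target that lost its trailing dot are this example's own assumptions.

```python
"""Suspect-IP and contact extraction with the edge cases the changelog names.

Added illustration, not incident.pl's code. All names and sample data here
are constructed for the example.
"""
import ipaddress
import re

# One octet, 0-255, written without leading zeros.
_OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"

# A dotted quad must stand alone: no letter, digit or dot directly before or
# after it. This rejects 18.244.95.24.cfl.rr.com (a hostname whose first four
# labels are numeric) and 1234.4214.1111.0 (labels too wide to be octets),
# while still matching an address followed by ':', '#', '/' or a space.
_IPV4_RE = re.compile(r"(?<![\w.])(" + r"\.".join([_OCTET] * 4) + r")(?![\w.])")

# The two prefixes the changelog names ("127.0" and "192.168"), taken as /16s.
IGNORED_NETS = (
    ipaddress.ip_network("127.0.0.0/16"),
    ipaddress.ip_network("192.168.0.0/16"),
)


def extract_suspect_ips(line, skip_received=True, ignore_ips=()):
    """Return every candidate attacker IP on one input line, deduplicated, in order.

    skip_received mirrors the default of ignoring 'Received:' mail headers (the
    -r option turns that off); ignore_ips plays the role of $IGNORE_SYSLOG_IPS,
    the addresses of the hosts that wrote the syslog.
    """
    if skip_received and line.lstrip().lower().startswith("received:"):
        return []
    found = []
    for text in _IPV4_RE.findall(line):
        ip = ipaddress.IPv4Address(text)
        if text in ignore_ips or any(ip in net for net in IGNORED_NETS):
            continue
        if text not in found:
            found.append(text)
    return found


def domain_from_reverse_name(name):
    """Recover a domain from a mangled PTR result such as
    unused.volcomnet.com.236.165.209.in-addr.arpa.

    Assumed reading: the PTR target lacked its trailing dot, so the zone origin
    was appended. Strip '.in-addr.arpa' and the reversed octets; what remains is
    the host the record meant. Names outside in-addr.arpa come back unchanged;
    a purely numeric reverse name yields None (no domain to report to).
    """
    labels = name.rstrip(".").lower().split(".")
    if labels[-2:] != ["in-addr", "arpa"]:
        return name
    labels = labels[:-2]
    while labels and labels[-1].isdigit():
        labels.pop()
    return ".".join(labels) or None


# ':' is deliberately absent from the local-part class, so 'Registrant
# Email:not@available.org' yields not@available.org. The TLD must be letters,
# so a trailing '----' some registrars append is never swallowed, and digit-only
# labels such as 81890.net are accepted.
_EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def extract_contact_emails(whois_text):
    """Collect contact addresses from whois output, lower-cased and deduplicated.

    Addresses on 'changed:' lines (the maintainer who last edited the record)
    are used only when no other address was found, matching the v1.7 rule.
    """
    contacts, changed_by = [], []
    for raw in whois_text.splitlines():
        target = changed_by if raw.lstrip().lower().startswith("changed:") else contacts
        for addr in _EMAIL_RE.findall(raw):
            addr = addr.lower()
            if addr not in target:
                target.append(addr)
    return contacts or changed_by


# Constructed sample input (not real log data).
CONSTRUCTED_LOG_LINES = [
    "Received: from mail.example.com (mail.example.com [10.9.8.7]) by relay",
    "Apr 14 02:11:07 gw sshd[123]: Failed password for root from 203.0.113.45 port 41022",
    "Apr 14 02:11:09 gw kernel: IN=eth0 SRC=198.51.100.7 DST=192.168.1.2 PROTO=TCP",
    "Apr 14 02:11:10 gw named[77]: client 127.0.0.1#53 query denied",
    "Apr 14 02:11:11 gw httpd: 18.244.95.24.cfl.rr.com - GET /cgi-bin/test 1234.4214.1111.0",
    "Apr 14 02:11:12 gw portsentry: connects from 203.0.113.45 and 198.51.100.7",
]

# Constructed whois excerpt (not real registry output).
WHOIS_SAMPLE = """\
Registrant Email:not@available.org
person:       Example Hostmaster
e-mail:       abuse@example.net
e-mail:       czan@81890.net
changed:      ripe-dbm@example.org 20010501
"""

if __name__ == "__main__":
    for line in CONSTRUCTED_LOG_LINES:
        print(extract_suspect_ips(line), "<-", line[:60])
    print(domain_from_reverse_name("unused.volcomnet.com.236.165.209.in-addr.arpa"))
    print(extract_contact_emails(WHOIS_SAMPLE))
```

The two regexes carry the whole policy: boundary lookarounds do the FQDN and width rejection that the changelog added in v1.8 and v2.3, and the character class excludes the separator that caused the v2.7 mis-capture. The network filter and the 'changed:' fallback are plain post-processing on top.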