The portion of the mail that starts out "Greetings" is what we originally sent to him.

From: "Peyton T. Collie" (pcollie@lore.net)
To: "'hacked[at]attrition.org '" (hacked[at]attrition.org)
Date: Mon, 30 Apr 2001 16:49:21 -0400
Subject: RE: Urgent! Security incident on your machine! www.webmajestics.com

Greetings?

Your firm illegally hacked and damaged our servers, costing our clients
money.  We are seeking legal action and you have been reported to all major
players in the security, legal and governmental arenas.  In addition we are
filing complaints with the BBB, and any and all legal related firms to
notify them of your activities! 

We do not take this lightly!




Greetings.

You are being contacted because you are listed as an Internic
contact for the domain referred to.

Attrition.org is a non-profit, hobby web site that monitors 
computer crime on the internet. In the past few minutes, we 
have been notified that your domain was hacked, and your web 
page defaced. This means that the intruder has edited your 
web page in some way. Due to this, it is quite likely that 
one or all of the machines on your network are compromised. 
You may wish to take immediate action to correct this problem 
and respond to the intrusion.

One of the free services attrition.org offers is mirroring defaced
pages to aid in statistics on computer crime. The various archives
of information we maintain are used by security professionals and 
law enforcement every day.  We comply with all law enforcement 
subpoenas for information related to the intrusion; however, for 
the purposes of fairness in reporting, we do not reveal the 
identities of defacers other than as shown on the defaced web page.

Attrition offers free security advice and assistance to sites 
experiencing trouble.  We can also recommend unaffiliated security 
companies should you feel the need for more extensive analysis; 
please mail staff[at]attrition.org, and we'll be happy to help.
We are not a security company and have no product or service to
sell.

We'd also like to assure you that we had no advance knowledge
of the intrusion. Any reference to attrition.org in your logs
is due to our mirroring utility. Any greeting or reference to
Attrition on the actual web page is beyond our control. You are
one of over three thousand administrators we have contacted in
this manner.

Attrition has already notified the appropriate CERT teams that
would be interested in this incident. Despite this, you should
still contact the appropriate CERT with followup information.
They can provide recommendations for recovering and dealing with
this incident.

If you receive any additional mail from a security company or
vendor, we'd like to state up front that we are in no way 
affiliated with them. We have found out that some security
companies prey on victims of web defacement to solicit their
products or services. If you receive such mail, please forward
the full text with headers to us so that we can confront them.

Please feel free to mail us if you have any questions or would 
like assistance.

For more on security and incident response:
	http://ciac.llnl.gov

For more on computer forensics and preservation of evidence:
	http://www.forensics-intl.com/info.html
	http://www.nwo.net/null/recovery.html

For the latest on vulnerabilities and good security practice:
	http://www.securityfocus.com

Hardening WindowsNT4
	http://www.networkcommand.com/NTSEC/paranoid.html

Contacting Law Enforcement
	http://www.fbi.gov/contact/fo/fo.htm

The Attrition Mirror:  
	http://www.attrition.org/mirror/

Security Advisory Archive:  
	http://www.attrition.org/security/advisory/

For the latest on computer crime and news:
	http://www.hackernews.com/

Contacting us:  
	staff[at]attrition.org

