Dear Network Admin at B-Line Technical Services,

It has come to our attention that someone from a host ( IP address 207.35.251.172) under your management has launched an attempt to compromise one of our server at 192.168.1.102.

As recorded by our intrusion detection system, we have recorded an attack launched from this host against the FTP service of our server at 19:52:51 of September-16, 2001. Now, we do not believe this is done with your knowledge, but we are concerned that you are also a victim of this cracker's act. Please double check your user database on this host to ensure no authorized accounts were created, and please ensure you do not have any un-authorized services listening on port 24 and/or port 6666 of this host.

The tool used by this cracker is one commonly known as t0rnkit, and this is what was documented about this tools:

For a detail discussion of this t0rnkit and/or the possible method for which your host might have been compromised, please refered to CERT Incident Note IN-2000-10 @ http://www.cert.org/incident_notes/IN-2000-10.html.

Please feel free to contact me if you should require further information about how to remove the backdoor this cracker has left behind. For the time being, please remove the un-authorized user accounts from this host and patch it with the latest patches that is available to your system.

Yours truly,