Security Incidents mailing list archives

Re: Publishing Nimda Logs


From: Hugo van der Kooij <hvdkooij () vanderkooij org>
Date: Wed, 8 May 2002 08:01:41 +0200 (CEST)

On Tue, 7 May 2002, Deus, Attonbitus wrote:

  It is truly sad that so many people are still infected with Nimda. There
  is a company with my corporate ISP that I have notified 3 times now that
  they are attacking other systems. It seems they can't figure out how not
  to install Win2k/IIS5.0 while connected to the net. The sad thing is that
  this is a computer company.

Send a formal complaint to the ISP. It's their responsibility as well, as 
soon as you send a formal complaint. Send a formal complaint by 
snail mail to that company. Let them sign for receipt.

Include logging and such and charge them with:
 - harassment.
 - improper usage of your computer facilities.
.....

  I have seen a site where people have published the IP of the offending
  boxes for stuff like Nimda and CR. I am thinking about doing the same
  thing so that people can either use that information to block the IP's or
  to do whatever they want for that matter.

I have displayed all seen Nimda cases for several months now. 
(http://hvdkooij.xs4all.nl/logging.cms)

I also run earlybird so the owner of the IP block that has an offending 
machine gets one warning per day informing them of their problem.

I am under the impression that it has some impact. (Now ISPs and such will 
learn about infections within a minute after a machine in their netblock 
starts harassing me.)

Hugo.

-- 
All email sent to me is bound to the rules described on my homepage.
    hvdkooij () vanderkooij org         http://hvdkooij.xs4all.nl/
            Don't meddle in the affairs of sysadmins,
            for they are subtle and quick to anger.

