Security Incidents mailing list archives

Re: Publishing Nimda Logs

From: "Rainer Duffner" <rainer () ultra-secure de>
Date: Wed, 08 May 2002 08:28:40 +0000

Deus, Attonbitus writes:

It is truly sad that so many people are still infected with Nimda.There is a company with my corporate ISP that I have notified 3 timesnow that they are attacking other systems. It seems they can't figureout how not to install Win2k/IIS5.0 while connected to the net.

That's hardly news, I'm afraid ;-)

thing so that people can either use that information to block the IP'sor to do whatever they want for that matter.


The problem lies in the "whatever they want".
See this CNET-article http://news.com.com/2100-1001-899245.html

on the subject of "open" servers.

I'm curious to see how other feel about this. Is it:
  1) Recommended. Go for it and publish the IP's and let the "Gods of IP"
     sort out the damage.
2) A Bad Thing. These are innocent victims, and you will just have thembe attacked by evil people.3) Boring. Who cares? It's Nimda, and an everyday part of life. Dealwith it and ignore the logs.

If you have Apache et.al. No3 is the best option. ;-)Everything else, like building lists of vulnerable IPs can either beconsidered a "hobby" or will help script-kiddies and IRC-weenies buildan army of zombies in the medium term.

ARIN (+RIPE + APNIC + ...) information isn't very reliable anyway.
There have been several threads about this.

And if you've complained to SPAM before, you may already know this.As you mentioned, the company didn't really act on your complaints.If you really feel so bad about their network vs. your network, thanblackhole them.



cheers,
Rainer
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Rainer Duffner                   Munich
rainer () ultra-secure de          Germany
http://www.i-duffner.de        Freising
========================================
   When shall we three meet again
 In thunder, lightning, or in rain?

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.

For more information on this free incident handling, managementand tracking system please see: http://aris.securityfocus.com

Current thread:

Publishing Nimda Logs Deus, Attonbitus (May 07)
- Re: Publishing Nimda Logs Hugo van der Kooij (May 08)
- Re: Publishing Nimda Logs Glenn Forbes Fleming Larratt (May 08)
- Re: Publishing Nimda Logs Rainer Duffner (May 08)
  - Re: Publishing Nimda Logs Mally Mclane (May 08)
    - RE: Publishing Nimda Logs Steve Zenone (May 08)
- Re: Publishing Nimda Logs E (May 08)
  - RE: Publishing Nimda Logs Benjamin Tomhave (May 08)
- Re: Publishing Nimda Logs John Kristoff (May 08)
- Re: Publishing Nimda Logs jlewis (May 08)
- <Possible follow-ups>
- Re: Publishing Nimda Logs Thomas Frerichs (May 08)
- Re: Publishing Nimda Logs Justin Shore (May 08)
  - Re: Publishing Nimda Logs Mally Mclane (May 08)
- Re: Publishing Nimda Logs Richard . Smith (May 08)

(Thread continues...)