Security Incidents mailing list archives

Re: Publishing Nimda Logs


From: John Kristoff <jtk () aharp is-net depaul edu>
Date: Wed, 8 May 2002 05:45:03 -0500

On Tue, May 07, 2002 at 09:56:28AM -0700, Deus, Attonbitus wrote:
  I have seen a site where people have published the IP of the offending
  boxes for stuff like Nimda and CR. I am thinking about doing the same
  thing so that people can either use that information to block the IP's or
  to do whatever they want for that matter.

Since I was one who published a list of over ten thousand hosts infected
with Code Red last summer to this list and others, I can give you some
insight.

Before I posted the list, I asked a few people if I should and only
a couple said I shouldn't.  However, after I posted it, no one sent me
any hate mail.  The emails I did receive were more of the "oh, geez,
thanks, I'll fix those right away!" type.  I think for some, they
wouldn't have known about them unless someone published the list.  For
others they may have simply missed them in their own logs or intrusion
detection reports, but they pay attention to lists like this.  Others,
well as you say, they go up on the wall of shame.

Those who don't fix them are only slightly worse off with your
published list.  Anyone with a web server can sit back and collect
the same logs you're getting.  Based on my experience, I'd say go
for it.  ...and I'll thank you in advance if you help my organization
in finding an infected host on our network that we may have missed.

John

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com