Vulnerability Development mailing list archives

Re: Publishing Nimda Logs


From: RSnake <rsnake () shocking com>
Date: Tue, 7 May 2002 12:53:13 -0700 (PDT)

| >   I have seen a site where people have published the IP of the offending
| >   boxes for stuff like Nimda and CR. I am thinking about doing the same
| >   thing so that people can either use that information to block the IP's or
| >   to do whatever they want for that matter.
| >
| >   I'm curious to see how others feel about this. Is it:
| >
| >   1) Recommended. Go for it and publish the IP's and let the "Gods of IP"
| >   sort out the damage.
|
|       Yep. Go ahead. Anything that happens to these suckers who had
| months and months to think about it and reinstall it some 150 times in a
| row deserve any bad publicity they can get. And the old adage "there's no
| such thing as bad advertising" is not always true.

        This is a terrible idea.  This isn't advertising, it is creating an
easy report to generate the largest denial of service platform the world has
ever seen.  There is nothing stopping me from using said scan to upload a
"patch" to those servers and block access to others but retain control myself.
How does that solve anything?  If telling them isn't working, tell their
upstream.  Get it patched, don't advertise the attacks to the world.  I
shouldn't have to tell the people on this list why publishing information that
might aid in breaking into national infrastructure could be construed as a very
bad thing to some congressman.  My vote is a huge no.  This has already been
discussed amongst some very large companies in Silicon Valley, and the
consensus was it is causing way more harm than good by publishing that
information.

| >   2) A Bad Thing. These are innocent victims, and you will just have them be
| >   attacked by evil people.
|
|       People with infected servers will almost certainly be warned, if
| not lots of times, at least once. So, as long as they are sitting ducks
| ignoring people's warnings, they are the evil people. We, that have to
| bear with their attacks are the innocent victims.

        I am not ashamed to say I was infected by a virus, and I was not warned
by anyone.  I eventually did a netstat in cygwin and found it myself.  This is
a bad assumption.

| >   3) Boring. Who cares? It's Nimda, and an everyday part of life. Deal with
| >   it and ignore the logs.
|
|       So is mugging, robbing and raping. But we don't have to ignore it.

        Agreed, let's not ignore it.  Inform ISPs and individuals that are
affected.  Don't publish it to the world.  This isn't like the open source
movement publishing a vulnerability.  We are talking about individual and
corporate security.

| >   If "1," then I was thinking of going with a "Hall of Shame" and providing
| >   ARIN look ups, contacts, and the whole bit. I could even allow other
| >   people to post logs there and stuff like that...
|
|       Great idea. If I can help in any way...

        I can't stress more what a bad idea this is.

RRrRRRr. | RSnake at shocking dot com                     0x7A69
RR'  `RR | EHAP Founder / WebFringe.com Founder
RR       | He who made kittens put snakes in the grass.
RR       | DSS:5923 76D7 0EC2 4553 7195 442B 8596 4849 2AA6 1F64
