Vulnerability Development mailing list archives

RE: Publishing Nimda Logs

From: "Andy Wood" <network.design () cox net>
Date: Wed, 8 May 2002 07:53:26 -0400

        It's not surprising either that almost 50% of those listed have
NetBIOS (TCP 139) open.

-----Original Message-----
From: Eli K. Breen [mailto:eli () gopostal ca] 
Sent: Tuesday, May 07, 2002 4:48 PM
To: Deus, Attonbitus
Cc: vuln-dev () securityfocus com
Subject: RE: Publishing Nimda Logs

I've been tracking nimda attacks and IPs with a tiny PERL script.
Results are at http://www.sectornotfound.com/files/NIMDA.stats (since
Sept. 18th
2001)

-Eli

-----Original Message-----
From: Deus, Attonbitus [mailto:Thor () HammerofGod com]
Sent: Tuesday, May 07, 2002 9:55 AM
To: vuln-dev () securityfocus com
Subject: Publishing Nimda Logs

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

  It is truly sad that so many people are still infected with Nimda.
There
  is a company with my corporate ISP that I have notified 3 times now
that
  they are attacking other systems. It seems they can't figure out how
not
  to install Win2k/IIS5.0 while connected to the net. The sad thing is
that
  this is a computer company.

  I have seen a site where people have published the IP of the offending
  boxes for stuff like Nimda and CR. I am thinking about doing the same
  thing so that people can either use that information to block the IP's
or
  to do whatever they want for that matter.

  I'm curious to see how other feel about this. Is it:

  1) Recommended. Go for it and publish the IP's and let the "Gods of
IP"
  sort out the damage.
  2) A Bad Thing. These are innocent victims, and you will just have
them be
  attacked by evil people.
  3) Boring. Who cares? It's Nimda, and an everyday part of life. Deal
with
  it and ignore the logs.

  If "1," then I was thinking of going with a "Hall of Shame" and
providing
  ARIN look ups, contacts, and the whole bit. I could even allow other
  people to post logs there and stuff like that...

  Input appreciated.

  AD

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQA/AwUBPNgG94hsmyD15h5gEQI+igCg3plbeP+TLJcr71MfzkvHI+/t/dsAn2ve
83gug5UTKCYW+x4ZwNDPSTEE
=P0lX
-----END PGP SIGNATURE-----

---
Incoming mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.351 / Virus Database: 197 - Release Date: 4/19/2002

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.351 / Virus Database: 197 - Release Date: 4/19/2002

Current thread:

Re: Publishing Nimda Logs, (continued)
- - - Re: Publishing Nimda Logs Blue Boar (May 07)
    - Re: Publishing Nimda Logs Bernie Cosell (May 07)
    - Re: Publishing Nimda Logs Erik Fichtner (May 07)
- Re: Publishing Nimda Logs Jose Nazario (May 07)
- Re: Publishing Nimda Logs Chip McClure (May 07)
  - Re: Publishing Nimda Logs Ron DuFresne (May 07)
- Re: Publishing Nimda Logs hellNbak (May 07)
- Re: Publishing Nimda Logs Jonathan Bloomquist (May 07)
  - Re: Publishing Nimda Logs Lincoln Yeoh (May 08)
- RE: Publishing Nimda Logs Eli K. Breen (May 07)
  - RE: Publishing Nimda Logs Andy Wood (May 08)
    - Re: Publishing Nimda Logs Nick Lange (May 08)
- Re: Publishing Nimda Logs warchild (May 07)
- Re: Publishing Nimda Logs Boyd Lynn Gerber (May 08)
- Re: Publishing Nimda Logs mlafon (May 07)
- RE: Publishing Nimda Logs Silcock, Stephen (May 07)
- RE: Publishing Nimda Logs brossini (May 08)
  - RE: Publishing Nimda Logs Andy Wood (May 08)
  - RE: Publishing Nimda Logs Jose Nazario (May 08)
  - Re: Publishing Nimda Logs Clinton Smith (May 08)
- RE: Publishing Nimda Logs Alexander Sarras (ABG) (May 08)

(Thread continues...)