Vulnerability Development mailing list archives

Re: Publishing Nimda Logs


From: H C <keydet89 () yahoo com>
Date: Tue, 7 May 2002 11:15:34 -0700 (PDT)

Tim,

Between you, me, and the fence post...

  1) Recommended. Go for it and publish the IP's and let the "Gods of IP"
  sort out the damage.
  2) A Bad Thing. These are innocent victims, and you will just have them be
  attacked by evil people.
  3) Boring. Who cares? It's Nimda, and an everyday part of life. Deal with
  it and ignore the logs.

  If "1," then I was thinking of going with a "Hall of Shame" and providing
  ARIN look ups, contacts, and the whole bit. I could even allow other
  people to post logs there and stuff like that...

I'll put in my vote for 3.  

I don't think that 2 applies...clueless victim, yes,
but innocent...no.  I think a lot of people are
confused that if they follow one method of installing
patch rollups, they won't necessarily get the dir
traversal patch.

Things like posting this info, along with the ARIN
info, will lead to problems.  Not only is it going to
be work intensive, but how do you propose verifying
the info?  What's to prevent someone from forging logs
showing their competitor having Nimda, and then having
a large portion of the folks who monitor your site
arbitrarily block those IPs?

Remember what the Attrition guys talked about at last
year's Blackhat?  They thought they were providing a
service, and things changed as they progressed.

If one particular IP is being a problem, let them
know.  I did that recently...found out that the system
in question was the admin's workstation.  I have no
idea why the admin is running IIS, or allowing an
infected system (he knew he had Nimda) to remain
connected to the Net for so long...but the scans
weren't successful, and didn't consume enormous
amounts of bandwidth.

Of course, some have put forth the idea of hacking
into the box and shutting it down yourself...something
I don't recommend.

