Vulnerability Development mailing list archives
Re: Publishing Nimda Logs
From: H C <keydet89 () yahoo com>
Date: Tue, 7 May 2002 11:15:34 -0700 (PDT)
Tim,

Between you, me, and the fence post...
1) Recommended. Go for it and publish the IPs and let the "Gods of IP" sort out the damage.
2) A Bad Thing. These are innocent victims, and you will just have them be attacked by evil people.
3) Boring. Who cares? It's Nimda, and an everyday part of life. Deal with it and ignore the logs.

If "1," then I was thinking of going with a "Hall of Shame" and providing ARIN lookups, contacts, and the whole bit. I could even allow other people to post logs there and stuff like that...
I'll put in my vote for 3. I don't think that 2 applies...clueless victim, yes, but innocent...no. I think a lot of people are confused that if they follow one method of installing patch rollups, they won't necessarily get the dir traversal patch.

Things like posting this info, along with the ARIN info, will lead to problems. Not only is it going to be work intensive, but how do you propose verifying the info? What's to prevent someone from forging logs showing their competitor having Nimda, and then having a large portion of the folks who monitor your site arbitrarily block those IPs?

Remember what the Attrition guys talked about at last year's Blackhat? They thought they were providing a service, and things changed as they progressed.

If one particular IP is being a problem, let them know. I did that recently...found out that the system in question was the admin's workstation. I have no idea why the admin is running IIS, or allowing an infected system (he knew he had Nimda) to remain connected to the Net for so long...but the scans weren't successful, and didn't consume enormous amounts of bandwidth.

Of course, some have put forth the idea of hacking into the box and shutting it down yourself...something I don't recommend.