Re: Publishing Nimda Logs

["Matthew McGehrin" <mcgehrin () reverse net>]

1. If its getting out of hand, run Earlybird. It will automatically E-mail
both Abuse and Arin Contacts for any IP that it detects.

http://www.treachery.net/~jdyson/earlybird/

2. If you don't mind all the attacks, just setup a simple filter in apache
to ignore them. I do the following:

CustomLog /var/www/logs/access_log combined env=!trash
SetEnvIf Request_URI /scripts                   trash
SetEnvIf Request_URI /default.*                 trash
SetEnvIf Request_URI /*/winnt                   trash
SetEnvIf Request_URI /*/*.dll                   trash
SetEnvIfNoCase Request_URI /msadc               trash

Then for virtuals its the same thing.

<VirtualHost 1.2.3.4>
        CustomLog       /home/username/website-access_log combined
env=!trash
</VirtualHost>

That way it doesn't clog my weblogs with 'trash' :)

-- Matthew





----- Original Message -----
From: "H C" <keydet89 () yahoo com>
To: "Deus, Attonbitus" <Thor () HammerofGod com>
Cc: <vuln-dev () securityfocus com>
Sent: Tuesday, May 07, 2002 2:15 PM
Subject: Re: Publishing Nimda Logs


> Tim,
>
> Between you, me, and the fence post...
>
> >   1) Recommended. Go for it and publish the IP's and
> > let the "Gods of IP"
> >   sort out the damage.
> >   2) A Bad Thing. These are innocent victims, and
> > you will just have them be
> >   attacked by evil people.
> >   3) Boring. Who cares? It's Nimda, and an everyday
> > part of life. Deal with
> >   it and ignore the logs.
> >
> >   If "1," then I was thinking of going with a "Hall
> > of Shame" and providing
> >   ARIN look ups, contacts, and the whole bit. I
> > could even allow other
> >   people to post logs there and stuff like that...
>
> I'll put in my vote for 3.
>
> I don't think that 2 applies...clueless victim, yes,
> but innocent...no.  I think a lot of people are
> confused that if they follow on method of installing
> patch rollups, they won't necessarily get the dir
> transversal patch.
>
> Things like posting this info, along with the ARIN
> info, will lead to problems.  Not only is it going to
> be work intensive, but how do you propose verifying
> the info?  What's to prevent someone from forging logs
> showing their competitor having Nimda, and then having
> a large portion of the folks who monitor your site
> arbitrarily block those IPs?
>
> Remember what the Attrition guys talked about at last
> year's Blackhat?  They thought they were providing a
> service, and things changed as they progressed.
>
> If one particular IP is being a problem, let them
> know.  I did that recently...found out that the system
> in question was the admin's workstation.  I have no
> idea why the admin is running IIS, or allowing an
> infected system (he knew he had Nimda) to remain
> connected to the Net for so long...but the scans
> weren't successful, and didn't consume enormous
> amounts of bandwidth.
>
> Of course, some have put forth the idea of hacking
> into the box and shutting it down yourself...something
> I don't recommend.
>
>
> __________________________________________________
> Do You Yahoo!?
> Yahoo! Health - your guide to health and wellness
> http://health.yahoo.com