Re: Publishing Nimda Logs

[Ron DuFresne <dufresne () winternet com>]

I've also pretty much given up on trying to clue folks to nimda issues
they still have, same with code red variants which are still plentiful.
I've started to blackhole whol IP blocks due to this problem.  Some
companies, even when notified of their systems compromise and their
being used to further attack other systems don't even take the time to
either investigate, nor repair such systems.  We've taken to having to
block the whole netspace for many sites, such as the City of Ashland in
Oregon, (NETBLK-SPRINT-D00150-2) SPRINT-D00150-2 208.1.80.0 -
208.1.83.255, whose systems are so infested with code-red and nimda
variants and who fail as well as Sprint, their upstream provider, in
taking any action about their systems attacks on others on the Internet
infamous highway.   We tried to actually call and talk to their techs and
were rudely hung up on, this after over 6 months of notifications to them
and their upstream ISP Sprint.  Although Jose Nazario does mention these
systems can be 0w3d after a publication of IP's of infected systems, I'm
at this point not caring if they get taken.  They are a pain and further
spreading their problem as it is.  I suspect many of these systems are at
least partially 0w3d and used as DDOS mechanisms already.  The hame of
shame list should include the ISP's in question too, the upstreams have
been notified as well as the direct offender, most many times over many
months.  Nothing else has worked...

Thanks,

Ron DuFresne


On Tue, 7 May 2002, Chip McClure wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> I vote for option #1.
>
> I've gone pretty much the same route as you have, and I might as well have
> been talking to a wall. Notified ISP's, and where possible, the
> individuals themselves - nothing has been done about it. I still get quite
> a number of Nimda probes per day, not only on my home system, but also
> that of my data center servers. It gets highly annoying, to see that
> people, and also corporations do not patch their systems. Whether this is
> through ignorance, or lack of knowledge - they have to be held accountable
> for their actions. Enough warnings by 90% of the ISP's, Microsoft, and
> numerous others, on how to disable IIS, patch it or do whatever. The
> knowledge, and ability is definitley there to take care of the problem.
>
> Chip
>
> - -----
> Chip McClure
> Sr. Unix Administrator
> GigGuardian, Inc.
>
> http://www.gigguardian.com/
> - -----
>
> On Tue, 7 May 2002, Deus, Attonbitus wrote:
>
> >   It is truly sad that so many people are still infected with Nimda. There
> >   is a company with my corporate ISP that I have notified 3 times now that
> >   they are attacking other systems. It seems they can't figure out how not
> >   to install Win2k/IIS5.0 while connected to the net. The sad thing is that
> >   this is a computer company.
> >
> >   I have seen a site where people have published the IP of the offending
> >   boxes for stuff like Nimda and CR. I am thinking about doing the same
> >   thing so that people can either use that information to block the IP's or
> >   to do whatever they want for that matter.
> >
> >   I'm curious to see how other feel about this. Is it:
> >
> >   1) Recommended. Go for it and publish the IP's and let the "Gods of IP"
> >   sort out the damage.
> >   2) A Bad Thing. These are innocent victims, and you will just have them be
> >   attacked by evil people.
> >   3) Boring. Who cares? It's Nimda, and an everyday part of life. Deal with
> >   it and ignore the logs.
> >
> >   If "1," then I was thinking of going with a "Hall of Shame" and providing
> >   ARIN look ups, contacts, and the whole bit. I could even allow other
> >   people to post logs there and stuff like that...
> >
> >   Input appreciated.
> >
> >   AD
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 6.5.8
> Comment: Made with pgp4pine 1.76
>
> iQA/AwUBPNgLTJuKtP8CSC69EQK3iACfdq4BP2OVZeuyqIKgcF1xkgff92oAoIdc
> XtZOObYa8BuKLa8IESKM0+oW
> =spj0
> -----END PGP SIGNATURE-----

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.