Vulnerability Development mailing list archives

Re: Publishing Nimda Logs


From: Erik Fichtner <techs () obfuscation org>
Date: Tue, 7 May 2002 19:44:50 -0400

On Tue, May 07, 2002 at 12:53:13PM -0700, RSnake wrote:
> If telling them isn't working, tell their upstream.
> Get it patched, don't advertise the attacks to the world.

Obviously you haven't been reporting much in the way of Nimda scanning.

Most upstreams don't care.  





I'd have to vote for not publishing the list of machines.   Go with 
something like Earlybird. (though, please, for the love of all things
holy, don't use something that sends an email *every damn time*
cmd.exe is attempted.. That's impolite.) 

If they don't fix it by the third time you see them, blackhole the IP 
forever.

It's really a shame we can't BGP RBL [1] all these /32's out of existence 
without completely collapsing BGP in the process. :/    There really
needs to be some kind of global-Internet-death-penalty for hosts with
systemic, long-term security problems caused by admins that can't or
won't care otherwise.  (though, if you ask me, any netblock with an
unresponsive administration staff should be completely blackholed. 
Just dump the AS on the floor until they get a clue *and keep it*.
It's acceptable to have security problems these days, everyone has one
eventually, but systemic problems caused by ISPs that are unwilling
to step up and put an end to their security problems on a per-customer 
basis should not be allowed to route. period.  okay.  End rant. )


[1] or other actually technically feasible process, whatever it may be.

-- 
                        Erik Fichtner; Unix Ronin
                    http://www.obfuscation.org/techs/
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."  -- Benjamin Franklin, 1759
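
An added example, not part of the original message: one way to turn the policy described above (notify per sighting rather than per cmd.exe request, blackhole on the third sighting) into a log tally. It assumes Apache common log format and treats a "sighting" as one calendar day with at least one probe; `plan_actions` and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache common log format: client IP, [timestamp], "request line"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)"')
# Nimda's IIS probes ask for cmd.exe or root.exe
PROBE_RE = re.compile(r"(?:cmd|root)\.exe", re.IGNORECASE)
BLACKHOLE_AFTER = 3  # "the third time you see them"

# Constructed sample lines (documentation address ranges)
SAMPLE = [
    '192.0.2.10 - - [05/May/2002:01:10:02 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 -',
    '192.0.2.10 - - [05/May/2002:01:10:03 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 -',
    '192.0.2.10 - - [06/May/2002:09:41:17 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -',
    '192.0.2.10 - - [07/May/2002:19:02:55 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -',
    '198.51.100.7 - - [07/May/2002:03:15:40 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 -',
    '198.51.100.7 - - [07/May/2002:03:15:41 -0400] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -',
    '203.0.113.5 - - [07/May/2002:12:00:00 -0400] "GET /index.html HTTP/1.0" 200 1043',
]

def plan_actions(lines):
    """Return (notify, blackhole).

    notify: one (ip, date) per sighting, however many probes arrived that day.
    blackhole: IPs seen probing on BLACKHOLE_AFTER or more distinct days.
    """
    days = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not PROBE_RE.search(m.group(3)):
            continue  # unparseable line or ordinary request
        ip, stamp, _request = m.groups()
        # Drop the UTC offset and keep the server-local calendar day
        days[ip].add(datetime.strptime(stamp.split()[0], "%d/%b/%Y:%H:%M:%S").date())
    notify, blackhole = [], []
    for ip in sorted(days):
        seen = sorted(days[ip])
        # Sightings before the threshold earn a notice; reaching it earns a drop
        notify.extend((ip, d.isoformat()) for d in seen[:BLACKHOLE_AFTER - 1])
        if len(seen) >= BLACKHOLE_AFTER:
            blackhole.append(ip)
    return notify, blackhole

if __name__ == "__main__":
    notices, drops = plan_actions(SAMPLE)
    print("notify:", notices)
    print("blackhole:", drops)
```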
