RE: Publishing Nimda Logs

["Andy Wood" <network.design () cox net>]

        I think one should be careful.  Who is contacted is a key
question.  One scenario could be that a tech was contacted and he/she is
too clueless or uses some other negligent excuse as to why it is not
fixed.  Maybe they don't know how, or are too worried about their
reputation that is built on sand.

        This is not a foreign response to us either.  We have contacted
companies that fix what we present to them and they never call back.
This is foolishness, we never feed the ones that do call everything that
we found.  So they fix the simple one or two we give 'em and have no
idea about the rest.  We have even found network security companies, and
not just locals, but HUGE companies......and we're ignored.

        Hey, I just noticed your domain....funny story.  I contacted CSC
a couple of weeks ago about a few servers that you guys have that are
seriously vulnerable to attack.....Oh you guys were quick...contacted me
the same day.  Fished the info outta me and blew off my resume, or so it
seems.....but best is this:  They're still vulnerable 

        Well, I'm glad your company's stance is such of FULL disclosure.
You think I should disclose the IP addresses of your company's
vulnerable servers??  I mean, if people come looking to attack CSC it
could can draw attention to a lot of consecutive IP blocks of companies
in our area.  That wouldn't be fair to the others would it??



-----Original Message-----
From: brossini () csc com au [mailto:brossini () csc com au] 
Sent: Tuesday, May 07, 2002 11:16 PM
To: vuln-dev () securityfocus com
Subject: RE: Publishing Nimda Logs


I agree, these machines NEED to be cleaned and secured, OR removed from
the network.

It would, however,  be pretty niave of us to think that attackers
couldn't find lists of infected machines by other means. After all, we
promote full disclosure of software vulnerabilities, so why not full
disclosure of machines infected by worms and trojans that should have
been cleaned up long ago ? If (and only if) the users and ISP of the
problematic machines have been notified, then I don't see why lists of
this kind shouldn't be published, so that network admins can block the
offending traffic.

my (considerably less than) $0.02......

- Ben



|---------+---------------------------------->
|         |           "Silcock, Stephen"     |
|         |           <stephen_silcock@cleana|
|         |           way.com.au>            |
|         |                                  |
|         |           08/05/2002 10:35 AM    |
|         |                                  |
|---------+---------------------------------->
 
> -----------------------------------------------------------------------
--------------------------------------------------------|
  |
|
  |        To:      vuln-dev () securityfocus com
|
  |        cc:
|
  |        Subject: RE: Publishing Nimda Logs
|
 
> -----------------------------------------------------------------------
--------------------------------------------------------|





I think many people are underestimating the potential for damage these
machines hold...

Eli. K. Breen. put his (small, personal) list of infected hosts on a web
page and posted the address to the list.

I now have as a result a list of about 2000 infected, and therefore
trivially exploitable hosts.  While some may be dynamic IP's and some
may not be as trivially exploitable as it seems; 2000 is a good ballpark
figure.

I could; if I had the time and the inclination knock up a DDoS network
within the space of a day or two using that information - 2000 hosts is
no small number.

Add to that any other Nimda lists I can lay my hands on, not to mention
the even-more-trivially exploitable CodeRed backdoored machines and you
have a ready made DDoS network just waiting for someone to use it.

The machines need to be cleaned and set up securely.  If the people
running them can't do it they have no business having an internet
connection; they're a liabiltiy to the rest of the internet community...

Unfortunately there are only two ways I can see this happening; ISP's
being made accountable for allowing these hosts to remain connected, or
compromising the machines and patching/shutting them down in an
automated fashion, which is illegal pretty much everywhere I would
assume and probably not very effective as the machines would probably
just be rebuilt or restored insecurely as before.

So (resisting the urge to rant about Microsoft's buggy mass marketed
bloatware) it comes down to ISP's having to disconnect their own
customers...

My $0.02

S.   :)


PLEASE NOTE:

This email transmission is confidential and intended solely for the
addressee.  If you are not the intended addressee, you must not use,
disclose or print this transmission and you should delete it from your
system.




---
Incoming mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.351 / Virus Database: 197 - Release Date: 4/19/2002