Re: Publishing Nimda Logs

["Nick Lange" <nicklange () wi rr com>]

nor is it suprising that most if not all of those ip's are cable modems
ips...
I currently block connections from 436 ips of similar ip blocks that also
scan my cable modem ... Daily...
I get reports as new unique ips are added and even now I *STILL* get a new
ip daily... it's sad really... I can publish this list somewhere if desired
by anyone. But back to the point, I thought [insert cable ISP here] took
steps to curtail / contact customers infected with this worm? I'm guessing
only 10% maximum of these ips actually mean to be exhibiting nimda-like
behaviour.
-nick
----- Original Message -----
From: "Andy Wood" <network.design () cox net>
To: "'Eli K. Breen'" <eli () gopostal ca>
Cc: <vuln-dev () securityfocus com>
Sent: Wednesday, May 08, 2002 6:53 AM
Subject: RE: Publishing Nimda Logs


> It's not surprising either that almost 50% of those listed have
> NetBIOS (TCP 139) open.
>
> -----Original Message-----
> From: Eli K. Breen [mailto:eli () gopostal ca]
> Sent: Tuesday, May 07, 2002 4:48 PM
> To: Deus, Attonbitus
> Cc: vuln-dev () securityfocus com
> Subject: RE: Publishing Nimda Logs
>
>
> I've been tracking nimda attacks and IPs with a tiny PERL script.
> Results are at http://www.sectornotfound.com/files/NIMDA.stats (since
> Sept. 18th
> 2001)
>
> -Eli
>
> -----Original Message-----
> From: Deus, Attonbitus [mailto:Thor () HammerofGod com]
> Sent: Tuesday, May 07, 2002 9:55 AM
> To: vuln-dev () securityfocus com
> Subject: Publishing Nimda Logs
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
>   It is truly sad that so many people are still infected with Nimda.
> There
>   is a company with my corporate ISP that I have notified 3 times now
> that
>   they are attacking other systems. It seems they can't figure out how
> not
>   to install Win2k/IIS5.0 while connected to the net. The sad thing is
> that
>   this is a computer company.
>
>   I have seen a site where people have published the IP of the offending
>   boxes for stuff like Nimda and CR. I am thinking about doing the same
>   thing so that people can either use that information to block the IP's
> or
>   to do whatever they want for that matter.
>
>   I'm curious to see how other feel about this. Is it:
>
>   1) Recommended. Go for it and publish the IP's and let the "Gods of
> IP"
>   sort out the damage.
>   2) A Bad Thing. These are innocent victims, and you will just have
> them be
>   attacked by evil people.
>   3) Boring. Who cares? It's Nimda, and an everyday part of life. Deal
> with
>   it and ignore the logs.
>
>   If "1," then I was thinking of going with a "Hall of Shame" and
> providing
>   ARIN look ups, contacts, and the whole bit. I could even allow other
>   people to post logs there and stuff like that...
>
>   Input appreciated.
>
>   AD
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 7.1
>
> iQA/AwUBPNgG94hsmyD15h5gEQI+igCg3plbeP+TLJcr71MfzkvHI+/t/dsAn2ve
> 83gug5UTKCYW+x4ZwNDPSTEE
> =P0lX
> -----END PGP SIGNATURE-----
>
>
> ---
> Incoming mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.351 / Virus Database: 197 - Release Date: 4/19/2002
>
>
> ---
> Outgoing mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.351 / Virus Database: 197 - Release Date: 4/19/2002