Re: Publishing Nimda Logs

From: John Kristoff (jtk@aharp.is-net.depaul.edu)
Date: 05/08/02


Date: Wed, 8 May 2002 05:45:03 -0500
From: John Kristoff <jtk@aharp.is-net.depaul.edu>
To: "Deus, Attonbitus" <Thor@HammerofGod.com>

On Tue, May 07, 2002 at 09:56:28AM -0700, Deus, Attonbitus wrote:
> I have seen a site where people have published the IP of the offending
> boxes for stuff like Nimda and CR. I am thinking about doing the same
> thing so that people can either use that information to block the IPs or
> to do whatever they want for that matter.

Since I was one who published a list of over ten thousand hosts infected
with Code Red last summer to this list and others, I can give you some
insight.

Before I posted the list, I asked a few people if I should and only
a couple said I shouldn't. However, after I posted it, no one sent me
any hate mail. The emails I did receive were more of the "oh, geez,
thanks, I'll fix those right away!" type. I think for some, they
wouldn't have known about them unless someone published the list. For
others they may have simply missed them in their own logs or intrusion
detection reports, but they pay attention to lists like this. Others,
well as you say, they go up on the wall of shame.

Those who don't fix them are only slightly worse off with your
published list. Anyone with a web server can sit back and collect
the same logs you're getting. Based on my experience, I'd say go
for it. ...and I'll thank you in advance if you help my organization
in finding an infected host on our network that we may have missed.

John

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com


