Re: Publishing Nimda Logs

From: Richard.Smith@predictive.com
Date: 05/08/02
To: <jlewis@lewis.org>
From: Richard.Smith@predictive.com
Date: Wed, 8 May 2002 12:38:49 -0400

Why not publish the list and only include the source netblock? That way
you're still getting the info out there, but you're not allowing a script
kiddie to simply cut and paste your host list into a bot script.

-Rich

<jlewis@lewis.org>
05/08/2002 01:56 AM

        To: "Deus, Attonbitus" <Thor@HammerofGod.com>
        cc: <INCIDENTS@securityfocus.com>
        Subject: Re: Publishing Nimda Logs
On Tue, 7 May 2002, Deus, Attonbitus wrote:

> I'm curious to see how other feel about this. Is it:
>
> 1) Recommended. Go for it and publish the IP's and let the "Gods of IP"
> sort out the damage.
> 2) A Bad Thing. These are innocent victims, and you will just have them be
> attacked by evil people.
> 3) Boring. Who cares? It's Nimda, and an everyday part of life. Deal with
> it and ignore the logs.

1 and 3. Some people (those not running MS Crap) probably won't care, but
if it's something you want to do, why should that stop you? On some of my
personal systems, I've actually set up code to watch apache for Nimda/CR
sorts of requests, and firewall them for 24h in addition to emailing me
the IP, mostly to keep them from filling my access_logs with their crap.
I've also implemented this on a big web hosting server because Nimda/CR
probes were actually causing performance issues on the server.

This has doubled as an early warning system notifying me that a Windows-
running coworker has been infected before they know it.

If you maintain a list that's easily fetchable, it wouldn't surprise me at
all if some people choose to grab it at regular intervals and use it to
block access to their web servers.

-- 
----------------------------------------------------------------------
 Jon Lewis *jlewis@lewis.org*|  I route
 System Administrator        |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
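The mechanism Jon describes (watch the Apache access log for Nimda/Code Red style requests, firewall the source for 24h, and notify) and Rich's suggestion of publishing only source netblocks can both be shown in one short script. The following is an added example, not code from either poster: the log lines are constructed, the request markers are the well-known Nimda/Code Red probe paths (cmd.exe, root.exe, default.ida, the double-encoded traversal), and the netblock size is assumed to be /24 since the thread does not say which prefix length Rich had in mind. The firewall and e-mail actions are left as a print statement where the real hook would go.

```python
import re
import ipaddress
from datetime import datetime, timedelta

# Constructed sample lines in Apache combined log format (not from the original post).
SAMPLE_LOG = """\
192.0.2.10 - - [08/May/2002:01:12:33 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 283 "-" "-"
192.0.2.10 - - [08/May/2002:01:12:34 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 283 "-" "-"
198.51.100.7 - - [08/May/2002:01:15:02 -0400] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 283 "-" "-"
203.0.113.5 - - [08/May/2002:01:20:11 -0400] "GET /index.html HTTP/1.1" 200 1524 "-" "Mozilla/4.0"
192.0.2.77 - - [08/May/2002:03:40:59 -0400] "GET /_vti_bin/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 283 "-" "-"
"""

# Source IP, bracketed timestamp, method and request path of a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Request substrings characteristic of Nimda / Code Red probes against IIS.
WORM_MARKERS = ("/root.exe", "/cmd.exe", "/default.ida", "%255c", "%c0%af")


def parse_line(line):
    """Return (ip, timestamp, path) for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), m.group("path")


def is_worm_probe(path):
    """True when the request path carries one of the worm markers (case-insensitive)."""
    lowered = path.lower()
    return any(marker in lowered for marker in WORM_MARKERS)


def active_blocks(log_text, now_str, ttl_hours=24):
    """Map each probing source IP to the time its block expires.

    now_str uses the same format as the log timestamps. Every new probe
    refreshes the timer, and entries already expired at `now` are dropped,
    which mirrors a firewall rule that is removed after ttl_hours.
    """
    now = datetime.strptime(now_str, TS_FMT)
    ttl = timedelta(hours=ttl_hours)
    expiry = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, path = rec
        if is_worm_probe(path):
            expiry[ip] = ts + ttl
    return {ip: t for ip, t in expiry.items() if t > now}


def publish_netblocks(ips, prefix=24):
    """Collapse host addresses to their enclosing networks (prefix length is an assumption)."""
    nets = {ipaddress.ip_network(f"{ip}/{prefix}", strict=False) for ip in ips}
    return [str(n) for n in sorted(nets)]


if __name__ == "__main__":
    blocks = active_blocks(SAMPLE_LOG, "08/May/2002:12:00:00 -0400")
    for ip, until in sorted(blocks.items()):
        # A real deployment would insert a firewall rule and send the e-mail here.
        print(f"block {ip} until {until.isoformat()}")
    print("publishable netblocks:", publish_netblocks(blocks))
```

Run against the sample, the script blocks the three probing hosts and leaves the ordinary GET alone; the published form collapses them to two /24s, so a reader of the list learns which networks are emitting worm traffic without getting a ready-made host list.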

---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com