Re: Publishing Nimda Logs

From: Nick Lange (nicklange@wi.rr.com)
Date: 05/08/02


From: "Nick Lange" <nicklange@wi.rr.com>
To: "Andy Wood" <network.design@cox.net>
Date: Wed, 8 May 2002 13:37:04 -0500

Nor is it surprising that most if not all of those IPs are cable modem
IPs...
I currently block connections from 436 IPs of similar IP blocks that also
scan my cable modem ... daily...
I get reports as new unique IPs are added, and even now I *STILL* get a new
IP daily... it's sad really... I can publish this list somewhere if desired
by anyone. But back to the point, I thought [insert cable ISP here] took
steps to curtail / contact customers infected with this worm? I'm guessing
only 10% maximum of these IPs actually mean to be exhibiting Nimda-like
behaviour.
-nick
----- Original Message -----
From: "Andy Wood" <network.design@cox.net>
To: "'Eli K. Breen'" <eli@gopostal.ca>
Cc: <vuln-dev@securityfocus.com>
Sent: Wednesday, May 08, 2002 6:53 AM
Subject: RE: Publishing Nimda Logs

> It's not surprising either that almost 50% of those listed have
> NetBIOS (TCP 139) open.
>
> -----Original Message-----
> From: Eli K. Breen [mailto:eli@gopostal.ca]
> Sent: Tuesday, May 07, 2002 4:48 PM
> To: Deus, Attonbitus
> Cc: vuln-dev@securityfocus.com
> Subject: RE: Publishing Nimda Logs
>
>
> I've been tracking Nimda attacks and IPs with a tiny Perl script.
> Results are at http://www.sectornotfound.com/files/NIMDA.stats (since
> Sept. 18th, 2001).
>
> -Eli
>
> -----Original Message-----
> From: Deus, Attonbitus [mailto:Thor@HammerofGod.com]
> Sent: Tuesday, May 07, 2002 9:55 AM
> To: vuln-dev@securityfocus.com
> Subject: Publishing Nimda Logs
>
>
>
> It is truly sad that so many people are still infected with Nimda. There
> is a company with my corporate ISP that I have notified 3 times now that
> they are attacking other systems. It seems they can't figure out how not
> to install Win2k/IIS5.0 while connected to the net. The sad thing is that
> this is a computer company.
>
> I have seen a site where people have published the IPs of the offending
> boxes for stuff like Nimda and CR. I am thinking about doing the same
> thing so that people can either use that information to block the IPs or
> to do whatever they want for that matter.
>
> I'm curious to see how others feel about this. Is it:
>
> 1) Recommended. Go for it and publish the IPs and let the "Gods of IP"
> sort out the damage.
> 2) A Bad Thing. These are innocent victims, and you will just have them
> be attacked by evil people.
> 3) Boring. Who cares? It's Nimda, and an everyday part of life. Deal with
> it and ignore the logs.
>
> If "1," then I was thinking of going with a "Hall of Shame" and providing
> ARIN lookups, contacts, and the whole bit. I could even allow other
> people to post logs there and stuff like that...
>
> Input appreciated.
>
> AD
>
>
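Eli's tracking script and Nick's daily report of newly seen unique IPs both describe the same job: pull Nimda probe requests out of a web server log, tally the source addresses, and notice the ones that are new today. Below is an added example of that job in Python; it is not Eli's Perl script and not from this thread. The log lines are constructed, the probe URIs are the ones Nimda is documented to send, and the log is assumed to be in NCSA Common Log Format.

```python
import re
from datetime import datetime

# Nimda (and the Code Red II backdoor it reuses) probes IIS for cmd.exe/root.exe via
# /scripts, /MSADC, /c, /d and Unicode or double-decoded traversal paths; matching on
# the executable name catches every documented variant regardless of the encoding.
PROBE_RE = re.compile(r"(?:cmd|root)\.exe", re.IGNORECASE)

# NCSA Common Log Format (Apache's default; IIS can be configured to write it too).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3})')

# Constructed sample log lines (documentation-range IPs, not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [07/May/2002:09:55:01 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 -
192.0.2.10 - - [07/May/2002:09:55:02 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 -
198.51.100.7 - - [07/May/2002:10:12:40 -0500] "GET /index.html HTTP/1.1" 200 1043
192.0.2.77 - - [07/May/2002:11:03:17 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
192.0.2.10 - - [08/May/2002:06:40:09 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
203.0.113.5 - - [08/May/2002:13:37:04 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 0
"""

def parse_line(line):
    """Return (ip, date, uri, status) for one CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    day = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z").date()
    return m.group("ip"), day, m.group("uri"), int(m.group("status"))

def tally_probes(lines):
    """Per probing IP: first-seen date, probe count, and how many probes this server
    answered with 2xx. A 2xx to a cmd.exe request means the request ran on *your*
    host, so those entries are an incident on your side, not just a noisy neighbour."""
    seen = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not PROBE_RE.search(rec[2]):
            continue          # unparseable, or ordinary traffic
        ip, day, _, status = rec
        e = seen.setdefault(ip, {"first_seen": day, "probes": 0, "succeeded": 0})
        e["first_seen"] = min(e["first_seen"], day)
        e["probes"] += 1
        e["succeeded"] += int(200 <= status < 300)
    return seen

def new_ips_on(seen, day):
    """IPs whose first probe fell on `day`: the daily 'new unique IP' report."""
    return sorted(ip for ip, e in seen.items() if e["first_seen"] == day)
```

Feed `tally_probes` the lines of a real access log and diff `new_ips_on` against yesterday's run to get the kind of daily report Nick describes; the `succeeded` counter is the field to watch on your own side.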