On Sat, 29 Sep 2001 06:42:40 PDT, H C <keydet89at_private> said:

> 1. Who was "patient 0"? Who was the first admin
> who contacted eEye with the initial reports? What
> domain first reported the "attacks"?

The problem is that the first admin to contact eEye was probably not "patient 0".

I know for Nimda, I think I was the first to post to the NANOG list and state that the CodeRed-style scans seemed to be related to an e-mail based virus. On the other hand, I only posted because there was *already* enough activity that it was causing blips on providers' traffic monitors. I was merely the first one to (a) get hit with a copy, (b) be using a Unix-based mail reader that didn't get infected (so I was able to do forensics rather than be busy recovering the system), (c) be subscribed to mailing lists that gave me the info needed to make the connection *and* (d) actually hit 'send' on the note. I posted to NANOG, then talked to some internal people, packaged the sucker up to send to the guys at Trend so they could get us some footprints to use in our Mirapoints - and by that time (maybe 45 minutes after I got into my office that morning), I didn't post to Bugtraq or Incidents because other people were already ahead of me on the forensics.

Finding "patient 0" for an Ebola outbreak is usually pretty easy, because patient 0 usually notices. What you're looking at is more like trying to track a food poisoning outbreak - but one in which everybody leaves the banquet, and they don't notice getting sick, but the 23rd person they meet notices that THEY get sick. A similar situation exists here - if the first call comes in to eEye at 9:15AM, their machine probably got nailed at 9:05AM. And it was probably actually released at 8:57AM, and gone through 5 or 6 hops already before it nails somebody who notices.
Even if every site actually keeps good logs (a dubious proposition at best), most won't have NTP-synchronized time - and all it will take is a few servers set via wristwatch time to totally muddy the trail.

Valdis Kletnieks
Operating Systems Analyst
Virginia Tech

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
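The clock-skew point above, as an added illustration that is not part of the original message: a handful of constructed "first probe seen" log records from five sites, two of which have clocks set by hand. Ordering the records by their raw timestamps puts a victim ahead of the host that supposedly infected it; once the per-host offsets (assumed here to have been measured against an NTP reference afterwards) are applied, the hop chain becomes consistent. Host names, source addresses, times and offsets are all made up for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class FirstHit:
    """What one site's web log shows for the first CodeRed-style probe it saw."""
    host: str             # the site that logged the probe
    source: str           # where the probe came from, per that log
    local_time: datetime  # timestamp as written by that site's own clock


# Constructed sample logs (not real data). Two sites have unsynchronized clocks.
SAMPLE_LOGS = [
    FirstHit("mail.a.example", "10.1.2.3",       datetime(2001, 9, 18, 8, 57, 0)),
    FirstHit("www.b.example",  "mail.a.example", datetime(2001, 9, 18, 9, 1, 0)),
    FirstHit("www.c.example",  "www.b.example",  datetime(2001, 9, 18, 8, 51, 0)),  # clock 12 min slow
    FirstHit("www.d.example",  "www.c.example",  datetime(2001, 9, 18, 9, 20, 0)),  # clock 9 min fast
    FirstHit("www.e.example",  "www.d.example",  datetime(2001, 9, 18, 9, 15, 0)),
]

# Assumed clock offsets in seconds, true_time = local_time - offset, as a
# responder might establish by checking each host against an NTP reference
# after the fact. Hosts not listed are taken to be synchronized.
CLOCK_OFFSETS = {
    "www.c.example": -720,  # 12 minutes slow
    "www.d.example": 540,   # 9 minutes fast
}


def corrected_time(hit, offsets):
    """Map a site's local timestamp onto the reference timeline."""
    return hit.local_time - timedelta(seconds=offsets.get(hit.host, 0))


def infection_order(hits, offsets=None):
    """Hosts ordered by the (corrected) time of their first logged probe."""
    offsets = offsets or {}
    return [h.host for h in sorted(hits, key=lambda h: corrected_time(h, offsets))]


def causality_violations(hits, offsets=None):
    """Return (victim, source) pairs where the victim's first hit is logged
    earlier than the first hit on the host that supposedly probed it.
    Any such pair means the trail, as timestamped, cannot be right."""
    offsets = offsets or {}
    by_host = {h.host: corrected_time(h, offsets) for h in hits}
    bad = []
    for h in hits:
        src_time = by_host.get(h.source)  # sources outside the sample are skipped
        if src_time is not None and corrected_time(h, offsets) < src_time:
            bad.append((h.host, h.source))
    return bad


if __name__ == "__main__":
    print("raw order:          ", infection_order(SAMPLE_LOGS))
    print("raw violations:     ", causality_violations(SAMPLE_LOGS))
    print("corrected order:    ", infection_order(SAMPLE_LOGS, CLOCK_OFFSETS))
    print("corrected violations:", causality_violations(SAMPLE_LOGS, CLOCK_OFFSETS))
```

With raw timestamps the slow-clocked www.c.example sorts first and looks like the origin, and two hops run backwards in time; after correction the chain reads a, b, c, d, e with no violations. The check is only as good as the offsets, which is the point of the message: without NTP there is nothing to measure them against except whoever still remembers what the wristwatch said.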
This archive was generated by hypermail 2b30 : Sun Sep 30 2001 - 11:28:07 PDT