Re: Publishing Nimda Logs

From: Glenn Forbes Fleming Larratt (glrattat_private)
Date: Wed May 08 2002 - 08:01:11 PDT

    "Truly sad"? I would use "pathetic" - the vulnerability for Code Red
    was only *months* old when CR came out; the (web directory traversal) one 
    for Nimda was *years* old.
    Frankly, I'm going to opine #3, although I'd not use "Boring" so much
    as "Futile" - consider:
    	- how long have ORBS and its knock-offs been around?
    	- is the open relay problem getting better?
    I'm all for public pressure, but unless you can convince a 
    large-enough-to-become-inconvenient bloc of domains to shun
    entire networks because they don't secure their systems, you're
    not going to get a critical mass of concern on the part of the
    (already) irresponsible people.
    It's also the case that (a) keeping such a thing properly up to date, and
    (b) avoiding the mistake of the open-relay-zealots (i.e. "you're in our
    list because we don't agree with your methods"[1]) will become nontrivial 
    over time.
    My strategy has been to only report/block the flagrant outside offenders, 
    and to ignore the small ones - and to immediately, without exception, shut
    down anyone in my network who gets himself infected.
    Conclusion: 3.5 Futile. It's Nimda, and it's not gonna stop as long as IPv4
    and IIS that ships UNPATCHED (*#$!) by default are out there. Deal with
    it, keep your own systems secure, and ignore the logs.
    [1] Our approach to open relay issues was to block SMTP from outside our
    network to any but our approved, properly secured mail servers. When
    we reported this to one of the open-relay-zealot sites, who had us listed,
    they refused to remove us from the list - not because we had an open relay,
    but because they could not get an SMTP connection to check every host in
    our network. We have taken the position that it is no-one's position to
    arbitrarily scan our network for vulnerabilities, for any reason, and
    told the aforementioned zealots to take a flyin' leap. 
    On Tue, 7 May 2002, Deus, Attonbitus wrote:
    >   It is truly sad that so many people are still infected with Nimda. There
    >   is a company with my corporate ISP that I have notified 3 times now that
    >   they are attacking other systems. It seems they can't figure out how not
    >   to install Win2k/IIS5.0 while connected to the net. The sad thing is that
    >   this is a computer company.
    >   I have seen a site where people have published the IP of the offending
    >   boxes for stuff like Nimda and CR. I am thinking about doing the same
    >   thing so that people can either use that information to block the IP's or
    >   to do whatever they want for that matter.
    >   I'm curious to see how other feel about this. Is it:
    >   1) Recommended. Go for it and publish the IP's and let the "Gods of IP"
    >   sort out the damage.
    >   2) A Bad Thing. These are innocent victims, and you will just have them be
    >   attacked by evil people.
    >   3) Boring. Who cares? It's Nimda, and an everyday part of life. Deal with
    >   it and ignore the logs.
    >   If "1," then I was thinking of going with a "Hall of Shame" and providing
    >   ARIN look ups, contacts, and the whole bit. I could even allow other
    >   people to post logs there and stuff like that...
    >   Input appreciated.
    >   AD
    Glenn Forbes Fleming Larratt         The Lab Ratt (not briggs :-) 
    There are imaginary bugs to chase in heaven.
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:
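As an added example, not part of the thread or of any poster's code: the triage policy Glenn describes (report only the flagrant outside offenders, ignore the small ones, and cut off any infected host inside your own network) written as a script over IIS W3C extended log lines. The log lines, the 10.0.0.0/8 "own network" range and the threshold of three probes are constructed assumptions; the request patterns are the ones Nimda actually sent (Code Red II's root.exe backdoor, and cmd.exe reached through IIS's Unicode / double-decode directory traversal).

```python
"""Tally Nimda-style probes per source IP and triage them.

Added example, not from the original thread. The sample log, the
"own network" range and the reporting threshold are constructed.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Nimda probed for Code Red II's root.exe backdoor and for cmd.exe via
# encoded "..%xx" directory traversal through IIS's scripts/MSADC dirs.
PROBE_RE = re.compile(
    r"(root\.exe|cmd\.exe|\.\.%(?:c0%af|c1%1c|255c|%5c|c0%2f|e0%80%af))",
    re.IGNORECASE,
)

# One IIS W3C line: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\d+)$")

# Constructed sample (IIS W3C extended format); not real traffic.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-05-07 10:01:02 203.0.113.7 GET /scripts/root.exe /c+dir 404
2002-05-07 10:01:02 203.0.113.7 GET /MSADC/root.exe /c+dir 404
2002-05-07 10:01:03 203.0.113.7 GET /c/winnt/system32/cmd.exe /c+dir 404
2002-05-07 10:01:03 203.0.113.7 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 404
2002-05-07 10:01:04 203.0.113.7 GET /scripts/..%c1%1c../winnt/system32/cmd.exe /c+dir 404
2002-05-07 10:02:10 198.51.100.9 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 404
2002-05-07 10:03:00 10.0.0.5 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
2002-05-07 10:03:00 10.0.0.5 GET /scripts/root.exe /c+dir 200
2002-05-07 10:03:00 10.0.0.5 GET /_vti_bin/..%255c../..%255c../winnt/system32/cmd.exe /c+dir 200
2002-05-07 10:04:00 192.0.2.44 GET /index.html - 200
"""


def parse_line(line):
    """Return a dict for a W3C log record, or None for comments/malformed lines."""
    if line.startswith("#"):
        return None
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    date, time, ip, method, stem, query, status = m.groups()
    return {"date": date, "time": time, "ip": ip, "method": method,
            "stem": stem, "query": query, "status": int(status)}


def is_probe(uri_stem):
    """True if the requested path looks like a Nimda / Code Red II probe."""
    return PROBE_RE.search(uri_stem) is not None


def triage(log_text, own_networks=("10.0.0.0/8",), min_hits=3):
    """Bucket probing hosts: 'internal' (shut down, any count), 'report'
    (outside host at or above min_hits), 'ignored' (outside, below threshold)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_probe(rec["stem"]):
            counts[rec["ip"]] += 1

    nets = [ip_network(n) for n in own_networks]  # assumed "own" ranges
    buckets = {"internal": {}, "report": {}, "ignored": {}}
    for ip, n in counts.items():
        addr = ip_address(ip)
        if any(addr in net for net in nets):
            buckets["internal"][ip] = n
        elif n >= min_hits:
            buckets["report"][ip] = n
        else:
            buckets["ignored"][ip] = n
    return buckets


if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_LOG).items():
        for ip, n in sorted(hosts.items(), key=lambda kv: -kv[1]):
            print(f"{bucket:9s} {ip:16s} {n} probe(s)")
```

The threshold is the knob that separates "flagrant" from "small"; raising it trades fewer abuse reports for more noise left in the logs. Status codes are deliberately ignored: the probes get 404s from a patched server and still identify the infected source, which is the whole point of publishing or blocking by source address.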

    This archive was generated by hypermail 2b30 : Wed May 08 2002 - 08:42:41 PDT