On Tue, May 07, 2002 at 09:56:28AM -0700, Deus, Attonbitus wrote: > I have seen a site where people have published the IP of the offending > boxes for stuff like Nimda and CR. I am thinking about doing the same > thing so that people can either use that information to block the IP's or > to do whatever they want for that matter. Since I was one who published a list of over ten thousand hosts infected with Code Red last summer to this list and others, I can give you some insight. Before I posted the list, I asked a few people if I should and only a couple said I shouldn't. However, after I posted it, no one sent me any hate mail. The emails I did receive were more of the "oh, geez, thanks, I'll fix those right away!" type. I think for some, they wouldn't have known about them unless some published the list. For others they may have simply missed them in their own logs or intrusion detection reports, but they pay attention to lists like this. Others, well as you say, they go up on the wall of shame. Those who don't fix them are only slightly worse off with your published list. Anyone with a web server can sit back and collect the same logs you're getting. Based on my experience, I'd say go for it. ...and I'll thank you in advance if you help my organization in finding a infected host on our network that we may have missed. John ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Wed May 08 2002 - 09:03:16 PDT