Re: Publishing Nimda Logs

From: John Kristoff (
Date: Wed May 08 2002 - 03:45:03 PDT


    On Tue, May 07, 2002 at 09:56:28AM -0700, Deus, Attonbitus wrote:
    >   I have seen a site where people have published the IP of the offending
    >   boxes for stuff like Nimda and CR. I am thinking about doing the same
    >   thing so that people can either use that information to block the IPs or
    >   to do whatever they want for that matter.
    Since I was one who published a list of over ten thousand hosts infected
    with Code Red last summer to this list and others, I can give you some
    Before I posted the list, I asked a few people if I should and only
    a couple said I shouldn't.  However, after I posted it, no one sent me
    any hate mail.  The emails I did receive were more of the "oh, geez,
    thanks, I'll fix those right away!" type.  I think for some, they
    wouldn't have known about them unless someone published the list.  For
    others they may have simply missed them in their own logs or intrusion
    detection reports, but they pay attention to lists like this.  Others,
    well as you say, they go up on the wall of shame.
    Those who don't fix them are only slightly worse off with your
    published list.  Anyone with a web server can sit back and collect
    the same logs you're getting.  Based on my experience, I'd say go
    for it.  ...and I'll thank you in advance if you help my organization
    in finding an infected host on our network that we may have missed.
    This list is provided by the SecurityFocus ARIS analyzer service.
