Tim,

Between you, me, and the fence post...

> 1) Recommended. Go for it and publish the IPs and let the "Gods of IP" sort out the damage.
> 2) A Bad Thing. These are innocent victims, and you will just have them be attacked by evil people.
> 3) Boring. Who cares? It's Nimda, and an everyday part of life. Deal with it and ignore the logs.
>
> If "1," then I was thinking of going with a "Hall of Shame" and providing ARIN lookups, contacts, and the whole bit. I could even allow other people to post logs there and stuff like that...

I'll put in my vote for 3. I don't think that 2 applies...clueless victim, yes, but innocent...no. I think a lot of people are confused that if they follow one method of installing patch rollups, they won't necessarily get the dir traversal patch.

Things like posting this info, along with the ARIN info, will lead to problems. Not only is it going to be work intensive, but how do you propose verifying the info? What's to prevent someone from forging logs showing their competitor having Nimda, and then having a large portion of the folks who monitor your site arbitrarily block those IPs?

Remember what the Attrition guys talked about at last year's Blackhat? They thought they were providing a service, and things changed as they progressed.

If one particular IP is being a problem, let them know. I did that recently...found out that the system in question was the admin's workstation. I have no idea why the admin is running IIS, or allowing an infected system (he knew he had Nimda) to remain connected to the Net for so long...but the scans weren't successful, and didn't consume enormous amounts of bandwidth.

Of course, some have put forth the idea of hacking into the box and shutting it down yourself...something I don't recommend.
This archive was generated by hypermail 2b30 : Tue May 07 2002 - 12:41:49 PDT