1. If it's getting out of hand, run Earlybird. It will automatically e-mail both the abuse and ARIN contacts for any IP that it detects.
   http://www.treachery.net/~jdyson/earlybird/

2. If you don't mind all the attacks, just set up a simple filter in Apache to ignore them. I do the following:

    # Log only requests that did NOT get the "trash" environment variable set
    CustomLog /var/www/logs/access_log combined env=!trash

    # Request_URI is matched as a regex (without the query string); any hit sets "trash"
    SetEnvIf Request_URI /scripts trash
    SetEnvIf Request_URI /default.* trash
    SetEnvIf Request_URI /winnt trash
    SetEnvIf Request_URI \.dll trash          # escaped dot: a literal ".dll"
    SetEnvIfNoCase Request_URI /msadc trash   # case-insensitive, catches /MSADC too

Then for virtuals it's the same thing:

    <VirtualHost 1.2.3.4>
        # the SetEnvIf rules above apply here too; only the log target changes
        CustomLog /home/username/website-access_log combined env=!trash
    </VirtualHost>

That way it doesn't clog my weblogs with 'trash' :)

-- Matthew

----- Original Message -----
From: "H C" <keydet89at_private>
To: "Deus, Attonbitus" <Thorat_private>
Cc: <vuln-devat_private>
Sent: Tuesday, May 07, 2002 2:15 PM
Subject: Re: Publishing Nimda Logs

> Tim,
>
> Between you, me, and the fence post...
>
> > 1) Recommended. Go for it and publish the IPs and let the "Gods of IP"
> > sort out the damage.
> > 2) A Bad Thing. These are innocent victims, and you will just have them be
> > attacked by evil people.
> > 3) Boring. Who cares? It's Nimda, and an everyday part of life. Deal with
> > it and ignore the logs.
> >
> > If "1," then I was thinking of going with a "Hall of Shame" and providing
> > ARIN look ups, contacts, and the whole bit. I could even allow other
> > people to post logs there and stuff like that...
>
> I'll put in my vote for 3.
>
> I don't think that 2 applies...clueless victim, yes, but innocent...no. I
> think a lot of people are confused that if they follow one method of
> installing patch rollups, they won't necessarily get the dir traversal patch.
>
> Things like posting this info, along with the ARIN info, will lead to
> problems. Not only is it going to be work intensive, but how do you propose
> verifying the info? What's to prevent someone from forging logs showing their
> competitor having Nimda, and then having a large portion of the folks who
> monitor your site arbitrarily block those IPs?
>
> Remember what the Attrition guys talked about at last year's Blackhat? They
> thought they were providing a service, and things changed as they progressed.
>
> If one particular IP is being a problem, let them know. I did that
> recently...found out that the system in question was the admin's
> workstation. I have no idea why the admin is running IIS, or allowing an
> infected system (he knew he had Nimda) to remain connected to the Net for so
> long...but the scans weren't successful, and didn't consume enormous amounts
> of bandwidth.
>
> Of course, some have put forth the idea of hacking into the box and shutting
> it down yourself...something I don't recommend.
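As an added example (not code from the original thread or from either poster), the script below applies the same classification as Matthew's SetEnvIf "trash" rules to a handful of constructed combined-format log lines offline, drops the probes from the kept log just as env=!trash does, and tallies probe hits per source IP so that, as H C suggests, a single noisy source can be contacted directly instead of publishing the whole log. The Python regexes mirror the posted rules; the query string is stripped before matching since SetEnvIf's Request_URI excludes it. The log lines, timestamps and addresses are made up, and the request paths are typical worm probe strings rather than anything taken from the thread.

```python
"""Classify access-log lines the way the Apache 'trash' filter does and
count probe hits per source IP. Added example; sample data is constructed."""
import re
from collections import Counter

# Apache "combined" format:
#   host ident authuser [date] "request line" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)(?: (?P<proto>HTTP/\d\.\d))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# The posted SetEnvIf rules as Python regexes. They are matched against the raw
# request-line path, so encoded traversal sequences such as ..%255c.. need no
# decoding: the literal /scripts or /winnt is still present in the path.
TRASH_PATTERNS = [
    re.compile(r'/scripts'),
    re.compile(r'/default'),              # the posted /default.* is "/default" plus anything
    re.compile(r'/winnt'),
    re.compile(r'\.dll'),                 # literal ".dll"
    re.compile(r'/msadc', re.IGNORECASE), # SetEnvIfNoCase
]

# Constructed sample log (assumption: these hosts and times are invented).
SAMPLE_LOG = [
    '10.0.0.5 - - [07/May/2002:14:02:11 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 207 "-" "-"',
    '10.0.0.5 - - [07/May/2002:14:02:11 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 205 "-" "-"',
    '10.0.0.5 - - [07/May/2002:14:02:12 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 215 "-" "-"',
    '10.0.0.5 - - [07/May/2002:14:02:12 -0700] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 229 "-" "-"',
    '10.0.0.5 - - [07/May/2002:14:02:13 -0700] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 251 "-" "-"',
    '192.0.2.7 - - [07/May/2002:14:05:40 -0700] "GET /default.ida?XXXXXXXXXXXX HTTP/1.0" 404 213 "-" "-"',
    '198.51.100.3 - - [07/May/2002:14:06:02 -0700] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"',
    '198.51.100.3 - - [07/May/2002:14:06:03 -0700] "GET /images/logo.gif HTTP/1.1" 200 5120 "http://www.example.com/index.html" "Mozilla/4.0"',
    'garbage line that does not parse',
]


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    # Request_URI in SetEnvIf excludes the query string, so drop it before matching.
    rec['path'] = rec['uri'].split('?', 1)[0]
    return rec


def is_trash(path):
    """True when the path would get the 'trash' environment variable set."""
    return any(p.search(path) for p in TRASH_PATTERNS)


def triage(lines):
    """Split lines into (kept lines, probe hits per IP, number of unparseable lines)."""
    kept, probes, unparsed = [], Counter(), 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1          # never silently drop what we cannot parse
            continue
        if is_trash(rec['path']):
            probes[rec['ip']] += 1
        else:
            kept.append(line)
    return kept, probes, unparsed


def noisy_sources(probes, threshold):
    """IPs with at least `threshold` probe hits, most active first."""
    return [ip for ip, n in probes.most_common() if n >= threshold]


if __name__ == '__main__':
    kept, probes, unparsed = triage(SAMPLE_LOG)
    print(f'kept {len(kept)} lines, {unparsed} unparseable')
    for ip, n in probes.most_common():
        print(f'{ip}: {n} probe(s)')
    print('worth a note to the admin:', noisy_sources(probes, 3))
```

Run against a real access_log with `triage(open('access_log'))`; the unparsed counter is there so that a line the regex does not understand shows up as a number rather than vanishing, which matters when the log itself is the evidence.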
This archive was generated by hypermail 2b30 : Tue May 07 2002 - 13:39:24 PDT