Nor is it surprising that most if not all of those IPs are cable modem IPs... I currently block connections from 436 IPs of similar IP blocks that also scan my cable modem... Daily... I get reports as new unique IPs are added and even now I *STILL* get a new IP daily... it's sad really... I can publish this list somewhere if desired by anyone.

But back to the point, I thought [insert cable ISP here] took steps to curtail / contact customers infected with this worm? I'm guessing only 10% maximum of these IPs actually mean to be exhibiting nimda-like behaviour.

-nick

----- Original Message -----
From: "Andy Wood" <network.designat_private>
To: "'Eli K. Breen'" <eliat_private>
Cc: <vuln-devat_private>
Sent: Wednesday, May 08, 2002 6:53 AM
Subject: RE: Publishing Nimda Logs

> It's not surprising either that almost 50% of those listed have
> NetBIOS (TCP 139) open.
>
> -----Original Message-----
> From: Eli K. Breen [mailto:eliat_private]
> Sent: Tuesday, May 07, 2002 4:48 PM
> To: Deus, Attonbitus
> Cc: vuln-devat_private
> Subject: RE: Publishing Nimda Logs
>
>
> I've been tracking nimda attacks and IPs with a tiny PERL script.
> Results are at http://www.sectornotfound.com/files/NIMDA.stats
> (since Sept. 18th 2001)
>
> -Eli
>
> -----Original Message-----
> From: Deus, Attonbitus [mailto:Thorat_private]
> Sent: Tuesday, May 07, 2002 9:55 AM
> To: vuln-devat_private
> Subject: Publishing Nimda Logs
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> It is truly sad that so many people are still infected with Nimda.
> There is a company with my corporate ISP that I have notified 3 times
> now that they are attacking other systems. It seems they can't figure
> out how not to install Win2k/IIS5.0 while connected to the net. The
> sad thing is that this is a computer company.
>
> I have seen a site where people have published the IP of the offending
> boxes for stuff like Nimda and CR. I am thinking about doing the same
> thing so that people can either use that information to block the IP's
> or to do whatever they want for that matter.
>
> I'm curious to see how others feel about this. Is it:
>
> 1) Recommended. Go for it and publish the IP's and let the "Gods of
>    IP" sort out the damage.
> 2) A Bad Thing. These are innocent victims, and you will just have
>    them be attacked by evil people.
> 3) Boring. Who cares? It's Nimda, and an everyday part of life. Deal
>    with it and ignore the logs.
>
> If "1," then I was thinking of going with a "Hall of Shame" and
> providing ARIN look ups, contacts, and the whole bit. I could even
> allow other people to post logs there and stuff like that...
>
> Input appreciated.
>
> AD
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 7.1
>
> iQA/AwUBPNgG94hsmyD15h5gEQI+igCg3plbeP+TLJcr71MfzkvHI+/t/dsAn2ve
> 83gug5UTKCYW+x4ZwNDPSTEE
> =P0lX
> -----END PGP SIGNATURE-----
>
>
> ---
> Incoming mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.351 / Virus Database: 197 - Release Date: 4/19/2002
>
>
> ---
> Outgoing mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.351 / Virus Database: 197 - Release Date: 4/19/2002

This archive was generated by hypermail 2b30 : Wed May 08 2002 - 18:45:59 PDT