Re: Publishing Nimda Logs

From: Meritt James (meritt_jamesat_private)
Date: Wed May 08 2002 - 12:52:20 PDT


    Happened, sorta.  He was caught, convicted and imprisoned.  See "A White
    hat goes to jail" at
    http://www.wired.com/news/culture/0,1284,44007,00.html
    
    "Healy, S. S., CTM2" wrote:
    > 
    > I'm just waiting for the day where a sysadmin gets fed up with being scanned
    > by NIMDA and rewrites NIMDA to start patching the systems it infects.
    > 
    > What would you call such a beast, a retro-virus or an anti-virus virus?
    > 
    > -Steve-
    > 
    > -----Original Message-----
    > From: Ron DuFresne [mailto:dufresneat_private]
    > Sent: Tuesday, May 07, 2002 6:48 PM
    > To: Chip McClure
    > Cc: Deus, Attonbitus; vuln-devat_private
    > Subject: Re: Publishing Nimda Logs
    > 
    > I've also pretty much given up on trying to clue folks to nimda issues
    > they still have, same with code red variants which are still plentiful.
    > I've started to blackhole whole IP blocks due to this problem.  Some
    > companies, even when notified of their systems compromise and their
    > being used to further attack other systems don't even take the time to
    > either investigate or repair such systems.  We've taken to having to
    > block the whole netspace for many sites, such as the City of Ashland in
    > Oregon, (NETBLK-SPRINT-D00150-2) SPRINT-D00150-2 208.1.80.0 -
    > 208.1.83.255, whose systems are so infested with code-red and nimda
    > variants and who fail as well as Sprint, their upstream provider, in
    > taking any action about their systems attacks on others on the Internet
    > infamous highway.   We tried to actually call and talk to their techs and
    > were rudely hung up on, this after over 6 months of notifications to them
    > and their upstream ISP Sprint.  Although Jose Nazario does mention these
    > systems can be 0w3d after a publication of IPs of infected systems, I'm
    > at this point not caring if they get taken.  They are a pain and further
    > spreading their problem as it is.  I suspect many of these systems are at
    > least partially 0w3d and used as DDOS mechanisms already.  The hall of
    > shame list should include the ISPs in question too, the upstreams have
    > been notified as well as the direct offender, most many times over many
    > months.  Nothing else has worked...
    > 
    > Thanks,
    > 
    > Ron DuFresne
    
    -- 
    James W. Meritt CISSP, CISA
    Booz | Allen | Hamilton
    phone: (410) 684-6566
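
The kind of triage Ron describes (pull the worm probes out of the web logs, count them per source, and null-route the blocks that keep coming back) as an added Python example; this is not code from anyone in this thread. The request-path fingerprints are the widely documented Nimda and Code Red probe strings; the log lines are constructed, use documentation address ranges (192.0.2.0/24, 198.51.100.0/24) rather than any real offender, and the /24 aggregation, the `min_probes` threshold, the `never` allowlist and the `ip route add blackhole` output format are choices of this example.

```python
"""Find Nimda / Code Red probes in Apache-style access logs and turn the
repeat offenders into blackhole routes aggregated to a configurable prefix."""
import ipaddress
import re
from collections import Counter, defaultdict

# Request-path fingerprints. The Code Red family hits /default.ida (the IIS
# Index Server ISAPI overflow); Nimda walks a list of IIS directory-traversal
# encodings and the root.exe / cmd.exe copies that Code Red II left behind.
# Matching is on the request path only; the status code does not matter,
# because a 404 from a patched host is still a probe worth counting.
SIGNATURES = (
    ("codered", re.compile(r"^/default\.ida\?", re.I)),
    ("nimda", re.compile(r"/(scripts|msadc)/root\.exe", re.I)),
    ("nimda", re.compile(r"^/[cd]/winnt/system32/cmd\.exe", re.I)),
    ("nimda", re.compile(
        r"\.\.(%255c|%%35c|%%35%63|%25%35%63|%252f|%c1%1c|%c0%2f|%c0%af|%c1%9c)",
        re.I)),
)

# NCSA common log format: host ident user [time] "method path proto" status bytes
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+')

# Constructed sample log (documentation address ranges, not real hosts).
SAMPLE_LOG = """\
192.0.2.10 - - [07/May/2002:18:48:01 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 278
192.0.2.10 - - [07/May/2002:18:48:01 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 278
192.0.2.10 - - [07/May/2002:18:48:02 -0700] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304
192.0.2.77 - - [07/May/2002:18:49:10 -0700] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 294
198.51.100.5 - - [07/May/2002:18:50:00 -0700] "GET /index.html HTTP/1.1" 200 1043
198.51.100.9 - - [07/May/2002:18:51:30 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 289
"""


def classify(path):
    """Return the worm family a request path looks like, or None."""
    for name, rx in SIGNATURES:
        if rx.search(path):
            return name
    return None


def parse_clf(line):
    """Return (source_ip, request_path) for a CLF line, or None if unparsable."""
    m = CLF.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("path")


def scan_log(lines):
    """Map each source IP to a Counter of worm probes seen from it."""
    hits = defaultdict(Counter)
    for line in lines:
        parsed = parse_clf(line)
        if parsed is None:
            continue
        ip, path = parsed
        worm = classify(path)
        if worm:
            hits[ip][worm] += 1
    return hits


def blackhole_networks(hits, prefix=24, min_probes=2, never=()):
    """Roll offenders with at least `min_probes` probes up into /prefix blocks
    and collapse adjacent blocks. Anything inside a `never` network (your own
    space, ranges you must keep reachable) is skipped before aggregation, so a
    single noisy host cannot drag a protected block into the null route."""
    protected = [ipaddress.ip_network(n) for n in never]
    nets = set()
    for ip, probes in hits.items():
        if sum(probes.values()) < min_probes:
            continue
        addr = ipaddress.ip_address(ip)
        if any(addr in p for p in protected):
            continue
        nets.add(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))
    return sorted(ipaddress.collapse_addresses(nets))


def blackhole_rules(nets):
    """Render one Linux 'ip route add blackhole' command per aggregated block."""
    return [f"ip route add blackhole {n}" for n in nets]


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG.splitlines())
    for ip, probes in sorted(hits.items()):
        print(ip, dict(probes))
    for rule in blackhole_rules(blackhole_networks(hits, prefix=24, min_probes=2)):
        print(rule)
```

On the sample log the /24 of 192.0.2.10 is null-routed (three Nimda probes), while 192.0.2.77 and 198.51.100.9 each show a single probe and stay below the threshold; lowering `min_probes` to 1 would also catch the 198.51.100.0/24 block unless it is listed in `never`. Aggregating to a prefix is what makes a blackhole list manageable at the scale Ron describes, but it is also what takes down the innocent neighbours of an infected host, so keep the allowlist honest and review the generated routes before applying them.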
    