[42680] in North American Network Operators' Group

Re: Online DB of IPs for Nimda worm infected machines

daemon@ATHENA.MIT.EDU (up@3.am)
Tue Sep 18 19:41:32 2001

Date: Tue, 18 Sep 2001 19:40:51 -0400 (EDT)
From: <up@3.am>
To: nanog@nanog.org
In-Reply-To: <5.1.0.14.0.20010918194304.030d86a0@pop3.uol.com.br>
Message-ID: <Pine.BSF.4.10.10109181935340.21970-100000@richard2.pil.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Errors-To: owner-nanog-outgoing@merit.edu



Yes!  ...and accurate (ntpsynch'd) times, too, please.  I just got a nimda
warning from secmbox3+nimda@UU.NET for a dynamic IP with a GMT/UTC
timestamp that doesn't correspond to any connections, but is close enough
to one that I *think* I know which user it is.

I'm also concerned about auto-blackholing/blocking dynamic IPs...

On Tue, 18 Sep 2001, Rubens Kuhl Jr. wrote:

> 
> 
> Please list probe time also. Dynamic IPs can only be traced to the actual 
> infected user with a time stamp.
> 
> 
> Rubens Kuhl Jr.
> 
> 
> >         http://seven.alameda.net/~ulf/nimda/
> >
> >I put up a page to search for infected IPs. This is the first version.
> >Currently I put IPs into it which probed me before about 2pm PDT.
> >I got email from 2 people who sent me their IPs, which I am going
> >to add when they ok it.
> >
> >You can right now search by SQL for IPs like: 64.81.%
> >This will display all IPs which probed me starting
> >with 64.81.
> >
> >What I am adding in the next minutes is a way for people
> >to submit single IPs or a bulk list themselves.
> 
> 

James Smallacombe		      PlantageNet, Inc. CEO and Janitor
up@3.am							    http://3.am
=========================================================================
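
Added example, not part of the original message: a sketch of the correlation the thread wants probe times for, matching a reported dynamic IP and UTC timestamp against an ISP's session records and showing how an inexact timestamp leaves the attribution ambiguous. The session log, user names, addresses and the five-minute skew tolerance are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

EDT = timezone(timedelta(hours=-4))  # assumed local zone of the session log

# Constructed sample session log: (user, assigned IP, start, end), local EDT.
SESSIONS = [
    ("alice", "192.0.2.17", "2001-09-18 09:02:11", "2001-09-18 09:58:40"),
    ("bob",   "192.0.2.17", "2001-09-18 10:01:05", "2001-09-18 11:30:00"),
    ("carol", "192.0.2.44", "2001-09-18 09:30:00", "2001-09-18 12:00:00"),
]

def _utc(local_str, tz=EDT):
    """Parse a local log timestamp and normalise it to UTC."""
    naive = datetime.strptime(local_str, "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=tz).astimezone(timezone.utc)

def attribute(ip, report_utc, sessions=SESSIONS, max_skew=timedelta(minutes=5)):
    """Map a reported (ip, UTC time) to the user(s) who could have held the IP.

    Returns (status, users, best_gap) where status is one of:
      'exact'     - one session covers the reported time
      'nearest'   - no session covers it, but one lies within max_skew
      'ambiguous' - several sessions are plausible; do not act automatically
      'none'      - nothing within max_skew
    """
    when = datetime.strptime(report_utc, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    candidates = []
    for user, sip, start, end in sessions:
        if sip != ip:
            continue
        s, e = _utc(start), _utc(end)
        # Gap is zero inside the session, else distance to its nearest edge.
        gap = timedelta(0) if s <= when <= e else min(abs(when - s), abs(when - e))
        if gap <= max_skew:
            candidates.append((gap, user))
    if not candidates:
        return ("none", [], None)
    candidates.sort()
    users = [u for _, u in candidates]
    best_gap = candidates[0][0]
    if len(candidates) > 1:
        return ("ambiguous", users, best_gap)
    return ("exact" if best_gap == timedelta(0) else "nearest", users, best_gap)
```

An 'ambiguous' or 'nearest' result is the case described in the message: the report is close to a session but does not identify one user with certainty, which is why automatic blocking keyed on a dynamic IP is risky.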

