[Dshield] Nimda box reporting

KickerRick kickerrick at kickerrick.servebeer.com
Sat Aug 10 22:53:22 GMT 2002


    What I've been doing is using net send to warn the user of the box
directly. Most always works, and seldom do I see repeat attacks.
Occasionally I do;
    4.60.117.31 for example has attacked me repeatedly over the last 24 to
48 hours, and for some reason net send is unable to get through. It clearly
has an open NetBIOS port, I'm assuming it's a hacked infected
computer, and I get good pings to it in spite of the fact it seems to
constantly be scanning. It is an example of the exception.
Erick

----- Original Message -----
From: "Russell Washington" <russ.washington at vaultsentry.com>
To: <list at dshield.org>
Sent: Thursday, August 08, 2002 10:52 AM
Subject: [Dshield] Nimda box reporting


> Question for the masses... (knowing this will probably kick up a lot of
> dust, ducking)
>
> Does anyone know of a centralized... anything... for getting word to
> compromised box administrators that their boxes are compromised?  I'm
> specifically thinking Nimda, although it certainly isn't the only one to
> think about.
>
> It's easy enough to definitively determine whether a box scanning port 80 on
> your range is Nimda-infected, hit its IP in a web browser on a machine with
> decent real-time AV protection and bam, "I killed Nimda" dialog boxes start
> showing up.  Presumably (hopefully) the box admin would want to fix this...
> if they knew.
>
> But getting word to that admin about a confirmed infection... tricky...
>
> Anyway, just a thought.  Does any centralized notification thingamabob like
> this exist?  Or is the upshot that folks don't pay attention when they get
> these kinds of notifications anyway?
