What seems to be missed in this thread is the fact that Nimda is not limited to running on servers. Of all the machines that have used Nimda style probing against my IP address in the last week, not one has been a server. None of the machines respond to port 80. None of these machines have DNS or WHOIS records other than for the ISP who owns the IP block.
Perhaps things are different in other IP blocks. But in the block my machines are in, it appears that the infected machines are most likely desktops without virus protection. I find it unfathomable that significant numbers of servers currently exist which have not already been patched by now. The patch has been available for over 2 years now.

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms00-057.asp
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms00-078.asp

If we accept that the vast majority of machines which are currently infected with Nimda are desktop machines without Web servers, we are left with a few questions:

1. How would one "break in"? Using the same exploit as Nimda would most likely involve sending the owner an e-mail. This is problematic because the e-mail address is not known. If the e-mail address were known, we could just send the owner an e-mail. (Although the owner is probably already overwhelmed with bounces and what not because their machine is infected with Nimda...)

2. Who should the compromise be reported to? It is unlikely that any of these machines have SMTP servers running, so the direct approach will fail. There are no WHOIS/DNS records for the compromised machines, only the ISPs. It is likely that many compromised hosts do not even have static IP addresses, requiring the ISP to look through logs to determine who had a given IP address at a given time.

-----Original Message-----
From: Andreas Syka [mailto:[EMAIL PROTECTED]
Sent: Friday, September 13, 2002 2:20 AM
To: debian-security@lists.debian.org
Subject: Re: "suspicious" apache log entries

----- Original Message -----
From: "Geoff Crompton" <[EMAIL PROTECTED]>
To: <debian-security@lists.debian.org>
Sent: Friday, September 13, 2002 1:42 AM
Subject: Re: "suspicious" apache log entries

> I can see that sending an email is an appropriate legal, and
> responsible course of action.
> However to make his servers beep, you still need to perform an illegal
> act of cracking into his box. Regardless of what you intend to do when
> you get in there, it is still unauthorized access to the computer. If
> it is legal to crack a box for 'good' reasons, what do you think the
> real crackers will say they were doing if they get caught?

Ok, we had some posts saying that getting into someone's box and making some noise to get the admin's attention is comparable with walking into someone's house, sitting on the owner's sofa and waiting / leaving a note on the wall to tell him someone broke in - both are illegal unauthorized access.

Now that the owner is on holiday, his house is burning and my house is next to his, I should call the fire brigade to at least protect my own house, and the police - as I've seen someone who put the house on fire. Writing emails to them did work up to now and the owner is still not reachable too. The police are not interested - because there is a border between my house and the burning one. I should try to contact the police "over there".

Right, it's a bit stupid to use such a comparison - but it's somehow fun too. The person on holiday is just called "standard M$-certified admin".

> Unless we could popularise running a 'alert-me-if-my-box-is-screwy'
> daemon, which when it receives a message it beeps, displays a message,
> and keeps beeping until an operator acks the message.

Even ISPs do not really care about beeping boxes. When I carried my first holy 4U-server to my ISP last year, I was really shocked. Tons of beeping RAID-cards / power-supplies. They never would hear mine. And it's really not a small ISP (I guess the smaller ones would be able to act properly).

IMO the only proper solution would be to notify the person mentioned in the RIPE-handle / Domain-handle and hope that someone is going to react. Everything else is playing fire-policeman. Or some kind of self protection.
> Cheers
> Geoff

best regards
Andreas

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
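Added example, not part of any message in this thread: a small Python script that flags Nimda-style probe requests in an Apache access log and summarises them per source address in the form one would attach to a report to the abuse contact of the ISP that holds the block (the reporting path the posts above settle on). The log lines are constructed for the example; the request signatures (root.exe, cmd.exe, and the percent-encoded ".." traversal forms) are the ones commonly documented for Nimda and are used here as assumptions, not taken from the thread.

```python
import re
from datetime import datetime

# Constructed sample Apache combined-log lines (not taken from the thread).
# 10.0.0.7 and 10.0.0.9 send Nimda-style probes; 192.0.2.44 is ordinary traffic.
SAMPLE_LOG = """\
10.0.0.7 - - [13/Sep/2002:01:40:12 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276 "-" "-"
10.0.0.7 - - [13/Sep/2002:01:40:12 +0200] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 276 "-" "-"
10.0.0.7 - - [13/Sep/2002:01:40:13 +0200] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290 "-" "-"
192.0.2.44 - - [13/Sep/2002:01:41:02 +0200] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
192.0.2.44 - - [13/Sep/2002:01:41:05 +0200] "GET /images/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
10.0.0.9 - - [13/Sep/2002:02:10:44 +0200] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290 "-" "-"
10.0.0.9 - - [13/Sep/2002:02:10:45 +0200] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290 "-" "-"
"""

# Apache combined log format: client, ident, user, [timestamp], "request", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Assumed signatures: the request shapes commonly documented for Nimda.
SIGNATURES = [
    # root.exe: the renamed command shell left behind by an earlier worm, probed first
    ("root.exe", re.compile(r"root\.exe", re.I)),
    # direct invocation of cmd.exe through the web server
    ("cmd.exe", re.compile(r"cmd\.exe", re.I)),
    # ".." followed by a double-percent-encoded or overlong-UTF-8 slash/backslash
    ("traversal-encoding",
     re.compile(r"\.\.(?:%25|%%35|%c0%2f|%c0%af|%c1%9c|%c1%1c|%5c|%252f)", re.I)),
]


def parse_line(line):
    """Parse one combined-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    # Keep the zone offset: the ISP needs it to match its own address-assignment logs.
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def classify(path):
    """Return the names of all signatures that match the request path."""
    return [name for name, rx in SIGNATURES if rx.search(path)]


def summarize(log_text):
    """Group matching requests by source IP with count, first/last seen and samples."""
    per_ip = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = classify(rec["path"])
        if not hits:
            continue
        entry = per_ip.setdefault(rec["ip"], {
            "count": 0, "first": rec["ts"], "last": rec["ts"],
            "signatures": set(), "samples": [],
        })
        entry["count"] += 1
        entry["first"] = min(entry["first"], rec["ts"])
        entry["last"] = max(entry["last"], rec["ts"])
        entry["signatures"].update(hits)
        if len(entry["samples"]) < 3:
            entry["samples"].append(f'{rec["method"]} {rec["path"]} -> {rec["status"]}')
    return per_ip


def abuse_report(per_ip):
    """Render the per-source summary as plain text for an abuse report."""
    lines = []
    for ip, e in sorted(per_ip.items()):
        lines.append(f"Source {ip}: {e['count']} Nimda-style request(s), "
                     f"first {e['first'].isoformat()}, last {e['last'].isoformat()}")
        lines.append("  signatures: " + ", ".join(sorted(e["signatures"])))
        lines.extend("  " + s for s in e["samples"])
    return "\n".join(lines)


if __name__ == "__main__":
    print(abuse_report(summarize(SAMPLE_LOG)))
```

The report deliberately carries first-seen and last-seen timestamps with their zone offset and a few verbatim request lines: as the thread notes, the probing hosts are usually on dynamic addresses, so the ISP can only act if it can tie the address to a subscriber at a specific time. Run it over a real access log by passing the file contents to summarize() instead of SAMPLE_LOG.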