Hello,

at: http://seven.alameda.net/~ulf/nimda/ I put a page to search for infected IPs. This is the first version. Currently I put IPs into it which probed me before about 2pm PDT. I got email from 2 people who sent me their IPs, which I am going to add when they OK it.

You can right now search by SQL for IPs like: 64.81.% This will display all IPs which probed me starting with 64.81.

Things I am adding in the next minutes are so that people can submit themselves single IPs or a bulk list.

--
Regards, Ulf.
---------------------------------------------------------------------
Ulf Zimmermann, 1525 Pacific Ave., Alameda, CA-94501, #: 510-865-0204
Please list probe time also. Dynamic IPs can only be traced to the actual infected user with a time stamp.

Rubens Kuhl Jr.
Yes! ...and accurate (NTP-synch'd) times, too, please. I just got a Nimda warning from secmbox3+nimda@UU.NET for a dynamic IP with a GMT/UTC timestamp that doesn't correspond to any connections, but is close enough to one that I *think* I know which user it is.

I'm also concerned about auto-blackholing/blocking dynamic IPs...

On Tue, 18 Sep 2001, Rubens Kuhl Jr. wrote:
Please list probe time also. Dynamic IPs can only be traced to the actual infected user with a time stamp.
Rubens Kuhl Jr.
James Smallacombe
PlantageNet, Inc. CEO and Janitor
up@3.am
http://3.am
=========================================================================
On Tue, Sep 18, 2001 at 07:44:44PM -0300, Rubens Kuhl Jr. wrote:
Please list probe time also. Dynamic IPs can only be traced to the actual infected user with a time stamp.
Valid point. Hmmm, let me rearchitect this a bit to be able to track that.
--
Regards, Ulf.
---------------------------------------------------------------------
Ulf Zimmermann, 1525 Pacific Ave., Alameda, CA-94501, #: 510-865-0204
That is a handy feature; however, you should also see your local users scanning your own IP block as well. So a simple check of your web server log directly will isolate the infected user, complete with time stamps. The following utility will do it for you; if you want to check for just your local IP blocks you would use:

#!/usr/bin/perl
use strict;
use warnings;

# Print every access_log line that is a Nimda probe for /winnt/system32/
# and that came from one of your own hosts. Matching on a domain name only
# works if the log records resolved client names (HostnameLookups On);
# with numeric client addresses, match your own IP prefix here instead.
my $log = "/path/to/your/logs/access_log";
open(my $fh, '<', $log) or die "cannot open $log: $!";
while (my $line = <$fh>) {
    chomp $line;    # chomp, not chop: chop would also eat a real last character
    next unless $line =~ m{/winnt/system32/}i;
    next unless $line =~ /yourdomain\.com/i;
    print "$line\n";
}
close $fh;

---
Bill Larson
Network Administrator
Compu-Net Enterprises

----- Original Message -----
From: "Ulf Zimmermann" <ulf@Alameda.net>
To: "Rubens Kuhl Jr." <rkuhljr@uol.com.br>
Cc: <ulf@Alameda.net>; <nanog@nanog.org>
Sent: Tuesday, September 18, 2001 7:06 PM
Subject: Re: Online DB of IPs for Nimda worm infected machines
On Tue, Sep 18, 2001 at 07:44:44PM -0300, Rubens Kuhl Jr. wrote:
Please list probe time also. Dynamic IPs can only be traced to the actual infected user with a time stamp.
Valid point. Hmmm, let me rearchitect this a bit to be able to track that.
On Tue, Sep 18, 2001 at 03:18:01PM -0700, Ulf Zimmermann wrote:
Script now includes a way to add IPs. If you do not want to list your email address, send me the list and I will add it with an anon tag but keep a copy of who sent it to me.

--
Regards, Ulf.
---------------------------------------------------------------------
Ulf Zimmermann, 1525 Pacific Ave., Alameda, CA-94501, #: 510-865-0204
Version 3 online now. You can enter into the text area an IP per line or, if you want to submit the log date from your webserver logs, you can enter IP,date. Example:

10.10.10.10
or
10.10.10.10,18/Sep/2001:17:50:41 -0700

I also removed my entries and re-added the ones found by grepping for: grep -i /msadc/

This will add hosts several times, but as someone pointed out, a dynamic IP can change and it could be a different host each time.

I am going to add in a moment my log entries from my @Home segment.

--
Regards, Ulf.
---------------------------------------------------------------------
Ulf Zimmermann, 1525 Pacific Ave., Alameda, CA-94501, #: 510-865-0204
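Bill Larson's log check above and Ulf's IP,date submission format together describe a small pipeline: pull the Nimda probe requests out of an Apache access log with their time stamps, normalize the time (James's UTC point, so a dynamic-IP report can be matched against a lease record), and store the result so a prefix search like 64.81.% works. The Python below is an added example written for this page, not code from Ulf's site or from any poster. The log lines are constructed, using documentation address ranges; the request paths are the probe targets named in the thread (/msadc/, /winnt/system32/) plus the root.exe and cmd.exe filenames those probes request; the table layout is an assumption about what a rearchitected database might look like, not Ulf's actual schema.

```python
import re
import sqlite3
from datetime import datetime, timezone

# Constructed Apache common-log lines (not from the thread). The probe paths are
# the ones named on the page (/msadc/, /winnt/system32/) plus the root.exe and
# cmd.exe targets those probes request; 203.0.113.8 and 192.0.2.7 are ordinary
# hits that must not be reported.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Sep/2001:17:50:41 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 -
203.0.113.7 - - [18/Sep/2001:17:50:42 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 -
203.0.113.7 - - [18/Sep/2001:17:50:43 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
203.0.113.8 - - [18/Sep/2001:17:51:00 -0700] "GET /index.html HTTP/1.0" 200 1234
198.51.100.9 - - [18/Sep/2001:17:52:01 -0700] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
192.0.2.7 - - [18/Sep/2001:18:01:00 -0700] "GET /images/logo.gif HTTP/1.0" 200 4321
"""

# Common log format: client, ident, user, [time], "request", status.
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# The thread greps for the first two; root.exe/cmd.exe are what those probes request.
NIMDA_PROBE = re.compile(r'/msadc/|/winnt/system32/|root\.exe|cmd\.exe', re.IGNORECASE)
LOG_TIME = '%d/%b/%Y:%H:%M:%S %z'


def extract_probes(log_text, reporter):
    """Return (ip, log_time, utc_time, reporter) for every probe line.

    log_time is the raw field from the log, which is what the IP,date form
    takes; utc_time is the same instant normalized, so the report can be
    matched against a RADIUS/DHCP lease regardless of the reporter's zone.
    """
    rows = []
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m or not NIMDA_PROBE.search(m['path']):
            continue
        local = datetime.strptime(m['ts'], LOG_TIME)
        utc = local.astimezone(timezone.utc).strftime('%Y-%m-%dT%H:%M:%SZ')
        rows.append((m['ip'], m['ts'], utc, reporter))
    return rows


def submission_lines(rows):
    """Format rows as the 'IP,date' lines the version 3 text area accepts."""
    return [f'{ip},{log_time}' for ip, log_time, _, _ in rows]


def build_db(rows):
    """Load probes into an in-memory table keyed on (ip, time, reporter).

    Assumed schema, not Ulf's. Keeping the time in the key means the same
    address at different times stays as separate rows (it may be a different
    dynamic-IP user each time), while a bulk list submitted twice collapses.
    """
    conn = sqlite3.connect(':memory:')
    conn.execute(
        'CREATE TABLE probes (ip TEXT NOT NULL, probe_time_utc TEXT NOT NULL, '
        'reporter TEXT NOT NULL, UNIQUE (ip, probe_time_utc, reporter))'
    )
    conn.executemany('INSERT OR IGNORE INTO probes VALUES (?, ?, ?)',
                     [(ip, utc, rep) for ip, _, utc, rep in rows])
    conn.commit()
    return conn


PREFIX = re.compile(r'^\d{1,3}(\.\d{1,3}){0,3}\.?$')


def search_prefix(conn, prefix):
    """Find probes from an IPv4 prefix such as '64.81.' (the 64.81.% search).

    The caller supplies octets, not a LIKE pattern: the pattern is built here
    on an octet boundary, so '64.8' cannot also match 64.80.x .. 64.89.x, and
    no user-typed '%' or '_' can widen the query.
    """
    if not PREFIX.match(prefix):
        raise ValueError(f'not an IPv4 prefix: {prefix!r}')
    octets = prefix.rstrip('.').split('.')
    if len(octets) == 4:
        where, arg = 'ip = ?', '.'.join(octets)
    else:
        where, arg = 'ip LIKE ?', '.'.join(octets) + '.%'
    cur = conn.execute(
        f'SELECT ip, probe_time_utc, reporter FROM probes WHERE {where} '
        'ORDER BY probe_time_utc', (arg,))
    return cur.fetchall()


if __name__ == '__main__':
    probes = extract_probes(SAMPLE_LOG, 'anon')
    print('\n'.join(submission_lines(probes)))
    db = build_db(probes)
    for row in search_prefix(db, '203.0.113.'):
        print(row)
```

Running it prints the four probe lines in Ulf's IP,date form (the two ordinary requests are filtered out) and then the three rows for 203.0.113.7, each carrying a UTC time that is seven hours ahead of the log's -0700 field.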
How frustrating this has all been. Concentric/XO, in their infinite wisdom, has chosen to block port 80 requests. This means that anyone who is a customer cannot get to your site. I suppose I should be grateful I can send and receive email, but somehow I don't appreciate paying for access when I can't even check information via a search engine.

I would have liked to add IP addresses to your list, but instead am limited to this offering. I have created a (large) file of the IP addresses that have been hitting my small network on port 80. Most of these addresses will be from 206.111.x.x, since that is where my network lies. Some are not. If there is anyone out there from XO, I'd like to understand where I should have sent this information, since sending it to abuse@concentric.net (last Sun, 02 Sep 2001) didn't seem to make much difference (although I did get a nice canned message). I especially hate the machine on the other end of 206.111.223.194, since it is close to 25% of my network traffic.

The file is currently at http://www.deaddrop.org/raw.hits and contains a lot of duplicates. I've given them a fake ending IP, and associated the host name, for my own purposes later (I find it interesting that the little laptop running obsd and portsentry gets hit harder than any of the other machines, for example).

If your machine is in that list, take it off the net, and wipe the disk. Enough. If you are Concentric/XO, explain to me why you blocked port 80 (and are still blocking, even though you claim not to be), instead of responding to valid complaints of Code Red-infected machines from myself and others.

It's going to be a long day (week, month, year, whatever).

--
I've seen things you people wouldn't believe. Attack ships on fire off the shoulder of Orion. I watched C-beams glitter in the dark near the Tannhauser gate. All those moments will be lost in time, like tears in rain. Time to die.
    Roy Batty, Blade Runner
participants (5)
- Bill Larson
- Etaoin Shrdlu
- Rubens Kuhl Jr.
- Ulf Zimmermann
- up@3.am