Online DB of IPs for Nimda worm infected machines

Wed Sep 19 16:22:52 UTC 2001

How frustrating this has all been. Concentric/XO, in their infinite wisdom,
has chosen to block port 80 requests. This means that anyone who is a
customer cannot get to your site. I suppose I should be grateful I can send
and receive email, but somehow I don't appreciate paying for access, when I
can't even check information via a search engine.

I would have liked to add IP addresses to your list, but instead am limited
to this offering. I have created a (large) file of the IP addresses that
have been hitting my small network on port 80. Most of these addresses will
be from 206.111.x.x, since that is where my network lies. Some are not.

If there is anyone out there from XO, I'd like to understand where I should
have sent this information, since sending it to abuse at concentric.net (last
Sun, 02 Sep 2001), didn't seem to make much difference (although I did get
a nice canned message). I especially hate the machine on the other end of
206.111.223.194, since it is close to 25% of my network traffic.

The file is currently at http://www.deaddrop.org/raw.hits and contains a
lot of duplicates. I've given them a fake ending IP, and associated the
host name, for my own purposes later (I find it interesting that the little
laptop running obsd and portsentry gets hit harder than any of the other
machines, for example). If your machine is in that list, take it off the
net, and wipe the disk. Enough.

If you are concentric/XO, explain to me why you blocked port 80 (and are
still blocking, even though you claim not to be), instead of responding to
valid complaints of code red infected machines from myself and others. It's
going to be a long day (week, month, year, whatever).

--
I've seen things you people wouldn't believe.
Attack ships on fire off the shoulder of Orion.
I watched C-beams glitter in the dark near the Tannhauser gate.
All those moments will be lost in time, like tears in rain.
Time to die.		 Roy Batty, Blade Runner