Destructive botnet originating from Japan
Jon Lewis
jlewis at lewis.org
Sun Dec 25 22:36:27 UTC 2005
On Sun, 25 Dec 2005, Rubens Kuhl Jr. wrote:
> The first rule of nsp-sec is, you do not talk about nsp-sec
> The second rule of nsp-sec is, you DO NOT talk about nsp-sec
https://puck.nether.net/mailman/listinfo/nsp-security
There's nothing secret about the existence or purpose of the list.
I don't know enough about Barrett to guess as to whether or not he'd
qualify.
Also, I was considering emailing Barrett privately, but since there seems
to be so much misinformation going around, others will probably benefit
from this. If you want to send out a list of IPs suspected of being bots or
really any other class of insecure/0wn3d systems, to make it easier for
those who care to find their IPs in your list, run it through the Team
Cymru whois server first.
http://www.cymru.com/BGP/whois.html
Then sort the list numerically by ASN. That way, people can scroll
through it, or search by ASN, and quickly determine if there's any further
action worth taking.
It's also a really good idea to include timestamps, ideally exact ones in
GMT per IP. In this case (Unix bots) it's not as likely, but typical
Windows bots frequently show up on end-user systems with dynamic IPs.
Telling me one of my dial pool IPs was a bot "recently" is not as useful
as telling me it was a bot 2005-12-25 02:30:45 GMT.
----------------------------------------------------------------------
Jon Lewis | I route
Senior Network Engineer | therefore you are
Atlantic Net |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
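The reporting workflow described in the message above (IP-to-ASN lookup, numeric sort by ASN, exact GMT timestamp per IP), as an added example that is not part of the original post. The pipe-delimited `AS | IP | AS Name` input layout is an assumption, and the addresses, ASNs, names and sighting times are constructed documentation/private-use values.

```python
from datetime import datetime, timezone
from ipaddress import ip_address

# Constructed sample: assumed "AS | IP | AS Name" pipe-delimited lookup output.
# Addresses and ASNs are documentation/private-use values, not real hosts.
WHOIS_OUTPUT = """\
Bulk mode; constructed sample header
4200000001 | 203.0.113.45  | EXAMPLE-ISP-B
64496      | 192.0.2.200   | EXAMPLE-NET-A
NA         | 198.51.100.7  | NA
64496      | 192.0.2.10    | EXAMPLE-NET-A
"""

# Constructed sightings: (IP, time as logged locally, with its UTC offset).
SIGHTINGS = [
    ("203.0.113.45", "2005-12-25 11:05:00 +0900"),
    ("192.0.2.200", "2005-12-24 21:30:45 -0500"),
    ("198.51.100.7", "2005-12-25 03:10:02 +0000"),
    ("192.0.2.10", "2005-12-25 01:15:30 +0100"),
]

def parse_whois(text):
    """Map IP -> (ASN as int or None, AS name); skip banner/malformed lines."""
    table = {}
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 3:
            continue
        asn, ip, name = fields
        table[ip] = (int(asn) if asn.isdigit() else None, name)
    return table

def to_gmt(stamp):
    """Normalise a local timestamp with offset to an exact GMT string."""
    local = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S %z")
    return local.astimezone(timezone.utc).strftime("%Y-%m-%d %H:%M:%S GMT")

def build_report(whois_text, sightings):
    """Return report lines sorted numerically by ASN, then by IP."""
    table = parse_whois(whois_text)
    rows = []
    for ip, stamp in sightings:
        asn, name = table.get(ip, (None, "NA"))
        rows.append((asn, ip_address(ip), to_gmt(stamp), name))
    # Integer comparison avoids lexical order (4200000001 would otherwise
    # sort before 64496); IPs with no known ASN go last.
    rows.sort(key=lambda r: (r[0] is None, r[0] or 0, r[1]))
    return [f"{'NA' if a is None else a:<10} | {str(ip):<15} | {ts} | {n}"
            for a, ip, ts, n in rows]
```

Calling `build_report(WHOIS_OUTPUT, SIGHTINGS)` returns one line per sighting, so a recipient can search for their ASN and match each timestamp against DHCP or dial-pool logs.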