Destructive botnet originating from Japan

Hannigan, Martin hannigan at verisign.com
Mon Dec 26 00:19:48 UTC 2005



(Jon, I know you didn't say, but the original must have got nailed in my spam filters)

The best thing about this statement is that since I don't report to NANOG, nsp-sec, or Tyler Durden, the first rule of fight club can kiss my arse.

But then again, this really isn't NANOG's business now, is it? Or is it?

Happy Christmas folks!

:)


Marty



 -----Original Message-----
From: 	Jon Lewis [mailto:jlewis at lewis.org]
Sent:	Sun Dec 25 17:37:57 2005
To:	blyon at prolexic.com
Cc:	NANOG
Subject:	Re: Destructive botnet originating from Japan


On Sun, 25 Dec 2005, Rubens Kuhl Jr. wrote:

> The first rule of nsp-sec is, you do not talk about nsp-sec
> The second rule of nsp-sec is, you DO NOT talk about nsp-sec

https://puck.nether.net/mailman/listinfo/nsp-security

There's nothing secret about the existence or purpose of the list.

I don't know enough about Barrett to guess as to whether or not he'd 
qualify.

Also, I was considering emailing Barrett privately, but since there seems 
to be so much misinformation going around, others will probably benefit 
from this.  If you want to send out a list of IPs suspected of being bots or 
really any other class of insecure/0wn3d systems, to make it easier for 
those who care to find their IPs in your list, run it through the Team 
Cymru whois server first.

http://www.cymru.com/BGP/whois.html

Then sort the list numerically by ASN.  That way, people can scroll 
through it, or search by ASN, and quickly determine if there's any further 
action worth taking.

It's also a really good idea to include timestamps, ideally exact ones in 
GMT per IP.  In this case (Unix bots) it's not as likely, but typical 
Windows bots frequently show up on end-user systems with dynamic IPs. 
Telling me one of my dial pool IPs was a bot "recently" is not as useful 
as telling me it was a bot 2005-12-25 02:30:45 GMT.

----------------------------------------------------------------------
  Jon Lewis                   |  I route
  Senior Network Engineer     |  therefore you are
  Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
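
The reporting workflow described in the message above (map each IP to its origin ASN, sort numerically by ASN, give an exact GMT timestamp per IP), as an added example that is not part of the original thread. It parses saved whois output offline; the sample data, the function names, and the assumption that unmapped IPs carry `NA` in the AS column are constructed for illustration.

```python
import ipaddress
from datetime import datetime, timezone

# Constructed sample in the pipe-delimited "AS | IP | AS Name" layout of
# Team Cymru bulk whois output; documentation-range IPs and ASNs, not real data.
WHOIS_OUTPUT = """\
Bulk mode; whois.cymru.com [2005-12-25 17:00:00 +0000]
64511   | 203.0.113.7      | EXAMPLE-NET-C
64496   | 192.0.2.45       | EXAMPLE-NET-A
NA      | 198.51.100.200   | NA
64496   | 192.0.2.9        | EXAMPLE-NET-A
"""

# Constructed sightings: (IP, timestamp with the UTC offset the sensor logged).
SIGHTINGS = [
    ("203.0.113.7", "2005-12-24 21:30:45 -0500"),
    ("192.0.2.45", "2005-12-25 11:02:10 +0900"),
    ("198.51.100.200", "2005-12-25 03:15:00 +0000"),
    ("192.0.2.9", "2005-12-25 02:30:45 +0000"),
]

def parse_whois(text):
    """Map IP -> (ASN as int, or None when unmapped; AS name)."""
    table = {}
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 3:
            continue  # banner or malformed line
        asn, ip, name = fields
        table[ip] = (int(asn) if asn.isdigit() else None, name)
    return table

def to_gmt(stamp):
    """Normalise a timestamp carrying a UTC offset to GMT."""
    parsed = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S %z")
    return parsed.astimezone(timezone.utc)

def build_report(whois_text, sightings):
    table = parse_whois(whois_text)
    rows = []
    for ip, stamp in sightings:
        asn, name = table.get(ip, (None, "NA"))
        rows.append((asn, ipaddress.ip_address(ip), to_gmt(stamp), name))
    # Numeric ASN order (not lexical); unmapped IPs last; then by IP and time.
    rows.sort(key=lambda r: (r[0] is None, r[0] or 0, int(r[1]), r[2]))
    return [f"{'NA' if a is None else a:<6} | {ip!s:<15} | "
            f"{t:%Y-%m-%d %H:%M:%S} GMT | {n}" for a, ip, t, n in rows]

print("\n".join(build_report(WHOIS_OUTPUT, SIGHTINGS)))
```

Converting every sighting to GMT before sorting matters for dynamic pools: the `-0500` entry lands on 2005-12-25 rather than 2005-12-24, which changes which customer held the address.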
