From: Russ (Russ.CooperRC.ON.CA)
Date: Thu Oct 02 2003 - 11:45:57 CDT

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

I've been asked several times why I wouldn't share the offending IP address initially.

My thinking was;

EV1.NET is a hosting provider, an IP within their netblock might be a single customer, or thousands. Providing the IP address would likely have resulted in many people blocking it, possibly harming future/current users of that IP address (because when would you remove the blocking?) Temporarily blocking all of EV1.NET would more likely result in the block being removed at a later date (e.g. after it was confirmed they had taken the site down.) If EV1.NET wanted to step up and identify the IP to people victimized by one of their customers, or, by someone who has hacked one of their customers, that was their call.

Also, stating it would likely have caused many to go to it, this has been my experience in the past. No need to start pointing a bunch of people at malicious code.

Finally, blocking access to it isn't the solution. There have been other such attacks in the past few months, involving different addresses, different URLs, different providers. Do we block them all? Some would say yes, but the friend with the baby pictures sure doesn't want to have someone's web proxy throwing up flags (well, I guess it depends on how cute the baby is...;-])

Anyway, I waited until both were benign, then published. Seemed prudent to me.

Cheers,
Russ - NTBugtraq Editor

-----
Wondering as to whether the list is running? The NTBugtraq archives are
updated first before messages are emailed to subscribers. Check the
archives first to see if you have missed any messages;

http://www.ntbugtraq.com/archives

-----

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]