Slashdot Mirror


Establishing A Nimda Virus Log File Pool?

Elsifer asks: "Can we get a listing of people's log files so that NIPC and CERT authorities can disseminate these to try and track down the origins? ... I have modified my home website (on @home, where it seems that most of the infectious attacks are originating) to display my log files up to 1045MST." This sounds like a good way to consolidate information -- does anyone know of an existing site to do just this, or want to establish one?

6 comments

  1. how about a redirector to the collection agent? by apachetoolbox · Score: 2, Insightful

    It could be as simple as adding ...

    RedirectMatch (.*)/cmd\.exe$ http://www.sitecollectingdata.com/collector/index.php
    RedirectMatch (.*)/root\.exe$ http://www.sitecollectingdata.com/collector/index.php
    RedirectMatch (.*)/default\.ida$ http://www.sitecollectingdata.com/collector/index.php

    .. and having the collector throw the data in an SQL database...

    1. Re:how about a redirector to the collection agent? by Asgard · Score: 1

      I doubt the worm will follow redirects.

    2. Re:how about a redirector to the collection agent? by sharkey · Score: 2

      So will that work on MS SQL Server 6.5, or will I need to use MS SQL Server 7 or 2000? Does it have to be on a separate PC from IIS, or can I just leave it on my IIS PC so it can record the worm as it goes out, too?

      I am using the 'sa' with blank password, will that work?

      --
      "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
  2. log analysis sites by rakerman · Score: 1

    DShield.org and SANS Incidents are a couple of sites that come to mind.

  3. Jungnickel.com by Asgard · Score: 1

    http://worm.jungnickel.com/ also does this; it works with the segfault-prone CodeBlue apache log scanner.

  4. Doesn't work by babbage · Score: 3, Informative
    404 Not Found. Actually the domain isn't even found.
    nyuk nyuk nyuk

    Less kiddingly, I've written a couple of scripts to let me know how much we're getting hit (something like 20,000 accesses on the two servers I have access to) and where the hits are coming in from, sorted by frequency of hits. If someone is collecting the data I can extract whatever seems relevant and pass it along as part of the same script (...or at least I can next week).
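The kind of script babbage describes, and the request patterns apachetoolbox's RedirectMatch rules key on, as an added example that is not part of the thread: it scans Apache "combined" format access log lines for requests naming cmd.exe, root.exe or default.ida, counts probes per source address sorted by frequency, and counts which target each probe asked for. The log lines in SAMPLE_LOG are constructed for illustration; the addresses and timestamps are made up and the log format is assumed.

```python
"""Summarize Nimda / Code Red style probes found in Apache access logs.

Added example for the thread above, not code posted by any participant.
Assumes the Apache "combined" log format; SAMPLE_LOG is constructed.
"""
import re
from collections import Counter

# Apache combined format: client ident user [time] "request" status bytes "referer" "agent".
# Only the fields we need are captured; referer and agent are left unparsed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# The request names the thread proposes redirecting; matched case-insensitively
# because the worm-targeted paths are Windows filenames.
PROBE_RE = re.compile(r'(cmd\.exe|root\.exe|default\.ida)', re.IGNORECASE)

# Constructed sample log (not real traffic). The last line is deliberately
# malformed to show that unparsable lines are counted rather than crashing the scan.
SAMPLE_LOG = """\
24.1.2.3 - - [18/Sep/2001:10:45:01 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 288 "-" "-"
24.1.2.3 - - [18/Sep/2001:10:45:02 -0600] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 288 "-" "-"
24.1.2.3 - - [18/Sep/2001:10:45:03 -0600] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 288 "-" "-"
65.4.5.6 - - [18/Sep/2001:10:46:10 -0600] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 288 "-" "-"
65.4.5.6 - - [18/Sep/2001:10:46:11 -0600] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 288 "-" "-"
10.0.0.7 - - [18/Sep/2001:10:47:00 -0600] "GET /index.html HTTP/1.1" 200 1532 "-" "Mozilla/4.0"
this line is not an access log entry
"""


def parse_line(line):
    """Return the captured fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def probe_target(path):
    """Return the lowercased probe filename the request path names, or None for ordinary traffic."""
    m = PROBE_RE.search(path)
    return m.group(1).lower() if m else None


def summarize(lines):
    """Count probe hits per source IP and per requested target.

    Returns a dict with the total probe count, the number of lines that did not
    parse, and two lists of (key, count) pairs sorted by descending frequency.
    """
    by_ip = Counter()
    by_target = Counter()
    total = 0
    unparsed = 0
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        target = probe_target(rec["path"])
        if target is None:
            continue  # normal request, not a worm probe
        total += 1
        by_ip[rec["ip"]] += 1
        by_target[target] += 1
    return {
        "total": total,
        "unparsed": unparsed,
        "by_ip": by_ip.most_common(),
        "by_target": by_target.most_common(),
    }


def report(lines):
    """Render the summary as the sort of per-source table one would pass to a collector."""
    s = summarize(lines)
    out = ["%d probe hits (%d unparsable lines skipped)" % (s["total"], s["unparsed"])]
    out += ["%6d  %s" % (n, ip) for ip, n in s["by_ip"]]
    out += ["target %-12s %d" % (t, n) for t, n in s["by_target"]]
    return "\n".join(out)


if __name__ == "__main__":
    # Real use: python nimda_scan.py < /var/log/apache/access_log
    import sys
    src = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG.splitlines()
    print(report(src))
```

Feed a real log through stdin to get the per-source counts; the PROBE_RE pattern is the place to add further request signatures if a collector wants them, and the by_ip list is what to hand to a site like DShield.org rather than raw log files.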