[TriLUG] OT: Finding/Notifying People with Worm-infested PC's
Aaron S. Joyner
aaron at joyner.ws
Tue Apr 20 21:06:34 EDT 2004
Jaimie Livingston wrote:
>> On Tue, 2004-04-20 at 16:04, Jaimie Livingston wrote:
>>
>>> I have a small web-server that I run at home for personal and development
>>> use, and I've been tagged by a few Worm-infested Windoze boxes, probably
>>> some home PCs that the users have running wide open on the Internet. I have
>>> the IP addresses, some from RR, and would like to find these people and let
>>> them know that they are doing the world a disservice by leaving an infected
>>> Windows box up and running, and maybe give them some pointers on how to
>>> prevent such a thing from happening.
>>
>> All you can really do is forward the e-mail (with full headers) to the
>> appropriate abuse/postmaster addresses, which would be for example
>> abuse at nc.rr.com for RoadRunner customers. Not sure it will
>> do that much good but it's worth a try. I don't really worry about it myself as
>> SpamAssassin seems to catch most of the worm e-mail that I get.
>>
>> --Jeremy
>
> Except it's not e-mail that's bugging me, it's the way Nimda, CodeRed, and the WebDAV worms
> are cluttering my Apache logs. It's not a huge concern, but it is a pet peeve. Do you
> think sending them excerpts from the logs will be of use?
>
> Jaimie
The appropriate way to find an abuse contact for a given IP address, is
through whois. To use my place of employment as an example, you can do:
whois 209.42.192.253
and the relevant part of the result is this:
OrgTechHandle: AD12-ORG-ARIN
OrgTechName: Administrator
OrgTechPhone: +1-919-406-1578
OrgTechEmail: admin at intrex.net
At this point, you've discovered that the organization who owns that
block of IP addresses (as it's registered with IANA) can be contacted
via any of these methods. Being the person on the other end of this
abuse address, I can personally vouch that complaints of spam, worms,
etc are dealt with in usually under 12 hours. For us, it's a relatively
infrequent amount of (actual abuse) submissions, something mild every
few days (like Suzie Q. has a virus), something serious maybe every few
weeks or so (like X company got lax with security and is being
used/abused for <insert nefarious purpose here>). Generally, you find
that people on the other end of abuse contacts are either very helpful,
or very over-worked. But either way if you let them know, at the least
they will usually let the end-user know. Also keep in mind that whoever
you contact needs to validate the legitimacy of your complaint.
Forwarding logs is usually sufficient in the case of something like a
virus. If you're making more serious allegations, prepare to provide
reproducible proof of the problem (a la with compromised systems that
need to be taken off line asap, etc).
There are automated systems out there that do reporting to abuse
addresses. The common example being something like SpamCop or any of
the many Intrusion Detection honey-nets that alert abuse addresses when
they get scanned by infected PCs running virus scanners. As for
automated systems you personally can run, I don't have any personal
experience, but perhaps a googling or someone on the list can provide
appropriate insight.
Aaron S. Joyner
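The procedure Aaron describes (pull the worm hits out of the Apache log, whois the source IP, pick out the abuse/tech contact, forward the relevant log lines) as a small script. This is an added example, not code from the thread or from anyone on the list. The Apache log lines and the whois output embedded below are constructed to mirror the fields quoted above; the IPs are documentation ranges and the contact addresses are placeholders. The only live call is the optional `lookup_whois`, which shells out to the system `whois` client; everything else runs offline.

```python
"""Pull worm probes out of an Apache access log and find who to tell.

Added example, not from the original thread. Sample log lines and the
whois text are constructed; 203.0.113.0/24, 198.51.100.0/24 and
192.0.2.0/24 are documentation ranges and the contacts are placeholders.
"""
import re
import shutil
import subprocess
from collections import defaultdict

# Request signatures of the worms named in the thread: CodeRed hits
# /default.ida, Nimda asks for cmd.exe/root.exe and IIS sample dirs,
# the WebDAV worm sends an oversized SEARCH (PROPFIND is close kin).
WORM_RE = re.compile(
    r"^(SEARCH|PROPFIND) "
    r"|/default\.ida|cmd\.exe|root\.exe|/_vti_bin/|/msadc/|/scripts/\.\.%",
    re.IGNORECASE)

# Apache common/combined log prefix: ip ident user [date] "request" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')

# Contact fields as printed by ARIN (OrgAbuse*/OrgTech*/RAbuse*) and by
# RIPE/APNIC style output (abuse-mailbox, e-mail).
CONTACT_RE = re.compile(
    r"^(OrgAbuseEmail|RAbuseEmail|OrgTechEmail|abuse-mailbox|e-mail):\s*(\S+@\S+)",
    re.IGNORECASE | re.MULTILINE)

# Constructed sample input: two CodeRed/Nimda probes from one host, one
# WebDAV probe from another, and one ordinary request that must not match.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Apr/2004:15:02:11 -0400] "GET /default.ida?XXXXXXXX%u9090%u6858 HTTP/1.0" 404 295
203.0.113.7 - - [20/Apr/2004:15:02:12 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 287
198.51.100.23 - - [20/Apr/2004:16:44:03 -0400] "SEARCH / HTTP/1.1" 501 300
192.0.2.5 - - [20/Apr/2004:17:01:00 -0400] "GET /index.html HTTP/1.1" 200 1043
"""

# Constructed whois text in ARIN's layout (placeholder contacts).
SAMPLE_WHOIS = """\
OrgName:        Example ISP
NetRange:       203.0.113.0 - 203.0.113.255
OrgTechHandle:  EX12-ORG-ARIN
OrgTechName:    Administrator
OrgTechEmail:   admin@isp.example
OrgAbuseHandle: EXAB-ARIN
OrgAbuseName:   Abuse Desk
OrgAbuseEmail:  abuse@isp.example
"""


def worm_hits(log_text):
    """Return {source_ip: [full log lines]} for requests matching WORM_RE."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and WORM_RE.search(m.group(3)):
            hits[m.group(1)].append(line)
    return dict(hits)


def abuse_contacts(whois_text):
    """E-mail addresses from the whois record, abuse mailboxes first."""
    found = CONTACT_RE.findall(whois_text)
    ranked = sorted(found, key=lambda f: 0 if "abuse" in f[0].lower() else 1)
    seen, out = set(), []
    for _field, addr in ranked:
        if addr.lower() not in seen:
            seen.add(addr.lower())
            out.append(addr)
    return out


def lookup_whois(ip, timeout=15):
    """Run the system whois client for ip (live network call), or None."""
    if shutil.which("whois") is None:
        return None
    try:
        proc = subprocess.run(["whois", ip], capture_output=True,
                              text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return None
    return proc.stdout


def build_report(ip, lines, contacts):
    """Plain-text abuse report: who it goes to, plus the untouched log lines."""
    to = ", ".join(contacts) if contacts else "(no contact found; try the NetRange's parent)"
    body = [f"To: {to}", f"Subject: worm probes from {ip}", "",
            f"The host {ip} sent the following requests to my web server",
            "(Apache access log, server local time, lines unedited):", ""]
    body.extend(lines)
    return "\n".join(body) + "\n"


if __name__ == "__main__":
    for ip, lines in worm_hits(SAMPLE_LOG).items():
        # Offline run uses the constructed record; swap in lookup_whois(ip)
        # for a real lookup.
        record = SAMPLE_WHOIS if ip.startswith("203.0.113.") else ""
        print(build_report(ip, lines, abuse_contacts(record)))
```

Sort by field name rather than by order of appearance because ARIN prints the OrgTech block before OrgAbuse, as in Aaron's excerpt, and the abuse desk is the address that is actually staffed for this. Forward the log lines whole, including the timestamp and timezone, since the person on the other end has to match them against their own records before acting.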