[TriLUG] OT: Finding/Notifying People with Worm-infested PC's

Magnus Hedemark chrish at trilug.org
Wed Apr 21 07:06:20 EDT 2004


On Tue, 20 Apr 2004, Jaimie Livingston wrote:

> So, what's the consensus on finding and/or notifying user/admins who have
> worm-infested PCs up on the Internet?

It's often very hard.  Who do you notify?  You have an IP address that 
resolves to some giant broadband ISP's DHCP pool, and maybe the results of 
a nessus scan that show that the host that was trying to crack your box 
was actually a cracked box itself.

You can try emailing abuse@ but usually nothing comes of it.  The folks 
that read those emails often seem capable only of dealing with run-of-the-mill
spam.  Any time an incident report is provided that goes beyond that, 
it's a time sink that is ignored.

> I have a small web-server that I run at home for personal and development
> use, and I've been tagged by a few Worm-infested Windoze boxes, probably
> some home PCs that the users have running wide open on the Internet. I have
> the IP addresses, some from RR, and would like to find these people and let
> them know that they are doing the world a disservice by leaving an infected
> Windows box up and running, and maybe give them some pointers on how to
> prevent such a thing from happening. 

Good chance you'll get someone like my grandmother who doesn't know or 
care to know how to secure her system, and once she has your email address 
you'll never get out from under the crushing load of chain letters she'll 
forward your way.  The people who actually care are few and far between.



