[TriLUG] OT: Finding/Notifying People with Worm-infested PC's

Aaron S. Joyner aaron at joyner.ws
Tue Apr 20 21:06:34 EDT 2004


Jaimie Livingston wrote:

>>On Tue, 2004-04-20 at 16:04, Jaimie Livingston wrote:
>>
>>>I have a small web-server that I run at home for personal and development
>>>use, and I've been tagged by a few Worm-infested Windoze boxes, probably
>>>some home PCs that the users have running wide open on the Internet. I have
>>>the IP addresses, some from RR, and would like to find these people and let
>>>them know that they are doing the world a disservice by leaving an infected
>>>Windows box up and running, and maybe give them some pointers on how to
>>>prevent such a thing from happening.
>>
>>All you can really do is forward the e-mail (with full headers) to the
>>appropriate abuse/postmaster addresses, which would be for example
>>abuse at nc.rr.com for RoadRunner customers.  Not sure it will
>>do that much good but it's worth a try.  I don't really worry about it myself as
>>SpamAssassin seems to catch most of the worm e-mail that I get.
>>
>>--Jeremy
>
>Except it's not e-mail that's bugging me, it's the way Nimda, CodeRed, and the WebDAV worms
>are cluttering my Apache logs. It's not a huge concern, but it is a pet peeve. Do you
>think sending them excerpts from the logs will be of use?
>
>Jaimie

The appropriate way to find an abuse contact for a given IP address is 
through whois.  To use my place of employment as an example, you can do:
whois 209.42.192.253
and the relevant part of the result is this:
OrgTechHandle: AD12-ORG-ARIN
OrgTechName:   Administrator
OrgTechPhone:  +1-919-406-1578
OrgTechEmail:  admin at intrex.net

At this point, you've discovered that the organization who owns that 
block of IP addresses (as it's registered with IANA) can be contacted 
via any of these methods.  Being the person on the other end of this 
abuse address, I can personally vouch that complaints of spam, worms, 
etc. are dealt with in usually under 12 hours.  For us, it's a relatively 
infrequent number of (actual abuse) submissions, something mild every 
few days (like Suzie Q. has a virus), something serious maybe every few 
weeks or so (like X company got lax with security and is being 
used/abused for <insert nefarious purpose here>).  Generally, you find 
that people on the other end of abuse contacts are either very helpful, 
or very over-worked.  But either way if you let them know, at the least 
they will usually let the end-user know.  Also keep in mind that whoever 
you contact needs to validate the legitimacy of your complaint.  
Forwarding logs is usually sufficient in the case of something like a 
virus.  If you're making more serious allegations, prepare to provide 
reproducible proof of the problem (à la compromised systems that 
need to be taken offline ASAP, etc.).

There are automated systems out there that do reporting to abuse 
addresses.  The common examples are something like SpamCop or any of 
the many Intrusion Detection honey-nets that alert abuse addresses when 
they get scanned by infected PCs running virus scanners.  As for 
automated systems you personally can run, I don't have any personal 
experience, but perhaps a googling or someone on the list can provide 
appropriate insight.

Aaron S. Joyner
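To tie the two halves of the advice above together (pull the worm probes out of the Apache log, then find the abuse address in the whois output and hand over the verbatim lines), here is an added example that is not from the original thread or from any list member. The access-log lines and the whois text in it are constructed for the demonstration; the Nimda, Code Red and WebDAV-worm request patterns are the well-known probe signatures of those worms, and `www.example.net` stands in for whatever host you run. In real use you would feed it your own access_log and the output of `whois <ip>` instead of the embedded samples.

```python
#!/usr/bin/env python3
"""Pull worm probes out of an Apache access log, group them by source IP and
build the log excerpt an abuse desk wants to see.  Added example; the sample
log lines and whois text below are constructed, not taken from the post."""
import re
from collections import defaultdict

# Constructed combined-format access log (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
192.0.2.10 - - [20/Apr/2004:14:01:02 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 294 "-" "-"
192.0.2.10 - - [20/Apr/2004:14:01:03 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304 "-" "-"
198.51.100.7 - - [20/Apr/2004:15:22:45 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3 HTTP/1.0" 404 276 "-" "-"
203.0.113.5 - - [20/Apr/2004:16:03:11 -0400] "SEARCH /\\x90\\x02\\xb1\\x02\\xb1\\x02\\xb1 HTTP/1.1" 411 0 "-" "-"
192.0.2.77 - - [20/Apr/2004:16:04:00 -0400] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Request patterns of the three worms named in the thread: Nimda calls
# root.exe/cmd.exe with a "?/c+" argument, Code Red hits default.ida with a run
# of X's followed by %u-encoded shellcode, and the WebDAV worm sends a SEARCH
# whose path is a run of raw bytes (Apache logs non-printables as \xNN).
WORM_SIGNATURES = [
    ("Nimda", re.compile(r"/(?:root|cmd)\.exe\?/c\+", re.I)),
    ("Code Red", re.compile(r"^/default\.ida\?X+", re.I)),
    ("WebDAV worm", re.compile(r"^/(?:\\x[0-9a-f]{2}){4,}", re.I)),
]


def classify(method, path):
    """Return the worm name a request matches, or None for ordinary traffic."""
    for name, pattern in WORM_SIGNATURES:
        if name == "WebDAV worm" and method.upper() != "SEARCH":
            continue  # the byte-run path only counts on a SEARCH request
        if pattern.search(path):
            return name
    return None


def find_worm_hits(log_text):
    """Map each offending source IP to its list of (timestamp, worm, raw line)."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        worm = classify(m.group("method"), m.group("path"))
        if worm:
            hits[m.group("ip")].append((m.group("ts"), worm, line))
    return dict(hits)


# Whois fields to try, most specific first: ARIN's dedicated abuse POC, then the
# tech POC (the field the post's whois output shows), then RIPE's abuse-mailbox.
CONTACT_FIELDS = ("OrgAbuseEmail", "OrgTechEmail", "abuse-mailbox")


def abuse_contact_from_whois(whois_text):
    """Pick the best abuse address out of raw whois output, or None."""
    found = {}
    for line in whois_text.splitlines():
        m = re.match(r"^\s*([A-Za-z-]+):\s*(\S+@\S+)", line)
        if m:
            found.setdefault(m.group(1), m.group(2))
    for field in CONTACT_FIELDS:
        if field in found:
            return found[field]
    return None


def build_report(ip, hits, my_host="www.example.net"):
    """The excerpt to forward: source, count, which worm, and the verbatim lines."""
    worms = sorted({w for _, w, _ in hits})
    header = (f"Source {ip} probed {my_host} {len(hits)} time(s) with "
              f"{', '.join(worms)} signatures; verbatim access-log lines follow.\n")
    return header + "\n".join(raw for _, _, raw in hits) + "\n"


# Constructed whois output shaped like the ARIN record quoted in the post.
SAMPLE_WHOIS = """\
OrgTechHandle: EXAMPLE-ARIN
OrgTechName:   Administrator
OrgTechEmail:  admin@example.net
OrgAbuseHandle: ABUSE-EXAMPLE-ARIN
OrgAbuseEmail: abuse@example.net
"""

if __name__ == "__main__":
    # For real use, replace SAMPLE_WHOIS with the stdout of `whois <ip>`.
    for ip, ip_hits in find_worm_hits(SAMPLE_LOG).items():
        print("abuse contact:", abuse_contact_from_whois(SAMPLE_WHOIS))
        print(build_report(ip, ip_hits))
```

The report keeps the log lines verbatim rather than summarising them, because the abuse desk needs to validate the complaint itself; the timestamp with its zone offset is what lets them map the address to a customer at that moment. The whois parser prefers a dedicated abuse POC when the registry publishes one and falls back to the tech contact only when it does not.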


