Infected PC somewhere - how can I let them know

Posted by: Shonky

Infected PC somewhere - how can I let them know - 24/11/2004 08:48

There's a PC out there somewhere in the internet (well I know in Australia at least), that's infected with a virus. It's sending masses of emails to us and undoubtedly to many others.

In the spirit of trying to help, how could I let the user know they are infected? It's a dynamic IP, but starts at least once a day from the same ISP. e.g. I now know it's current IP address.

I tried to net send, but that seems to not work. I thought it was NetBEUI only anyway; apparently it's TCP.

Any suggestions? Normally I'd let it slide, but this is beyond a joke now - it's been going on for a month and just recently it seems to have acquired the I-Worm.Bagle.au as well.

All I want to do is get a message to them that they are infected. Although that would look like a scam to me, this person obviously has no clue and would probably do what I tell them.

Posted by: furtive

Re: Infected PC somewhere - how can I let them know - 24/11/2004 08:49

Contact their ISP?

Posted by: Shonky

Re: Infected PC somewhere - how can I let them know - 24/11/2004 08:53

Yeah forgot to mention I tried that. They didn't want to know.

nmap gave me this:

25/tcp filtered smtp
80/tcp open http
81/tcp open hosts2-ns
111/tcp filtered sunrpc
135/tcp filtered loc-srv
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
161/tcp filtered snmp
162/tcp filtered snmptrap
445/tcp filtered microsoft-ds
593/tcp filtered http-rpc-epmap
635/tcp filtered unknown
1025/tcp open listen
1026/tcp open nterm
3128/tcp filtered squid-http
5000/tcp open fics
6667/tcp filtered irc

Interesting port 25 is filtered. Can't work out what's on port 80 and 81 though.

Just my challenge task for the day

Posted by: Cybjorg

Re: Infected PC somewhere - how can I let them know - 24/11/2004 10:50

Hmmm, what are the contents of the message? For several weeks I was getting 4-5 virus-laden messages from [email protected] (Blue Cross Blue Shield of Tennessee). I wasn't sure if it was legitimately coming from them or if the address was spoofed.

Posted by: Shonky

Re: Infected PC somewhere - how can I let them know - 24/11/2004 10:58

Don't know exactly since my email server removes virii from emails. It's definitely spoofing email addresses though because I can see from the header it's coming from the same IP address, but the sender address changes.

Almost all email virii these days are spoofed using addresses stolen from the user's address book.
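The pattern described in the post above (one source IP, many different sender addresses) can be checked mechanically on the receiving side. The following script is an added example, not code from the thread: it walks each message's Received headers newest-hop-first, skips hops belonging to your own relays, and groups messages by the first external IP, so a single host cycling through stolen From: addresses stands out. The relay network, hostnames, addresses and the four sample messages are all constructed for the example.

```python
"""Group inbound mail by originating IP to spot a host that spoofs senders.

Added example for the forum thread above; the relay range, hostnames and
sample messages below are constructed, not taken from the thread.
"""
import re
from collections import defaultdict
from email import message_from_string
from email.utils import parseaddr
from ipaddress import ip_address, ip_network

# Our own relays (constructed). Received hops from these networks are skipped
# so that we report the first *external* hop, not our own MTA.
TRUSTED_RELAYS = [ip_network("192.0.2.0/24")]

# Matches the bracketed literal address that MTAs put in "from name ([ip])".
_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def originating_ip(raw_message, trusted=TRUSTED_RELAYS):
    """Return the first Received-header IP (newest hop first) outside trusted nets."""
    msg = message_from_string(raw_message)
    for header in msg.get_all("Received", []):
        match = _IP_RE.search(header)
        if not match:
            continue
        try:
            addr = ip_address(match.group(1))
        except ValueError:  # malformed literal, e.g. 999.1.1.1
            continue
        if any(addr in net for net in trusted):
            continue
        return str(addr)
    return None  # chain only shows our own relays (internal mail)


def group_by_source(raw_messages, trusted=TRUSTED_RELAYS):
    """Map originating IP -> set of lower-cased From: addresses seen from it."""
    groups = defaultdict(set)
    for raw in raw_messages:
        source = originating_ip(raw, trusted)
        if source is None:
            continue
        sender = parseaddr(message_from_string(raw).get("From", ""))[1].lower()
        groups[source].add(sender)
    return dict(groups)


def suspicious_sources(groups, min_distinct_senders=3):
    """IPs that used at least min_distinct_senders different From: addresses."""
    return sorted(ip for ip, senders in groups.items()
                  if len(senders) >= min_distinct_senders)


def _constructed_message(hops, sender):
    """Build a raw RFC 822 message with the given hops, newest first (test data)."""
    lines = [f"Received: from {name} ([{ip}])\n\tby mail.example.net with SMTP;"
             f" Wed, 24 Nov 2004 08:48:00 +1100" for name, ip in hops]
    lines += [f"From: {sender}", "Subject: hi"]
    return "\n".join(lines) + "\n\nbody\n"


# Constructed sample: three messages from one external host with a different
# From: each time, one message from another host, and one internal-only message.
_OUR_MTA = ("mail.example.net", "192.0.2.10")
_INFECTED = ("dsl-198-51-100-7.isp.example", "198.51.100.7")
SAMPLE_MESSAGES = [
    _constructed_message([_OUR_MTA, _INFECTED], "Alice <alice@example.org>"),
    _constructed_message([_OUR_MTA, _INFECTED], "bob@example.org"),
    _constructed_message([_OUR_MTA, _INFECTED], "Carol <CAROL@example.org>"),
    _constructed_message([_OUR_MTA, ("other.example", "203.0.113.5")], "dave@example.com"),
    _constructed_message([_OUR_MTA], "internal@example.net"),
]

if __name__ == "__main__":
    groups = group_by_source(SAMPLE_MESSAGES)
    for ip, senders in sorted(groups.items()):
        print(f"{ip}: {len(senders)} distinct sender(s): {', '.join(sorted(senders))}")
    print("suspicious:", suspicious_sources(groups))
```

The first Received header written by your own MTA is the only hop you can trust; everything below it can be forged by the sender, which is why the script stops at the first address outside `TRUSTED_RELAYS` rather than reading the chain to the bottom.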

Posted by: hybrid8

Re: Infected PC somewhere - how can I let them know - 24/11/2004 12:14

If you can't find the user specifically, make the ISP *want* to know. Go to their upstream provider and tell them the ISP is willingly letting a mail attack propagate. When they get their service cut off, they'll care.

Bruno

Posted by: ashmoore

Re: Infected PC somewhere - how can I let them know - 24/11/2004 14:22

we had a similar problem a few months ago except we were being Joe Jobbed, with 30% of the mails coming from verifiable Comcast addresses.
In the end we had around 200-300K emails and our external mail system was crawling for a few days.
So far Comcast have yet to reply to our requests.

All it means for us is that next time it happens, we just drop anything from the Comcast subnets.

Posted by: tfabris

Re: Infected PC somewhere - how can I let them know - 24/11/2004 15:36

Quote:
In the spirit of trying to help, how could I let the user know they are infected?

In my experience, trying to do this is a self-defeating waste of time. Just make sure your own systems are hardened against viruses and virus emails, and just ignore them.

Posted by: Daria

Re: Infected PC somewhere - how can I let them know - 24/11/2004 16:44

You might get lucky searching for the hostname or IP address in Google and getting a real email address, but in general it's useless.

Posted by: FireFox31

Re: Infected PC somewhere - how can I let them know - 24/11/2004 21:56

Seriously, there has to be a way to get these ISPs to care. The ISPs seem like such a single point of success for blocking so much of the malicious traffic that's coming from zombie home user DSL/cable connected PCs.

Why can't they block SMTP on their residential user subnets? Are home users really allowed to "run mail servers"? And why leave open 135, 137, 445, etc. Couldn't these ports be "open by request to ISP" instead? Would make it more labor intensive for malicious users to harass the world.

If ISPs were just good neighbors and instituted some reasonable policies, it would help to squash the spam-sending, viri-propagating, DDoS-running zombie organized crime botnets taking advantage of every insecure XP Home connected to a nonfirewalled cable modem.

(and, within the last week or so, IPs in Australia sent me at least two highly targeted phishing e-mails to my consumer DSL e-mail address)

Posted by: robricc

Re: Infected PC somewhere - how can I let them know - 24/11/2004 21:59

Quote:
Are home users really allowed to "run mail servers"?

I used to run a mail server over 56k, then DSL. You're not supposed to, but I probably wouldn't appreciate an ISP that actively stopped me from doing it.

Posted by: wfaulk

Re: Infected PC somewhere - how can I let them know - 24/11/2004 22:18

My ISP explicitly allows this. I would be pissed off if they changed their policy, as it's a large reason I chose them. I don't want someone playing mother hen. I know how to run my own computers and network, thanks. On the other hand, it might make sense for the AOL-type ISPs out there to block this sort of stuff, at least by default.

Posted by: Shonky

Re: Infected PC somewhere - how can I let them know - 24/11/2004 22:23

Ditto Rob. I run a mail server on a dynamic IP cable modem. Acceptable Use Policy doesn't say I can't. They were talking about blocking port 25 outbound which would stop this problem (different ISP though to the one in question) but as far as I am aware they haven't yet.

I think however they should block by default and then allow users to request ports be opened. That would at least stop the majority of the problem IMO. Some ISPs do that here already.

I'd also be pissed off if they blocked incoming ports since I run a webserver and SMTP server. An outgoing block on 25 is no big deal - I already send all mail via the ISP's mail server anyway.

Posted by: wfaulk

Re: Infected PC somewhere - how can I let them know - 24/11/2004 22:31

I don't. All mail is sent to my mail server which does the right thing with it. I suppose I could set up my ISP's mail server as a smarthost, but why?

Posted by: robricc

Re: Infected PC somewhere - how can I let them know - 24/11/2004 22:31

When I had Verizon DSL, it was in the TOS that servers not be run on your line. There was nothing they did to stop it though. We have Verizon Business DSL at the office and anything goes there.

I remember having an issue with one of my ISPs about running something over port 80. I think it was Verizon DSL. I really can't remember though. That was just plain stupid because almost anyone savvy enough to run a webserver at home can figure out how to make it listen on another port.

My parents have Optimum Online and you can only use optonline.net to send outgoing mail. Any other traffic on port 25 just hangs there. That's not horrible, but I don't like it.

Posted by: FireFox31

Re: Infected PC somewhere - how can I let them know - 24/11/2004 22:34

Quote:
I'd also be pissed off if they blocked incoming ports

Right, no need for that. Just make outgoing ports open by request only. Shouldn't be too hard for cable modems since they seem to be MAC address driven. DSL on the other hand... By PPPoE username/password, I guess.

Posted by: andy

Re: Infected PC somewhere - how can I let them know - 25/11/2004 09:20

Quote:
Any other traffic on port 25 just hangs there. That's not horrible, but I don't like it.

One of the UK ISPs transparently forwards all outgoing traffic on port 25 to their own smart hosts. If you are going to stop direct port 25 connects to the rest of the world this seems like a better way to do it.

I will soon have two DSL connections, one 512/256 from an ISP that encourages people to have a "full" Internet connection (they gave me 32 IP addresses without a fight) and one 2048/256 from an ISP that does cheap high speed connections. So my servers will have one line and we get to surf on the other one...

...and all for half the price that my old 1024/256 line used to cost.

Posted by: Roger

Re: Infected PC somewhere - how can I let them know - 25/11/2004 09:20

Quote:
Just make outgoing ports open by request only.

But that adds administration cost, meaning that prices go up. Smaller ISPs should frankly just block incoming/outgoing SMTP, and you should use their host.

If you have a problem with that, pay extra for a bigger ISP, or for a business tariff. I pay for the business tariff on my DSL line, which means that I am explicitly allowed to run servers.