Unoffical empeg BBS

Quick Links: Empeg FAQ | RioCar.Org | Hijack | BigDisk Builder | jEmplode | emphatic
Repairs: Repairs

Topic Options
#242499 - 24/11/2004 08:48 Infected PC somehwere - how can I let them know
Shonky
pooh-bah

Registered: 12/01/2002
Posts: 2009
Loc: Brisbane, Australia
There's a PC out there somewhere in the internet (well I know in Australia at least), that's infected with a virus. It's sending masses of emails to us and no doubtedly to many others.

In the spirit of trying to help, how could I let the user know they are infected? It's a dynamic IP, but starts at least once a day from the same ISP. e.g. I now know it's current IP address.

I tried to net send, but that seems to not work. I thought it was NetBeui only anyway apparently it's TCP.

Any suggestions? Normally I'd let it slide, but this is beyond a joke now - it's been going on for a month and just recently it seems to have acquired the I-Worm.Bagle.au as well.

All I want to do is get a message to them that they are infected. Although that would look like a scam to me, this person obviously has no clue and would probably do what I tell them.
_________________________
Christian
#40104192 120Gb (no longer in my E36 M3, won't fit the E46 M3)

Top
#242500 - 24/11/2004 08:49 Re: Infected PC somehwere - how can I let them know [Re: Shonky]
furtive
old hand

Registered: 14/08/2001
Posts: 886
Loc: London, UK
Contact their ISP?
_________________________
Mk2a RioCar 120Gb - now sold to the owner of my old car
Rio Karma - now on ebay...

Top
#242501 - 24/11/2004 08:53 Re: Infected PC somehwere - how can I let them know [Re: furtive]
Shonky
pooh-bah

Registered: 12/01/2002
Posts: 2009
Loc: Brisbane, Australia
Yeah forgot to mention I tried that. They didn't want to know.

nmap gave me this:

25/tcp filtered smtp
80/tcp open http
81/tcp open hosts2-ns
111/tcp filtered sunrpc
135/tcp filtered loc-srv
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
161/tcp filtered snmp
162/tcp filtered snmptrap
445/tcp filtered microsoft-ds
593/tcp filtered http-rpc-epmap
635/tcp filtered unknown
1025/tcp open listen
1026/tcp open nterm
3128/tcp filtered squid-http
5000/tcp open fics
6667/tcp filtered irc

Interesting port 25 is filtered. Can't work out what's on port 80 and 81 though.

Just my challenge task for the day
_________________________
Christian
#40104192 120Gb (no longer in my E36 M3, won't fit the E46 M3)

Top
#242502 - 24/11/2004 10:50 Re: Infected PC somehwere - how can I let them know [Re: Shonky]
Cybjorg
addict

Registered: 23/12/2002
Posts: 652
Loc: Winston Salem, NC
Hmmm, what are the contents of the message? For several weeks I was getting 4-5 virus-laden messages from [email protected] (Blue Cross Blue Shield of Tennessee). I wasn't sure if it was legitimately coming from them or if the address was spoofed.

Top
#242503 - 24/11/2004 10:58 Re: Infected PC somehwere - how can I let them know [Re: Cybjorg]
Shonky
pooh-bah

Registered: 12/01/2002
Posts: 2009
Loc: Brisbane, Australia
Don't know exactly since my email server removes virii from emails. It's definitely spoofing email addresses though because I can see from the header it's coming from the the same IP address, but the sender address changes.

Almost all email virii these days are spoofed using addresses stolen from the user's address book.
_________________________
Christian
#40104192 120Gb (no longer in my E36 M3, won't fit the E46 M3)

Top
#242504 - 24/11/2004 12:14 Re: Infected PC somehwere - how can I let them know [Re: Shonky]
hybrid8
carpal tunnel

Registered: 12/11/2001
Posts: 7738
Loc: Toronto, CANADA
If you can't find the user specificaly, make the ISP *want* to know. Go to their upstream provider and tell them the ISP is willingly letting a mail attack propagate. When they get their service cut off, they'll care.

Bruno
_________________________
Bruno
Twisted Melon : Fine Mac OS Software

Top
#242505 - 24/11/2004 14:22 Re: Infected PC somehwere - how can I let them know [Re: hybrid8]
ashmoore
addict

Registered: 24/08/1999
Posts: 564
Loc: TX
we had a similar problem a few months ago except we were being Joe Jobbed, with 30% of the mails coming from verifiable Comcast addresses.
In the end we had around 200-300K emails and our external mail system was crawling for a few days.
So far Comcast have yet to reply to our requests.

All it means for us is that next time it happens, we just drop anything from the comcast subnets.
_________________________
========================== the chewtoy for the dog of Life

Top
#242506 - 24/11/2004 15:36 Re: Infected PC somehwere - how can I let them know [Re: Shonky]
tfabris
carpal tunnel

Registered: 20/12/1999
Posts: 31600
Loc: Seattle, WA
Quote:
In the spirit of trying to help, how could I let the user know they are infected?

In my experience, trying to do this is a self-defeating waste of time. Just make sure your own systems are hardened against viruses and virus emails, and just ignore them.
_________________________
Tony Fabris

Top
#242507 - 24/11/2004 16:44 Re: Infected PC somehwere - how can I let them know [Re: tfabris]
Daria
carpal tunnel

Registered: 24/01/2002
Posts: 3937
Loc: Providence, RI
You might get lucky searching for the hostname or IP address in google and getting a real email address, but in general it's useless.

Top
#242508 - 24/11/2004 21:56 Re: Infected PC somehwere - how can I let them know [Re: hybrid8]
FireFox31
pooh-bah

Registered: 19/09/2002
Posts: 2494
Loc: East Coast, USA
Seriously, there has to be a way to get these ISPs to care. The ISPs seem like such a single point of success for blocking so much of the malicious traffic that's coming from zombie home user DSL/cable connected PCs.

Why can't they block SMTP on their residential user subnets? Are home users really allowed to "run mail servers"? And why leave open 135, 137, 445, etc. Couldn't these ports be "open by request to ISP" instead? Would make it more labor intensive for malicious users to harass the world.

If ISPs were just good neighbors and instituted some reasonable policies, it would help to squash the spam-sending, viri-propogating, DDoS-running zombie organized crime botnets taking advantage of every insecure XP Home connected to a nonfirewalled Cable modem.

(and, within the last week or so, IPs in austrailia sent me at least two highly targeted phishing e-mails to my consumer DSL e-mail address)
_________________________
-
FireFox31
110gig MKIIa (30+80), Eutronix lights, 32 meg stacked RAM, Filener orange gel lens, Greenlights Lit Buttons green set

Top
#242509 - 24/11/2004 21:59 Re: Infected PC somehwere - how can I let them know [Re: FireFox31]
robricc
carpal tunnel

Registered: 30/10/2000
Posts: 4931
Loc: New Jersey, USA
Quote:
Are home users really allowed to "run mail servers"?

I used to run a mail server over 56k, then DSL. You're not supposed to, but I probably wouldn't appreciate an ISP that actively stopped me from doing it.
_________________________
-Rob Riccardelli
80GB 16MB MK2 090000736

Top
#242510 - 24/11/2004 22:18 Re: Infected PC somehwere - how can I let them know [Re: robricc]
wfaulk
carpal tunnel

Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
My ISP explicitly allows this. I would be pissed off if they changed their policy, as it's a large reason I chose them. I don't want someone playing mother hen. I know how to run my own computers and network, thanks. On the other hand, it might make sense for the AOL-type ISPs out there to block this sort of stuff, at least by default.
_________________________
Bitt Faulk

Top
#242511 - 24/11/2004 22:23 Re: Infected PC somehwere - how can I let them know [Re: robricc]
Shonky
pooh-bah

Registered: 12/01/2002
Posts: 2009
Loc: Brisbane, Australia
Ditto Rob. I run a mail server on a dynamic IP cable modem. Acceptable Use Policy doesn't say I can't. They were talking about blocking port 25 outbound which would stop this problem (different ISP though to the one in question) but as far as I am aware they haven't yet.

I think however they should block by default and then allow users to request ports be opened. That would at least stop the majority of the problem IMO. Some ISPs do that here already.

I'd also be pissed off if they blocked incoming ports since I run a webserver and SMTP server. An outgoing block on 25 is no big deal - I already send all mail via the ISPs mail server anyway.
_________________________
Christian
#40104192 120Gb (no longer in my E36 M3, won't fit the E46 M3)

Top
#242512 - 24/11/2004 22:31 Re: Infected PC somehwere - how can I let them know [Re: Shonky]
wfaulk
carpal tunnel

Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
I don't. All mail is sent to my mail server which does the right thing with it. I suppose I could set up my ISP's mail server as a smarthost, but why?
_________________________
Bitt Faulk

Top
#242513 - 24/11/2004 22:31 Re: Infected PC somehwere - how can I let them know [Re: wfaulk]
robricc
carpal tunnel

Registered: 30/10/2000
Posts: 4931
Loc: New Jersey, USA
When I had Verizon DSL, it was in the TOS that servers not be run on your line. There was nothing they did to stop it though. We have Verizon Business DSL at the office and anything goes there.

I remember having an issue with one of my ISPs about running something over port 80. I think it was Verizon DSL. I really can't remember though. That was just plain stupid because almost anyone savvy enough to run a webserver at home can figure out how to make it listen on another port.

My parents have Optimum Online and you can only use optonline.net to send outgoing mail. Any other traffic on port 25 just hangs there. That's not horrible, but I don't like it.
_________________________
-Rob Riccardelli
80GB 16MB MK2 090000736

Top
#242514 - 24/11/2004 22:34 Re: Infected PC somehwere - how can I let them know [Re: Shonky]
FireFox31
pooh-bah

Registered: 19/09/2002
Posts: 2494
Loc: East Coast, USA
Quote:
I'd also be pissed off the they blocked incoming ports

Right, no need for that. Just make outgoing ports open by request only. Shouldn't be too hard for Cable modems since they seem to be MAC address driven. DSL on the other hand... By PPPoE username/password, I guess.
_________________________
-
FireFox31
110gig MKIIa (30+80), Eutronix lights, 32 meg stacked RAM, Filener orange gel lens, Greenlights Lit Buttons green set

Top
#242515 - 25/11/2004 09:20 Re: Infected PC somehwere - how can I let them know [Re: robricc]
andy
carpal tunnel

Registered: 10/06/1999
Posts: 5916
Loc: Wivenhoe, Essex, UK
Quote:
Any other traffic on port 25 just hangs there. That's not horrible, but I don't like it.


One of the UK ISPs transparently forwards all out going traffic on port 25 to their own smart hosts. If you are going to stop direct port 25 connects to the rest of the world this seems like a better way to do it.

I will soon have two DSL connections, one 512/256 from an ISP that encourages people to have a "full" Internet connection (they gave me 32 IP address without a fight) and one 2048/256 from an ISP that does cheap high speed connections. So my servers will have one line and we get to surf on the other one...

...and all for half the price that my old 1024/256 line used to cost.
_________________________
Remind me to change my signature to something more interesting someday

Top
#242516 - 25/11/2004 09:20 Re: Infected PC somehwere - how can I let them know [Re: FireFox31]
Roger
carpal tunnel

Registered: 18/01/2000
Posts: 5683
Loc: London, UK
Quote:
Just make outgoing ports open by request only.


But that adds administration cost, meaning that prices go up. Smaller ISPs should frankly just block incoming/outgoing SMTP, and you should use their host.

If you have a problem with that, pay extra for a bigger ISP, or for a business tariff. I pay for the business tariff on my DSL line, which means that I am explicitly allowed to run servers.
_________________________
-- roger

Top