How to contact infected surfers?

Since I installed my new firewall it lets me know of port scans coming from other users on the 'net. Some are ‘script kiddies’ trying out new scanning tools and others are people with a virus which scans IPs in the same subnet as I’m in.

So every day I see a list of IP addresses from users on my ISP that are infected with a virus or two and I see them scanning my machine.

Is there any easy way to let these people know that they are infected?

Reporting it to the ISP isn’t going to work as it hasn’t yet :)

I’m sure that with the IP I can do something to alert the other user(s) but what?

I entertained this thought a while back, and here’s my opinion: Don’t bother. You’re likely to receive no gratitude for your efforts, and at worst you’ll get (threats?) to call the cops for “hacking” the clueless.

Yeah, I was thinking of that myself!

I remember when 95 first came out and if you had a local network connected to the Internet you were in fact sharing all your files with everyone. All you needed to do was to type their IP into the address bar and you could see all their files.
I found a co-worker who had this problem and left a .txt file on his desktop at home letting him know of his prob.

He wasn’t impressed even though I told him how to fix his prob :)

I use Linux, but I get a lot of stuff that looks like attempts to attack Windows machines. Once in a while I take a few minutes and send Windows Messaging service messages to these people. Samba and the smb tools bring along all of the stuff you need to do it.

You’ve got to open ports 135 and 139 (and probably at least one other) on your firewall so that you can send packets out of them. Then you need to find the NETBIOS name that matches the IP address of your “attacker.” Once you have that, you can send them a nice little text message that says “Some one has hacked your machine, and it is attacking mine. Please update your AV software and install a firewall.”

I can do this safely on my machine because I don’t have the Samba services running.

Do NOT do this from a Windows machine. When you open the ports to get in contact with your “attacker,” you also open yourself up to having files read from your machine through the Windows sharing stuff.

In about half of the cases, I’ve been able to get the NETBIOS name and send a message to the “attacker.” Those are the truly clueless ones. They have no firewall, still have the Windows Messaging Service running, and have no AV software. A sadder bunch of PC users you will never see.

Be careful: you can fake IP addresses, so just because a packet says it’s coming from address a.b.c.d doesn’t mean that it actually does. Obviously this only allows for one-way communication. You can fake MAC addresses too. And that’s before you start messing with routers and the like.

I know this is GQ, but I’m not going to provide any cites for obvious reasons.

You can fake IP addresses, but since most ISPs are going to filter them as being bogus before they get anywhere on their network, they’re not very good for worm reproduction, which is what 99% of the traffic you’ll see is.

For a while with Code Red and the like, if I was bored I would paste some IPs from my Apache log into my browser to see what came up. I got a few Japanese heavy manufacturing web sites for some reason, and once a website for a small RV campground. Phoning their 1-800 number got me the young lady manning the reservation line, for whom I’m fairly sure the words “firewall”, “IP address” and “server log” meant not much.

So anyhow, with those particular virii (which infected IIS), you may get a webpage with some contact info. For others, the only method I can think of is the one Mort Furd describes.

Ok…well I’m gonna go with what Mort Furd said.

I have the IP, I know how to send the message, I know what virus they have and I have the link to the removal tool chez Norton but what I don’t have is the text.

With so much SPAM these days the user is likely to just close the window and dismiss it out of hand without actually reading what I have to say.

“You have a virus…blah…blah” isn’t gonna cut it.

How could I personalise the message to get their attention?

How’s this:

Hey, you lousy LUser. Your crap spewing, virus infected PC is attacking my PC. Knock it off already.


I’m another in the “don’t bother” camp. You can report it to their ISP if you want, but really–the average person will not know what to do if they get such a message, and may not believe it anyway. If they are sending out HUGE amounts of traffic, believe it or not, their ISP will contact them -by phone- on the matter.

Please tell me that somebody else was going to recommend putting up signs on the beach.