Solved

How can I contact someone when I only have their IP address?

Posted on 2004-04-12
Last Modified: 2010-08-05
Apparently one or more friends of mine have been infected with Netsky worm variants, like this one:

http://securityresponse.symantec.com/avcenter/venc/data/w32.netsky.p@mm.html

Each day, I get a number of email messages from this person or persons with the worm attached. I would really like to let them know they're infected... But I don't know how.

I've tried to correlate the arrival time of the messages with friends I know are online, but have not been able to do so. I've also contacted some of my more technically innocent friends directly, but their systems were OK. As I can see the originating IP address in the email headers, I've tried "NET SEND ip_address contact_me_message", not really expecting that it would work... and it didn't :-(

I don't really want to send a bulk email to everyone I know. So, I'd like to ask if anyone has any idea how I might contact another person, if all I have is their IP address?
Question by:klapidge
20 Comments
 
LVL 23

Expert Comment

by:rhandels
Hello,

You can go to www.nic.com and go to the whois section. Here you can see to whom the IP address belongs. As long as not all of your friends have the same ISP, you can see which ISP the IP address belongs to.
 

Author Comment

by:klapidge
Hi rhandels,

Thank you for your suggestion. Alas, many, probably most of the people who it could be use the same ISP as me (I'm currently in Taiwan, and most people with Internet access here seem to be with Hinet). I do already know that this person or persons uses Hinet, and hence I know it's someone in this country... But that's still rather a lot of people!

I was really rather hoping for some clever / devious method to send a message to whoever the person is. A faint hope I know, but...!
 
LVL 23

Assisted Solution

by:rhandels
rhandels earned 100 total points
The problem is that the only way to know whose IP address is whose, you'd have to go to court to get it from the ISP (like the RIAA). I don't think you would go through all this trouble ;)...

You could try a tracert. Maybe the ISP uses names of places which the users are connected to.
Also a ping -a can be used. It pings the IP address of your friends and resolves it to a hostname. But I'm afraid that even that one won't do the trick.

I think the fastest way to do this is to e-mail all your friends, tell them what kind of trouble you went through to find out who it was and tell them how to resolve their own IP address.... Saves you a lot of trouble. By the way, isn't it your friends' problem to keep their computers clean of viruses????

I'm out of ideas, all my ideas are above. Hope you can figure it out...
 
LVL 27

Expert Comment

by:pseudocyber
You're only going to be able to pin it down to the ISP, not an individual. You can go to http://www.arin.net and enter the IP address.

However, if they're dialup, odds are the IP changes frequently.

Most ISPs are not going to care ... btw.

About the only thing you can do is to make sure you're up to date on patches for OS and firewall, and keep your Virus Software up to date.
 
LVL 30

Expert Comment

by:Gareth Gudger
You know.....us old folk use this thing called a "phone". :)
 
LVL 30

Expert Comment

by:Gareth Gudger
And even older people called it a talking telegraph....but then you would have to be about 150 years old. :)
 

Author Comment

by:klapidge
Hi Guys,

Thank you again for your suggestions. I do realise that I'm not likely to be able to find out "who" is using a particular IP address... But I was thinking that I didn't necessarily need to know who it was - I just need to get a message to them (hence my mention of "net send"). Having said that, I realise that probably there's no way, but thought it worth asking. I'll hang on for a while longer, just in case someone does come up with a way. But if not, yes, I suppose I'll just have to email everyone, sigh...
 
LVL 3

Expert Comment

by:browolf
There is no way. If there was, the RIAA for instance wouldn't be having the trouble it's having trying to find out who people are. You can be sure if there was a way, they'd be using it.

On top of that, most people have dynamic IP addresses, so even if you could use net send it'd probably go to another person.

And most viruses spoof email addresses, so it's never from who it says it's from.
 
LVL 11

Expert Comment

by:PennGwyn
If "ping -a" was going to be able to resolve ("do a reverse lookup on") the address to get a hostname:

a.  That hostname would probably not get you much more than "it's a HINET customer in/near city X".

b.  The email "Received:" header would probably already contain this information.

 
LVL 8

Expert Comment

by:banks1850
Funny that nobody mentioned this yet, must have slipped through.

klapidge,

If you look closely at the description of this virus, it performs "spoofing", which means that most of the addresses you are receiving this from aren't actually sending this virus. Only one computer needs to be infected (it grabs all of the contacts on that computer and sends out spoofed emails based on those addresses). So, besides being time consuming, what you are doing is going to be generally fruitless because almost all of the computers you are trying to reach aren't infected. I would just put up some Bayesian filter (like SpamBayes, it's free), and train it to filter these directly into a junk folder. That is what I do. I get about 100 of these a day but they don't bother me because they go right into junk mail. Odds are, if this person has a large contact list, you aren't going to figure out who sent it. Eventually they will figure out that they have a virus and this will stop, or the ISP will start filtering these emails or deny service to the account because of the volume of emails being sent. Either way, I wouldn't worry about trying to cure other people's viruses unless it is your job; it's my job and I still hate doing it!
Good Luck
 

Expert Comment

by:sleepydeez
I'm with Banks....
Netsky spoofs email addresses. No point in trying to let these people know. Probably not them infected anyway. Only going to get them worried and asking questions of their tech person and so on. This is why Netsky is so evil...

Sleepy
 

Author Comment

by:klapidge
Thanks to everyone once again :-)

To banks1850 and sleepydeez:

I understand what you're saying, and I do agree. I think I've pretty much resigned myself to not being able to do anything useful about this...

But I am still curious ;-) Why? Well, as you've said, the email address and domains are spoofed, and hence useless. But... I believe that the first "Received" line in the email header must contain the real IP address the message came from. I think it has to, for the reasons I mentioned above.

To be more explicit: This line is added by the first mail server contacted, and for that mail server to communicate with the machine sending the email, it has to know the real IP address of the sender. Sending email requires a two-way protocol conversation, which would not be possible if the IP address was spoofed.

So... for the sake of my curiosity if nothing else, we're still back to my original question!

Forget the spoofed domain names and email addresses, and forget the fact that I can't reasonably expect to find out who owns the infected computer. All I need is a definitive answer to the question:

What method(s) could I use to get a message to someone if I know their IP address? If any?

I know that there may be no way. Or no way, except in particular circumstances. But folks, this person or persons is running Windows (otherwise they wouldn't have the worm). So perhaps there's some way? Or some way that might work if they have a standard / insecure Windows installation (very possible, given that they apparently have this worm and don't know it). Or if not a "standard" way, as with "net send", maybe a devious way?

Ok, maybe not, I know, I know... But can anyone tell me that with absolute confidence?
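
Reading the Received: chain the way klapidge describes above (and covering PennGwyn's point about reverse lookups and banks1850's point that the From: address is spoofed), here is an added example that is not part of the original thread. The message, the server names and the addresses are constructed for the example (documentation IP ranges, made-up hostnames). The one caveat a practitioner would add to the reasoning above: a Received: header is only evidence if it was written by a server you trust (your own, or a relay you know), because the sending machine can put forged Received: lines below them. So the chain is walked top-down and stops at the first untrusted writer, and the peer IP of the last trusted hop is the real TCP source.

```python
import re
import socket
from email import message_from_string
from email.utils import parseaddr
from ipaddress import ip_address

# Constructed sample message, not one of the messages from the thread. The From:
# header is spoofed (the worm picks any address from the infected address book);
# the Received: headers were written by the two mail servers that relayed it.
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges; the ISP-style
# reverse name is made up for the example.
SAMPLE_MESSAGE = """\
Received: from mx1.example.net (mx1.example.net [198.51.100.7])
\tby mail.example.org (Postfix) with ESMTP id ABC123
\tfor <me@example.org>; Mon, 12 Apr 2004 09:14:02 +0800
Received: from victim-pc (203-0-113-45.example-isp.net [203.0.113.45])
\tby mx1.example.net (8.12.11) with SMTP id i3C1E1s
\tfor <me@example.org>; Mon, 12 Apr 2004 09:13:58 +0800
From: "Some Friend" <friend@example.com>
To: me@example.org
Subject: Re: Your document

see attachment
"""

# Peer address an MTA records in its Received: header: "(name [ip])" or "[ip]".
PEER_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")
# The MTA that added the header names itself after "by".
BY_HOST = re.compile(r"\sby\s+([A-Za-z0-9.-]+)", re.IGNORECASE)


def received_headers(raw):
    """Received: headers newest first (top of the message), folded lines joined."""
    msg = message_from_string(raw)
    return [" ".join(value.split()) for value in msg.get_all("Received", [])]


def from_domain(raw):
    """Domain of the From: header; for a worm this is whatever it chose to claim."""
    msg = message_from_string(raw)
    addr = parseaddr(msg.get("From", ""))[1]
    return addr.rpartition("@")[2].lower() or None


def originating_ip(raw, trusted_mtas):
    """Walk the Received: chain from the top (your own server) downwards.

    Each header was written by the MTA named after 'by' and records the IP it
    accepted the TCP connection from. That IP cannot be spoofed, because SMTP
    is a two-way conversation. A header is evidence only if a server you trust
    wrote it; the sender can forge anything below that point. So: keep walking
    while the writer is trusted, and return the peer IP of the last trusted hop.
    """
    trusted = {host.lower() for host in trusted_mtas}
    best = None
    for header in received_headers(raw):
        writer = BY_HOST.search(header)
        peer = PEER_IP.search(header)
        if not writer or writer.group(1).lower() not in trusted or not peer:
            break
        try:
            best = ip_address(peer.group(1))
        except ValueError:  # malformed address in a header we trusted: stop here
            break
    return best


def reverse_lookup(ip):
    """What 'ping -a' does: a PTR lookup. Needs network; returns None on failure."""
    try:
        return socket.gethostbyaddr(str(ip))[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def whois(query, server, port=43, timeout=10):
    """Plain RFC 3912 WHOIS: send one query line, read to EOF. Needs network.
    Ask the regional registry for the address (whois.apnic.net covers Taiwan)
    and expect an allocation and an abuse contact, not a subscriber name."""
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")


if __name__ == "__main__":
    my_servers = {"mail.example.org", "mx1.example.net"}
    print("From: claims", from_domain(SAMPLE_MESSAGE))
    print("TCP source at last trusted hop:", originating_ip(SAMPLE_MESSAGE, my_servers))
    # Trusting only your own server stops at the relay, not at the infected PC:
    print("Trusting mail.example.org only:", originating_ip(SAMPLE_MESSAGE, {"mail.example.org"}))
```

Run against a real message, paste the raw headers into SAMPLE_MESSAGE (or read the file) and put your own mail server's name in the trusted set; widen the set only to relays you actually know. The result is the address of the machine that opened the SMTP connection, which for a mass-mailer like Netsky is the infected PC itself, and reverse_lookup and whois then give what the thread already predicts: an ISP name and a city at best, never a person.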
 
LVL 27

Expert Comment

by:pseudocyber
You hire a lawyer and use legal means to force the ISP to divulge the identity of the MAC address, login, or whatever records they have.
 
LVL 8

Expert Comment

by:banks1850
Klapidge,
So we know it is pretty tough to find an email based on an IP without the ISP giving it out. Good.

OK, so you need a user based on an IP address. Well, there is a host of tools that you can use to look for a domain based on an IP subnet, but unless the information is listed and the router that hosts the subnet is willing to give it out, then that is where your trail will stop. You could do an nslookup or do a whois at internic.net, but that will only tell you the name of the domain and their contact info. You could trace route to find something similar. But most ISPs aren't going to let you request ICMP information directly from users (well, that's not strictly true, some will). And even if you do get the machine name, there is no guarantee that it is still the correct one. I also submit this: any user green enough to allow their real IP address to show up for these kinds of requests on the internet is in for a VERY long road in the future anyway, because there are just tons of attacks (not just dropping viruses on a remote machine) that someone can perform on a live workstation using Windows. Unless you know how to configure Windows to turn off responses at the datalink level (not just ports) you could be in trouble. Always use a hardware router in addition to anything you use on your machine for intrusion detection.
 

Author Comment

by:klapidge
Hi All,

Firstly, I have no idea why, but one of my responses above is missing, and I've only just seen that. Probably my fault :-( But it's a pity, because it was quite long and detailed. Anyway, in the missing response, I tried to emphasise what I did and didn't need to know, because I thought many of the responses were answering the wrong question!

Just briefly:

    ****************************************
    I do NOT need to know who is using the machine.
    I just want to get a visible message to that machine.
    ****************************************

Whoever is infected must already know me, otherwise they wouldn't have my email addresses! (Including one I rarely use, and one that's ultra-private.)

I have the IP already - that part is easy!

Yes, the IP is dynamic, but I reckon I can respond quickly enough (at least sometimes) to be able to get to the person before they disconnect and the IP is reallocated.

So I just want to send a message, any way, any how, to that machine. A message which will be visible somehow to the user, either immediately or later.

As I said above, "net send" doesn't work. But if it did, I would do something like this (not technically accurate I know, but close enough, and they should understand it):

net send 111.222.333.444 "Hello, this is klapidge. You know me, or we have met in the past, but I do not know who you are. I do know that your PC is infected with the Netsky virus. That virus is sending copies of itself to everyone in your address book, every day, including me! Please contact me, and I will explain how to remove the virus. My email: xxx My phone: 111. Thank you! klapidge"

Also, if they've met me, they'll have or hopefully remember my business card, which makes it clear I work with computers. So even if they're initially suspicious of such a message, my personal and contact details should quickly convince them that the message itself isn't a virus or spoof. And the fact that they're probably not very computer-literate, and that I am, should stop them from being mystified or concerned about how I just sent them that message!

Well, except that even if it turns out to be possible, it wouldn't have been me that knew how. But I'm happy to give credit to any genius that can, and / or to EE ;-)

I hope this is clearer, or helps. Something like what "net send" does would be ideal. Something that changes their desktop picture and sounds an alarm through their speakers would be good too. And perhaps a mild electric shock? (Just joking.) (Not really.) (Ok, yes, really.)

One last thing - they're using the same ISP as me. Which probably makes no difference, but...?
 
LVL 27

Accepted Solution

by:pseudocyber
pseudocyber earned 100 total points
What kind of havoc would there be if M$ purposefully allowed whomever to send messages and alter the GUI of whomever they felt like, just because they had their IP address?  Net Send is bad enough - pop up advertisements and other $4!+.

Here is your answer:  

Option 1 - legal - try to use net send - if they're ignorant enough to have it open, this should get their attention.
Option 2 - legal & cumbersome - go through the ISP as noted above.
Option 3 - illegal/unethical - port scan them, sniff them, try to figure out who they are if they're using any IM, have obvious holes open, hack them in other words.
Option 4 - realize this is a fact of Internet life, it's not worth the hassle to do anything about it, and move on with your life.
 
LVL 23

Expert Comment

by:rhandels
I agree with pseudocyber. I'd go for option 4 if I were you. Or else... Option 3 (whether you are an IT idiot or not). But be sure not to get too much attention... :)
 
LVL 23

Expert Comment

by:rhandels
Hi,

I thought I also gave the same answer in my first post. So I would say a split between pseudocyber and me..
