How to get Email Addresses for the other Victims of a Hacker

Next: How to Stop a Denial of Service Attack

Previous: Who are the players in this Hacker Drama?

Back to Table of Contents

At this point, you should have a list of IP addresses and also understand who the other victims of attack are. If not, please read the previous two sections.

First, let's get some contact info for the ISPs. In a web browser, go to http://www.melissadata.com/lookups/iplocation.asp. Enter the first IP address from your list, and you should see results like this:

[Screenshot: Melissa IP address information]

Continue to enter in IP addresses, and keep a list of IP addresses and Domains like this:

IP Address      Domain (from Melissa)
67.219.58.161   SOFTCOM.COM
216.36.57.157   SOFTCOM.COM
69.163.239.247  NEWDREAM.NET
174.122.60.235  SOFTLAYER.COM
85.17.199.93    LEASEWEB.COM
200.98.197.42   CGI.BR

The domain name given above may be for the ISP, or it may be for the actual website owner. In any case, let's see if we can find some more domains associated with these IP addresses by using nslookup. Open a cmd prompt, and type nslookup [ip address] like this:

[Screenshot: nslookup output]

If nslookup doesn't give you results for a particular IP address, don't worry about it -- we're just trying to get some additional contact info. Just be sure to write down any domains that you see like this:

IP Address      Domain from Melissa   Domain from nslookup
67.219.58.161   SOFTCOM.COM           silva-server.com
216.36.57.157   SOFTCOM.COM           N/A
69.163.239.247  NEWDREAM.NET          bucharest.dreamhost.com
174.122.60.235  SOFTLAYER.COM         nex.next-jobathome.com
85.17.199.93    LEASEWEB.COM          www13.totaalholding.nl
200.98.197.42   CGI.BR                whl0023.whservidor.com

So now you have a list of Fully Qualified Domain Names (FQDNs). For example, we have bucharest.dreamhost.com. Let's make a guess that the following emails work for this domain (if some of them bounce, who cares?):

abuse@bucharest.dreamhost.com
support@bucharest.dreamhost.com
abuse@dreamhost.com
support@dreamhost.com

Next, open your web browser and visit all of the domains listed above. If they have a website, look to see if there is a "Contact" or "Support" page, and write down these email addresses. In my case, I visited these websites (note that in some cases, I am visiting both the original domain as well as a sub-domain):

SOFTCOM.COM
silva-server.com
NEWDREAM.NET
bucharest.dreamhost.com
SOFTLAYER.COM
nex.next-jobathome.com
next-jobathome.com
LEASEWEB.COM
www13.totaalholding.nl
CGI.BR
whl0023.whservidor.com

Finally, I end up with the following list of email addresses:

IP Address      Domain from Melissa   Domain from nslookup      Email Addresses
67.219.58.161   SOFTCOM.COM           silva-server.com          abuse@SOFTCOM.COM, support@softcom.com, webmaster@silva-server.com
216.36.57.157   SOFTCOM.COM           N/A                       abuse@SOFTCOM.COM, support@softcom.com
69.163.239.247  NEWDREAM.NET          bucharest.dreamhost.com   abuse@dreamhost.com, support@dreamhost.com
174.122.60.235  SOFTLAYER.COM         nex.next-jobathome.com    support@softlayer.com, abuse@softlayer.com, abuse@next-jobathome.com
85.17.199.93    LEASEWEB.COM          www13.totaalholding.nl    abuse@leaseweb.com, support@leaseweb.com, webmaster@totaalholding.nl
200.98.197.42   CGI.BR                whl0023.whservidor.com    info@cgi.br, abuse@whservidor.com, webmaster@whservidor.com
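
The nslookup-and-guess steps above, written as a script (an added example, not the author's tool): it takes the IP-to-ISP table as constructed sample data, replaces the manual nslookup step with Python's socket.gethostbyaddr (a fixed sample answer set is used offline), and generates the abuse@/support@ guesses for the ISP domain, the reverse-DNS host and its parent domain. The second_level_domain helper and its last-two-labels rule are my assumption and are not on the page.

```python
import socket
from typing import Callable, Dict, List, Optional

# Constructed sample from the tables above: IP -> ISP domain (Melissa), IP -> nslookup name.
ISP_DOMAINS = {
    "67.219.58.161": "SOFTCOM.COM", "216.36.57.157": "SOFTCOM.COM",
    "69.163.239.247": "NEWDREAM.NET", "174.122.60.235": "SOFTLAYER.COM",
    "85.17.199.93": "LEASEWEB.COM", "200.98.197.42": "CGI.BR",
}
SAMPLE_PTR = {  # IPs for which nslookup gave no answer are simply absent
    "67.219.58.161": "silva-server.com", "69.163.239.247": "bucharest.dreamhost.com",
    "174.122.60.235": "nex.next-jobathome.com", "85.17.199.93": "www13.totaalholding.nl",
    "200.98.197.42": "whl0023.whservidor.com",
}
# abuse@ is the role mailbox RFC 2142 reserves for this; support@ is the page's extra guess.
ROLE_MAILBOXES = ("abuse", "support")

def reverse_dns(ip: str) -> Optional[str]:
    """Live PTR lookup, what 'nslookup <ip>' does; None when there is no record."""
    try:
        return socket.gethostbyaddr(ip)[0].rstrip(".")
    except (socket.herror, socket.gaierror):
        return None

def second_level_domain(fqdn: str) -> str:
    """Last two labels (bucharest.dreamhost.com -> dreamhost.com). Assumed rule; it is
    wrong for multi-label suffixes such as co.uk, so use a public-suffix list for those."""
    return ".".join(fqdn.lower().strip(".").split(".")[-2:])

def candidate_contacts(isp_domain: str, ptr_name: Optional[str]) -> List[str]:
    """Guessed contacts for one IP: ISP domain, then reverse-DNS host and its parent."""
    domains = [isp_domain.lower()]
    if ptr_name:
        for d in (ptr_name.lower(), second_level_domain(ptr_name)):
            if d not in domains:
                domains.append(d)
    return [f"{box}@{d}" for d in domains for box in ROLE_MAILBOXES]

def build_contact_table(isp_domains: Dict[str, str],
                        resolver: Callable[[str], Optional[str]] = reverse_dns) -> Dict[str, dict]:
    """One row per IP: ISP domain, reverse-DNS name (or N/A) and the guessed contacts."""
    table = {}
    for ip, isp in isp_domains.items():
        ptr = resolver(ip)
        table[ip] = {"isp": isp, "ptr": ptr or "N/A", "contacts": candidate_contacts(isp, ptr)}
    return table

if __name__ == "__main__":
    for ip, row in build_contact_table(ISP_DOMAINS, SAMPLE_PTR.get).items():
        print(f"{ip:<16}{row['isp']:<14}{row['ptr']:<26}{', '.join(row['contacts'])}")
```

Pass reverse_dns instead of SAMPLE_PTR.get to run the real PTR lookups against your own IP list.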

As you can see, there is some "art" involved in finding these email addresses. You absolutely want to use the domain information from Melissa. Using nslookup and visiting the websites to find email addresses is more "extra for experts". In any case, once you have a list of email addresses, we are ready to notify these people. But first, let's learn about what all concerned parties need to do to stop the attack, and then I'll give you some advice on the best ways to communicate with all the various ISPs and website owners.

If you want to gather even more addresses, you might try my Whois Lookup Tool. This tool will (attempt to) show you the contact information for the owners of the domains you have found above. You only want to enter the second-level domain names. In this case, you would enter the following domains, one by one, into the Whois Tool: CGI.BR, dreamhost.com, LEASEWEB.COM, NEWDREAM.NET, next-jobathome.com, silva-server.com, SOFTCOM.COM, SOFTLAYER.COM, totaalholding.nl, and whservidor.com. Note that some domains will list contact email addresses, but some don't, because the owners of the domain have opted to hide their contact information (usually for a fee).

Finally, you can use my Fingerprint tool to find out what operating system these machines are running. Simply enter the domain names you found above with nslookup into the Fingerprint tool to see what software they are running. In my case, I found these:

IP Address      Domain from Melissa   Domain from nslookup      Web server and OS       Email Addresses
67.219.58.161   SOFTCOM.COM           silva-server.com          Apache/2.2.21 (Unix)    abuse@SOFTCOM.COM, support@softcom.com, webmaster@silva-server.com
216.36.57.157   SOFTCOM.COM           N/A                       N/A                     abuse@SOFTCOM.COM, support@softcom.com
69.163.239.247  NEWDREAM.NET          bucharest.dreamhost.com   N/A                     abuse@dreamhost.com, support@dreamhost.com
174.122.60.235  SOFTLAYER.COM         nex.next-jobathome.com    Apache/2.2.16 (Unix)    support@softlayer.com, abuse@softlayer.com, abuse@next-jobathome.com
85.17.199.93    LEASEWEB.COM          www13.totaalholding.nl    Apache/2.2.22 (Unix)    abuse@leaseweb.com, support@leaseweb.com, webmaster@totaalholding.nl
200.98.197.42   CGI.BR                whl0023.whservidor.com    Apache                  info@cgi.br, abuse@whservidor.com, webmaster@whservidor.com

As you can see, it looks like the machines used in this Distributed Denial of Service are all running Unix and Apache; the attacker may have been using a known exploit against Apache or Unix in order to use these machines as he pleases. Also, a quick check against the Apache website shows that the current version of Apache is 2.4.1. Since these websites are running older versions, it's likely that they are missing a number of security updates for their web servers (and probably also their operating systems); of course, if these ISPs (or the customers of the ISPs) are not installing the latest hotfixes, patches, and versions of software, they are leaving themselves (and you) vulnerable to attack. Later, when we contact the ISPs, it may help us craft a better email if we know what systems they are running.

Problems, Comments, Suggestions? Click here to contact Greg Thatcher
Copyright (c) 2013 Thatcher Development Software, LLC. All rights reserved. No claim to original U.S. Gov't works.