How to get Email Addresses for the other Victims of a Hacker

Next: How to Stop a Denial of Service Attack

Previous: Who are the players in this Hacker Drama?

Back to Table of Contents

At this point, you should have a list of IP addresses and also understand who the other victims of attack are. If not, please read the previous two sections.

First, let's get some contact info for the ISPs. In a web browser, go to Enter the first IP address from your list, and you should see results like this:

Melissa IP Address information

Continue to enter in IP addresses, and keep a list of IP addresses and Domains like this:


The domain name given above may be for the ISP, or it may be for the actual website owner. In any case, let's see if we can find some more domains associated with these IP addresses by using nslookup. Open a cmd prompt, and type nslookup [ip address] like this:


If nslookup doesn't give you results for a particular IP address, don't worry about it -- we're just trying to get some additional contact info. Just be sure to write down any domains that you see like this:


So now you have a list of Fully Qualified Domain Names (FQDNs). For example, we have Let's make a guess that the following emails work for this domain (if some of them bounce, who cares?):

Next, open your web browser and visit all of the domains listed above. If they have a website, look to see if there is a "Contact" or "Support" page, and write down these email addresses. In my case, I visited these websites (note that in some cases, I am visiting both the original domain as well as a sub-domain):


Finally, I end up with the following list of email addresses:

IP Address Domain from Melissa Domain from nslookup Email Addresses SOFTCOM.COM abuse@SOFTCOM.COM,, SOFTCOM.COM N/A abuse@SOFTCOM.COM, NEWDREAM.NET, SOFTLAYER.COM,, LEASEWEB.COM,, CGI.BR,,

As you can see, there is some "art" involved in finding these email addresses. You absolutely want to use the domain information from Melissa. Using nslookup and visiting the websites to find email addresses is more "extra for experts". In any case, once you have a list of email addresses, we are ready to notify these people. But first, let's learn about what all concerned parties need to do to stop the attack, and then I'll give you some advice on the best ways to communicate with all the various ISPs and website owners.

If you want to gather even more addresses, you might try my Whois Lookup Tool. This tool will (attempt to) show you the contact information for the owners of the domains you have found above. You only want to enter the second-level domains names. In this case, you would enter the following domains, one by one, into the Whois Tool: CGI.BR,, LEASEWEB.COM, NEWDREAM.NET,,, SOFTCOM.COM, SOFTLAYER.COM,, and Note that some domains will list contact email addresses, but some don't because the owners of the domain have opted to hide their contact information (usually, for a fee).

Finally, you can use my Fingerprint tool to find out what operating system these machines are running. Simply enter in the domain names you found above using nslookup into the Fingerprint tool to find out what they are running. In my case, I found these:

IP Address Domain from Melissa Domain from nslookup Web server and OS Email Addresses SOFTCOM.COM Apache/2.2.21 (Unix) abuse@SOFTCOM.COM,, SOFTCOM.COM N/A N/A abuse@SOFTCOM.COM, NEWDREAM.NET N/A, SOFTLAYER.COM Apache/2.2.16 (Unix),, Apache/2.2.22 (Unix),, CGI.BR Apache,,

As you can see, it looks like the machines used in this Distributed Denial of Service are all running Unix and Apache; the attacker may have been using a known exploit against Apache or Unix in order to use these machines as he pleases. Also, a quick check against the Apache website shows that the current version of Apache is 2.4.1. Since these websites are running older versions, its likely that they are missing a number of security updates for their webservers (and probably also their Operating Systems); of course, if these ISPs (or the customers of the ISPs) are not installing the latest hotfixes, patches, and versions of software, they are leaving themselves (and you) vulnerable to attack.   Later, when we contact the ISPs, it may help us craft a better email if we know what systems they are running.

Next: How to Stop a Denial of Service Attack

Previous: Who are the players in this Hacker Drama?

Back to Table of Contents

Problems, Comments, Suggestions? Click here to contact Greg Thatcher

Please read my Disclaimer

Copyright (c) 2013 Thatcher Development Software, LLC. All rights reserved. No claim to original U.S. Gov't works.