Sometimes you need to track down offenders who are attacking your services such as routers, mail or web servers. In other cases you just want to find out who is sending you traffic or hotlinking your images.
Most UNIX/Linux (and Windows server) services write information to log files. You can easily resolve a logged name or address with the host, nslookup and dig commands:
$ dig bad.cracker.com
$ host bad.cracker.com
First you need to find out the domain owner. Next you need to contact the service provider.
Find out domain owner with whois
$ whois bad.cracker.com
You will get the admin or tech contact information with a phone number and email address. However, in most cases the attacker will not use his real name and address, i.e. the information may be wrong. So the next logical step is to find out the netblock owner, i.e. the owner of the IP address where the server or site is hosted. Again use the whois command to find out the network information. First let us find out the IP address of the domain:
$ host bad.cracker.com
Output:
bad.cracker.com A 202.71.128.225
Now get the IP address owner information:
$ whois 202.71.128.225
Output:
whois 202.71.128.225
% [whois.apnic.net node-2]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html
inetnum: 202.71.128.0 - 202.71.159.255
netname: NET4
descr: Sterling Capital Pvt. Ltd.
descr: Internet Service Provider
descr: New Delhi
country: IN
admin-c: IG4-AP
tech-c: IG4-AP
remarks: -------------------------------------------------
remarks: This object can only be modified by APNIC hostmaster
remarks: If you wish to modify this object details please
remarks: send email to hostmaster@apnic.net with your organisation
remarks: account name in the subject line.
remarks: -------------------------------------------------
mnt-by: APNIC-HM
mnt-lower: MAINT-STERCAP-IN
mnt-routes: MAINT-STERCAP-IN
changed: qadeer.m@net4india.com 19990830
status: ALLOCATED PORTABLE
changed: hm-changed@apnic.net 20031008
source: APNIC
route: 202.71.128.0/24
descr: NET4 route object
country: IN
origin: AS17447
mnt-by: MAINT-STERCAP-IN
changed: suman.g@net4india.net 20060523
source: APNIC
person: Iqbal Gandham
nic-hdl: IG4-AP
e-mail: ipadmin@net4india.net
address: D-25 , Sec 3 , Noida
address: U.P , India
phone: +91-120-4323500
fax-no: +91-120-4323520
country: IN
changed: suman.g@net4india.net 20060307
mnt-by: MAINT-STERCAP-IN
source: APNIC
Now you have the contact information, such as a telephone number and email address, of the ISP or hosting service provider. Just send them an abuse report or a detailed message stating your position and the problem. Most ISPs will send some sort of response to resolve the problem.
Note: the IP address above is just an example and not the real IP address of a bad guy :)
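The whole procedure above, as an added shell example that is not part of the original post: pull the source addresses of failed logins out of a log, count them, and reduce a whois record to the fields an abuse report needs. The log lines and the whois record are constructed samples (the record copies the APNIC fields shown above, the 198.51.100.x and 192.0.2.x addresses are documentation ranges); in real use the record would come from running whois on the address.

```shell
#!/bin/sh
# Constructed sample of the APNIC-style whois record shown above (not a live lookup).
WHOIS_SAMPLE='inetnum: 202.71.128.0 - 202.71.159.255
netname: NET4
descr: Sterling Capital Pvt. Ltd.
country: IN
admin-c: IG4-AP
tech-c: IG4-AP
e-mail: ipadmin@net4india.net
phone: +91-120-4323500
source: APNIC'

# Constructed auth.log excerpt; addresses are the article's example and documentation ranges.
AUTH_LOG='Mar  1 10:01:02 host sshd[100]: Failed password for root from 202.71.128.225 port 4412 ssh2
Mar  1 10:01:05 host sshd[101]: Failed password for invalid user admin from 202.71.128.225 port 4413 ssh2
Mar  1 10:02:11 host sshd[102]: Failed password for root from 198.51.100.7 port 5000 ssh2
Mar  1 10:02:30 host sshd[103]: Accepted publickey for deploy from 192.0.2.10 port 6000 ssh2'

# Source addresses of failed logins, most frequent first, one "count ip" per line.
failed_login_sources() {
    printf '%s\n' "$AUTH_LOG" \
      | grep 'Failed password' \
      | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
      | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Reduce a whois record on stdin to "inetnum|netname|first e-mail|first phone".
whois_contact_summary() {
    awk -F': *' '
        $1 == "inetnum" { range = $2 }
        $1 == "netname" { net = $2 }
        $1 == "e-mail" && !mail { mail = $2 }
        $1 == "phone" && !phone { phone = $2 }
        END { printf "%s|%s|%s|%s\n", range, net, mail, phone }'
}

# One-line abuse report summary for the top offender, using the embedded sample record.
# With network access replace the sample with: whois "$ip" | whois_contact_summary
report_top_offender() {
    top=$(failed_login_sources | head -n 1)
    count=${top%% *}; ip=${top#* }
    summary=$(printf '%s\n' "$WHOIS_SAMPLE" | whois_contact_summary)
    printf '%s failed logins from %s -> %s\n' "$count" "$ip" "$summary"
}

report_top_offender
```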
1 comment:
I AM WONDERING WHY THESE OTHER NETWORKS ARE APPEARING ON MY WIRELESS NETWORK? THEY’RE BLOCKING ME FROM DOING MY THING!
TRYING TO FIND OUT WHO THEY ARE AND APPEARING MORE OFTEN ON MY NETWORK?