How to find the owner of a Network or Domain to track down offenders

Published November 10, 2006 · Last updated February 20, 2007 · 1 comment


Sometimes you need to track down offenders who are attacking your services, such as routers, mail or web servers. In other cases you just want to find out who is sending you traffic or hot-linking your images.

Most UNIX/Linux (and Windows server) services record the client's IP address or host name in their log files. You can resolve names with the host, nslookup and dig commands:

$ dig bad.cracker.com
$ host bad.cracker.com

First you need to find out who owns the domain. Next you need to contact the service provider that owns the IP address.

Find out the domain owner with whois
$ whois bad.cracker.com

You will get the admin or tech contact information, including a phone number and email address. However, in most cases an attacker will not use his real name and address, i.e. the information may be wrong. So the next logical step is to find out the netblock owner, i.e. who owns the IP address where the server or site is hosted. Again use the whois command to find out network information. First let us find out the IP address of the domain:
$ host bad.cracker.com

Output:

bad.cracker.com           A       202.71.128.225

Now get the IP address owner information:
$ whois 202.71.128.225

Output:

whois 202.71.128.225
% [whois.apnic.net node-2]
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html
inetnum:      202.71.128.0 - 202.71.159.255
netname:      NET4
descr:        Sterling Capital Pvt. Ltd.
descr:        Internet Service Provider
descr:        New Delhi
country:      IN
admin-c:      IG4-AP
tech-c:       IG4-AP
remarks:      -------------------------------------------------
remarks:      This object can only be modified by APNIC hostmaster
remarks:      If you wish to modify this object details please
remarks:      send email to hostmaster@apnic.net with your organisation
remarks:      account name in the subject line.
remarks:      -------------------------------------------------
mnt-by:       APNIC-HM
mnt-lower:    MAINT-STERCAP-IN
mnt-routes:   MAINT-STERCAP-IN
changed:      qadeer.m@net4india.com 19990830
status:       ALLOCATED PORTABLE
changed:      hm-changed@apnic.net 20031008
source:       APNIC
route:        202.71.128.0/24
descr:        NET4 route object
country:      IN
origin:       AS17447
mnt-by:       MAINT-STERCAP-IN
changed:      suman.g@net4india.net 20060523
source:       APNIC
person:       Iqbal Gandham
nic-hdl:      IG4-AP
e-mail:       ipadmin@net4india.net
address:      D-25 , Sec 3 , Noida
address:      U.P , India
phone:        +91-120-4323500
fax-no:       +91-120-4323520
country:      IN
changed:      suman.g@net4india.net 20060307
mnt-by:       MAINT-STERCAP-IN
source:       APNIC

Now you have the contact information (telephone number and email address) of the ISP or hosting provider. Send them an abuse report or a detailed message stating your position and the problem, including the relevant log lines with timestamps and time zone so they can match the activity to a customer. Most ISPs will send some sort of response to resolve the problem.
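The lookup chain above (resolve the name, whois the address, pull out the netblock and contact) can be scripted. The following is an added example, not code from the original article: a small POSIX shell function that summarises the RPSL-style whois answer shown above (APNIC/RIPE field names, plus the ARIN equivalents NetRange, NetName and OrgAbuseEmail) into the fields an abuse report needs. The `track_down` helper and the trimmed sample record are constructed for this example.

```shell
#!/bin/sh
# Added example: summarise a whois answer into "inetnum|netname|origin|emails".
# Reads whois text on stdin; use as: whois 202.71.128.225 | whois_summary

whois_summary() {
    awk '
        /^%/ || /^#/ { next }                 # server comment lines
        /^[Ii]netnum:/ || /^NetRange:/ { sub(/^[^:]*:[ \t]*/, ""); range = $0 }
        /^[Nn]etname:/ || /^NetName:/  { sub(/^[^:]*:[ \t]*/, ""); name = $0 }
        /^origin:/                     { sub(/^[^:]*:[ \t]*/, ""); asn = $0 }
        /^(e-mail|abuse-mailbox|OrgAbuseEmail):/ {
            sub(/^[^:]*:[ \t]*/, "")
            if (!seen[$0]++) mails = (mails == "" ? $0 : mails "," $0)
        }
        END { printf "%s|%s|%s|%s\n", range, name, asn, mails }
    '
}

# Hypothetical wrapper: resolve a host name or IP, then summarise its netblock.
track_down() {
    whois "$1" | whois_summary
}

# Constructed sample, trimmed from the APNIC record quoted in the article,
# so the parser can be exercised without network access (note the duplicate
# e-mail line, which the parser collapses).
SAMPLE_WHOIS='% [whois.apnic.net node-2]
inetnum:      202.71.128.0 - 202.71.159.255
netname:      NET4
descr:        Sterling Capital Pvt. Ltd.
country:      IN
route:        202.71.128.0/24
origin:       AS17447
person:       Iqbal Gandham
e-mail:       ipadmin@net4india.net
e-mail:       ipadmin@net4india.net
source:       APNIC'

summarize_sample() {
    printf '%s\n' "$SAMPLE_WHOIS" | whois_summary
}

summarize_sample
```

Real whois output varies by registry, so extend the field patterns if your regional registry uses different names.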

Note: the IP address above is just an example and not the real IP address of a bad guy :)


JOYFUL SHERRIL, March 25, 2009 at 6:00 pm

I AM WONDERING WHY THESE OTHER NETWORKS ARE APPEARING ON MY WIRELESS NETWORK? THEY’RE BLOCKING ME FROM DOING MY THING!

TRYING TO FIND OUT WHO THEY ARE AND APPEARING MORE OFTEN ON MY NETWORK?
