Sometime you need to track down offenders who are trying to attack against your services such as routers, mail, web server etc. In some cases you just wanted to find out who is sending traffic or hot linking your images etc.
Most UNIX/Linux (and Windows server) services logs information in log files. You can easily resolve the names with host, nslookup and dig command:
$ dig bad.cracker.com
$ host bad.cracker.com
First you need to find out domain owner. Next you need to contact service provider.
Find out domain owner with whois
$ whois bad.cracker.com
You will get admin or tech contact information with a phone number and email address. However, In most cases attacker will not use his real name and address i.e. information may be wrong. So next logical step is to find out netblock owner i.e. the IP address where server or site is hosted. Again use whois command to find out network information. First let us find out IP address of domain:
$ host bad.cracker.comOutput:
bad.cracker.com A 184.108.40.206
Now get ip address owner information:
$ whois 220.127.116.11Output:
whois 18.104.22.168 % [whois.apnic.net node-2] % Whois data copyright terms http://www.apnic.net/db/dbcopyright.html inetnum: 22.214.171.124 - 126.96.36.199 netname: NET4 descr: Sterling Capital Pvt. Ltd. descr: Internet Service Provider descr: New Delhi country: IN admin-c: IG4-AP tech-c: IG4-AP remarks: ------------------------------------------------- remarks: This object can only be modified by APNIC hostmaster remarks: If you wish to modify this object details please remarks: send email to email@example.com with your organisation remarks: account name in the subject line. remarks: ------------------------------------------------- mnt-by: APNIC-HM mnt-lower: MAINT-STERCAP-IN mnt-routes: MAINT-STERCAP-IN changed: firstname.lastname@example.org 19990830 status: ALLOCATED PORTABLE changed: email@example.com 20031008 source: APNIC route: 188.8.131.52/24 descr: NET4 route object country: IN origin: AS17447 mnt-by: MAINT-STERCAP-IN changed: firstname.lastname@example.org 20060523 source: APNIC person: Iqbal Gandham nic-hdl: IG4-AP e-mail: email@example.com address: D-25 , Sec 3 , Noida address: U.P , India phone: +91-120-4323500 fax-no: +91-120-4323520 country: IN changed: firstname.lastname@example.org 20060307 mnt-by: MAINT-STERCAP-IN source: APNIC
Now you have contact information such as a telephone number and email address of ISP or hosting service provider. Just send them abuse report or a detailed message stating your position and problem. Most ISPs will send some sort of response to resolve the problem.
Note above IP address is just an example and not real ip address of a bad guy :)TwitterFacebookGoogle+PDF versionFound an error/typo on this page? Help us!
- 30 Cool Open Source Software I Discovered in 2013
- 30 Handy Bash Shell Aliases For Linux / Unix / Mac OS X
- Top 30 Nmap Command Examples For Sys/Network Admins
- 25 PHP Security Best Practices For Sys Admins
- 20 Linux System Monitoring Tools Every SysAdmin Should Know
- 20 Linux Server Hardening Security Tips
- Linux: 20 Iptables Examples For New SysAdmins
- Top 20 OpenSSH Server Best Security Practices
- Top 20 Nginx WebServer Best Security Practices
- 20 Examples: Make Sure Unix / Linux Configuration Files Are Free From Syntax Errors
- 15 Greatest Open Source Terminal Applications Of 2012
- My 10 UNIX Command Line Mistakes
- Top 10 Open Source Web-Based Project Management Software
- Top 5 Email Client For Linux, Mac OS X, and Windows Users
- The Novice Guide To Buying A Linux Laptop