
The best tools and methods to track down suspect IP addresses and URLs


There are many reasons why you might need to track down an IP address. You might have discovered a hacking attempt in one of your logs. You might think you have found a spammer that you want to add to a blacklist. There are as many ways to do it as there are reasons to do it. Every operating system has different tools for helping you track down an IP address, and on top of that, every application that makes use of IP addresses tends to ship its own tools for this purpose. So where do you start? What’s the easiest way to find IP addresses and help locate their sources?


I’m assuming you know what an IP address is and what it does, but that’s about it. Much of this information will be common knowledge to the seasoned administrator, but new administrators or support techs might glean some useful information here.


Finding the IP address for a URL


Let’s say whatever application you are using gives you a URL for an address that you want to block or track (for whatever reason). If you need the IP address of that URL there is a very simple way to get it: use ping. Let’s use google.com as an example. To find the IP address of that URL I would open up a command prompt in Windows (or launch Terminal on a Mac, or a shell on Linux) and type:


ping google.com

From that command you should see something like:


64 bytes from iwanttoblockthis.com 74.125.159.104: icmp_seq=1 ttl=52 time=29.0

As you can see, the ping tool resolves the IP address associated with the URL google.com; in this example the address is 74.111.159.104. Now this can be a bit misleading, because that IP address might be only one of many addresses associated with the domain. You can find out all of the IP addresses associated with a URL using the nslookup command like so:


nslookup google.com

The above command should report something similar to:


Non-authoritative answer:

Name:    google.com
Address: 74.111.159.104

Name:    google.com
Address: 74.111.159.105

Name:    google.com
Address: 74.111.159.106

Name:    google.com
Address: 74.111.159.107

Name:    google.com
Address: 74.111.159.108

Name:    google.com
Address: 74.111.159.109

From the above information you should notice that the answers received are non-authoritative, which means they came from a caching resolver rather than from a name server that is authoritative for the domain. Let’s use the same tool to find the authoritative name server for the domain. To do this, first issue the command nslookup with no arguments. This will bring you to a prompt that looks like:


>

Now set the querytype like so:


> set querytype=soa

and then enter the domain:


> google.com

You will then see output that looks like that shown in Figure A.


Figure A



Now you can see the IP address of the server in charge of the domain google.com is 216.239.32.10.


Finding the URL for an IP address


If you ping an IP address you will not get a domain name back. I know, I know…it’s unfair, but it’s the way it goes. So, how can you get the URL from an IP address? Simple: you take advantage of nslookup again, this time giving it the IP address. To do this, issue the command:


nslookup 216.239.32.10

And you will see something like:


Non-authoritative answer:
10.32.239.216.in-addr.arpa name = ns1.google.com.

You instantly know that the IP address is associated with google.com. Of course you could also just enter the IP address in your web browser and, if that IP address is associated with a web server, you will see the results instantly. If the IP address is not associated with a web server you will have to do more research.


You can find out even more information using the whois command like so:


whois 216.239.32.10

The above command will report something like this:


NetRange:       216.239.32.0 - 216.239.63.255
CIDR: 216.239.32.0/19
OriginAS:
NetName: GOOGLE
NetHandle: NET-216-239-32-0-1
Parent: NET-216-0-0-0-0
NetType: Direct Allocation
NameServer: NS2.GOOGLE.COM
NameServer: NS3.GOOGLE.COM
NameServer: NS4.GOOGLE.COM
NameServer: NS1.GOOGLE.COM
RegDate: 2000-11-22
Updated: 2001-05-11
Ref: http://whois.arin.net/rest/net/NET-216-239-32-0-1
OrgName: Google Inc.
OrgId: GOGL
Address: 1600 Amphitheatre Parkway
City: Mountain View
StateProv: CA
PostalCode: 94043
Country: US
RegDate: 2000-03-30
Updated: 2009-08-07
Ref: http://whois.arin.net/rest/org/GOGL
OrgTechHandle: ZG39-ARIN
OrgTechName: Google Inc
OrgTechPhone: +1-650-253-0000
OrgTechEmail: arin-contact@google.com
OrgTechRef: http://whois.arin.net/rest/poc/ZG39-ARIN
RTechHandle: ZG39-ARIN
RTechName: Google Inc
RTechPhone: +1-650-253-0000
RTechEmail: arin-contact@google.com
RTechRef: http://whois.arin.net/rest/poc/ZG39-ARIN
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html

Now, if someone (identified by either a URL or an IP address) is attacking you or sending you spam, and you want to discover who they are, block them, report them, or contact them, you have the information you need.
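As an added example (not part of the original article), here is a small Python helper that works offline on the same data the nslookup and whois commands above produce: it pulls the addresses out of an nslookup answer, builds the in-addr.arpa name a reverse lookup queries, and reads the CIDR block and technical contact out of the whois record so you can confirm a suspect IP really belongs to the reported netblock and know whom to report it to. The sample texts are constructed, abbreviated copies of the output shown above.

```python
import ipaddress
import re

# Constructed sample: an nslookup answer in the shape shown above (addresses are the page's own).
NSLOOKUP_OUTPUT = """Non-authoritative answer:
Name:    google.com
Address: 74.111.159.104
Name:    google.com
Address: 74.111.159.105
"""

# Constructed sample: an abbreviated ARIN whois record in the shape shown above.
WHOIS_OUTPUT = """NetRange:       216.239.32.0 - 216.239.63.255
CIDR:           216.239.32.0/19
NetName:        GOOGLE
OrgName:        Google Inc.
OrgTechEmail:   arin-contact@google.com
# ARIN WHOIS data and services are subject to the Terms of Use
"""

def parse_nslookup_addresses(text):
    """Collect every 'Address:' value from a forward-lookup answer."""
    return [m.group(1) for m in re.finditer(r"^Address:\s*(\S+)", text, re.M)]

def parse_whois_fields(text):
    """Turn 'Key: value' lines into a dict; comment lines starting with '#' are skipped."""
    fields = {}
    for line in text.splitlines():
        if ":" in line and not line.startswith("#"):
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields

def reverse_pointer(ip):
    """The in-addr.arpa name that a reverse lookup of ip queries (e.g. 10.32.239.216.in-addr.arpa)."""
    return ipaddress.ip_address(ip).reverse_pointer

def block_contains(cidr, ip):
    """True if ip falls inside the whois-reported CIDR block."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)

def triage(ip, whois_text):
    """Summarise what the workflow above yields for one suspect IP: PTR name, owning block, contact."""
    fields = parse_whois_fields(whois_text)
    return {
        "ptr_name": reverse_pointer(ip),
        "in_block": block_contains(fields["CIDR"], ip),
        "org": fields.get("OrgName"),
        "contact": fields.get("OrgTechEmail"),
    }
```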


You have neither an IP nor URL


What if you are sure you’re being attacked, but you have no idea by whom or by what? The first place to look is your server’s log files. But if those escape you (you either have no idea where to find them or they don’t give you the information you need), you might need to employ a network monitoring tool. There are plenty of tools available for this task. One of my favorites is Wireshark. This is a very powerful, open source, cross-platform tool that can monitor your PC or your entire network. From this monitor you will see any and all traffic flowing through your network. Should anything look suspicious, you have the IP address that will then help you gain valuable information.


Sometimes “they” are just too good


There are times when you will be attacked, spammed, spoofed, etc. and you simply will not be able to track down the source. This is an unfortunate truth in the world of a networked computer. And when/if that time comes you will have to do your best to tighten down your security to make sure each and every computer is safe. Just remember, if a computer is attached to the network, no matter what operating system is on it, it is insecure. No machine, no operating system, no firewall, no anti-virus, no anti-malware is perfect.


The most important thing you can do is arm yourself with the tools and knowledge that will allow you to track down an address should you need to. And once you have the address (be it URL or IP address) you can always report the address to your service provider as well as sites like LiveIPMap.


Final thoughts

If you can get the IP address of someone doing nefarious deeds to your system or network you need to have the tools to enable you to gather the information in order to report the suspected address or culprit. Although the most challenging task in this process is actually locating the address, half of the battle is in the information recon. With the tools and methods outlined here, you should have everything you need.




