Resolving an IP address with no reverse DNS lookup


OneOfOne
12-09-2009, 09:43 AM
I regularly check on the IP addresses of visitors to my site and then use a reverse DNS tool to resolve the name of the site who visited. I am surprised at the number of bots and other visitors (China and Eastern Europe) that regularly visit me; I expect they are searching for email addresses... tough guys, never have had any on the site.

I also get a lot that return "no reverse lookup" :(. Is there some way of finding out some idea of who they are? Can you type the IP address in the address bar of the browser and have it take you there? e.g. "192.168.43.56" or http://192.168.43.56 or some other syntax?

Thanks

dpastern
12-09-2009, 10:36 AM
Not really, it could be a faked IP address for starters. Even MAC addresses can be faked if you know how. Not worth the effort. You could do a WHOIS on the IP address to see who it belongs to (ISP wise), and a traceroute, but it's really not worth the effort imho.

Dave

supernova1965
12-09-2009, 03:48 PM
You might try to ping their IP address in CMD or DOS prompt, depending on what you use, to find out if it is real, and if it is you can type the IP address into the address bar. You can also find IP addresses from a webpage name using ping in the same way. The CMD ping example is:
ping 192.168.43.56

dpastern
12-09-2009, 04:58 PM
ping isn't worth much - if icmp echo ping replies are turned off (not uncommon)...

Dave

multiweb
12-09-2009, 08:56 PM
That looks like an internal IP. Like a router or gateway. You know, usually in the ranges 192.168.x.x or 10.x.x.x depending. Maybe from your network.

dpastern
12-09-2009, 09:03 PM
http://en.wikipedia.org/wiki/Classful_network

It's a Class C network address, internal, yes. Scroll down to special classes on the link above.

I doubt very much that the OP would have a router/gateway with that sort of IP addressing, would be very unusual.

As I said earlier, I'd put money on it being a fake IP address. Many crackers employ that sort of technique.

Dave

mithrandir
12-09-2009, 11:21 PM
My policy is anyone whose access attempt gets a 404, 405, 406, 413 or 414 response code from Apache, or any SSH failure, gets the allocation it came from - not just the IP - added to the firewall. There are some countries whose entire allocations are in the firewall.

I do have a CGI that generates fake but valid appearing email addresses for anyone stupid enough (which includes most bots) to follow that link.



I presume you used that address for illustration. 192.168.0.0/16 can not have originated further away from you than your ISP. If it came from anywhere else it would have been dropped. 10.0.0.0/8, 172.12.0.0/12 and 192.168.0.0/16 are prohibited outside private networks.

"whois" is the tool of choice as suggested earlier. There are web sites that will run it for you if you don't have a "whois" on your system. Depending on the delegation, you might get some useful information, but you might not.

The other one to try is "traceroute" (or "tracert" for the M$ inclined). The list of routers in the output may help you cut down the possibilities.

dpastern
12-09-2009, 11:43 PM
I'm not a networking guy (hate it to be honest), but my understanding is that according to RFCs, 192.168.x.x was reserved for private IP only, no public addressing. There's no way an ISP would make a private IP range available publicly. I suck @ netmasks, so all I can remember is /24 being a standard 256 range. I don't think I've ever seen a /16 or /8 before, but then, I'm not the network guy @ work, that's Tony's role (or the boss's). They frig with the routers etc. I do the web hosting and hosted Exchange and complex DNS ;)

Dave

edit: for those curious on netmasks etc:

http://krow.net/dict/subnet.html

mithrandir
13-09-2009, 12:11 AM
The ISP won't advertise it into BGP, but it might be visible to customers. It's not good style, but looking at it from their perspective, they could be using private addresses for internal use only servers to save on public addresses that they have to pay for.

citivolus
13-09-2009, 01:41 AM
You can query the IP registries via whois, those registries being RIPE, APNIC, ARIN, etc, to find out who is delegated the address space. That is about as close as you will get if they have no reverse entry.

These are relatively expensive lookups, so I wouldn't by policy do a whois on every IP that hits your system.

Regards,
Eric

dpastern
13-09-2009, 10:51 AM
None of our PIP infrastructure is visible to anyone else on our network. I'd have to telnet into our core router (Redback) and go into the particular context for pings etc. to work. Or, set a modem up on the test line with the right IP addressing and subnet etc. etc. I really suck @ networking lol. Boss lent me an O'Reilly book on networking and Ciscos a year ago and I still haven't read it. Just puts me to sleep...

Dave

OneOfOne
13-09-2009, 11:12 AM
Sorry, the address I used was for illustration only. I had already closed my site stats window when I thought of asking you guys for some ideas. I checked the stats this morning and had 4 visits on Saturday with no lookup:

65.19.129.18
221.12.147.80
124.150.105.239
74.222.4.74

I use WebYield.net for my lookup, I tried DomainTools the other day and I got less resolved addresses than with WebYield.

I also had one from a site with a .ru extension and one .mx, neither of which are probably more than someone looking for email addresses.

Starkler
13-09-2009, 01:27 PM
Dshield site gives:

OrgName: Hurricane Electric, Inc.
OrgID: HURC
Address: 760 Mission Court
City: Fremont
StateProv: CA
PostalCode: 94539
Country: US

http://www.dshield.org/indexd.html

snowyskiesau
13-09-2009, 03:34 PM
I was able to resolve all of these IPs using 'dig' (I'm a Linux user). A 'whois' gives varying levels of information for the domains in question. The least information was provided on the last IP address - 74.222.4.74
To do the whois lookup, I changed the last digit to 0.

dpastern
13-09-2009, 04:35 PM
nslookup will do similar to dig, although it's deprecated in favour of dig by all accounts. Optus looking glass might be of use:

http://looking-glass.optus.net.au/

Dave

mithrandir
13-09-2009, 07:36 PM
My personal opinions on some of those:

65.19.129.18 - is in 65.19.128.0/18 assigned to Hurricane Electric. Large parts of their network are blocked but this piece is not. Their abuse admin leaves a lot to be desired. This particular address is in a /28 reassigned to someone with an Italian management phone number.

221.12.147.80 - all of China is blocked. No correspondence will be entered into.

124.150.105.239 - is in 124.150.0.0/17 assigned to iiNet and appears to be reassigned to WestNet with an Adelaide management address. I have no record of problems from their network.

74.222.4.74 - is in 74.222.0.0/19 assigned to Vrtservers (California). I have no record of problems from their network.

Changing the last digit to get whois to work may be misleading. Addresses may be reassigned on smaller boundaries than that. For example, if you applied that to 65.19.129.18 giving 65.19.129.0 you would be looking up a different allocation because the .18 block starts at .16
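An added example of my own, not code from any poster in this thread, tying together three points made above: that a private address (RFC 1918 reserves 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16) seen in a public web log cannot have crossed the internet; that zeroing the last octet to get whois to answer can land you in a neighbouring allocation when blocks are assigned on boundaries smaller than a /24; and that if you firewall an allocation rather than a single IP you need the CIDR from the whois reply, not the address. The whois text below is constructed in ARIN's layout from the organisation and /18 quoted in this thread and is not a real capture; reverse_name needs network access and is only there to show how a missing PTR record surfaces as None.

```python
"""Classify a visitor IP, find its containing block, and pull the
allocation out of a whois reply. Example code for this thread, not any
poster's script."""
import ipaddress
import re
import socket

# RFC 1918 private space plus a few other blocks that never appear as a
# genuine source on the public internet. A hit here in a public server
# log means the traffic is local or the address is not the real origin.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8",                                      # loopback
    "169.254.0.0/16",                                   # link-local
    "100.64.0.0/10",                                    # CGNAT shared space
)]


def classify(ip_str):
    """Return 'non-routable' for private/local space, otherwise 'public'."""
    ip = ipaddress.ip_address(ip_str)
    return "non-routable" if any(ip in n for n in NON_ROUTABLE) else "public"


def block_start(ip_str, prefix_len):
    """Network address of the /prefix_len block that contains ip_str.
    The /28 holding 65.19.129.18 starts at .16, so "change the last
    digit to 0" would query a different block."""
    net = ipaddress.ip_network(f"{ip_str}/{prefix_len}", strict=False)
    return str(net.network_address)


def reverse_name(ip_str):
    """PTR lookup; None when the address has no reverse entry (needs DNS)."""
    try:
        return socket.gethostbyaddr(ip_str)[0]
    except (socket.herror, socket.gaierror):
        return None


# Constructed sample in ARIN whois layout, built from the organisation
# and /18 assignment quoted in this thread. Not a real whois capture.
SAMPLE_WHOIS = """\
NetRange:       65.19.128.0 - 65.19.191.255
CIDR:           65.19.128.0/18
NetName:        HURRICANE-4
OrgName:        Hurricane Electric, Inc.
OrgID:          HURC
Country:        US
"""


def allocation_from_whois(text):
    """CIDR block(s) named in a whois reply; ARIN may list several per line."""
    blocks = []
    for line in re.findall(r"^CIDR:\s*(.+)$", text, re.MULTILINE):
        for item in line.split(","):
            blocks.append(ipaddress.ip_network(item.strip()))
    return blocks


def in_allocation(ip_str, text):
    """True if ip_str falls inside an allocation listed in the whois text."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in b for b in allocation_from_whois(text))


if __name__ == "__main__":
    for addr in ("192.168.43.56", "65.19.129.18"):
        print(addr, classify(addr))
    print(block_start("65.19.129.18", 24), block_start("65.19.129.18", 28))
    print([str(b) for b in allocation_from_whois(SAMPLE_WHOIS)])
    print(in_allocation("74.222.4.74", SAMPLE_WHOIS))
```

Feed the real whois output into allocation_from_whois and the block it returns is what goes into the firewall rule; run block_start with the prefix length the reply gives you rather than assuming /24.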

OneOfOne
14-09-2009, 08:01 AM
Thanks for the information guys, I was expecting that most would be locations that were of a dubious nature. I have added the links to my favourites for alternate lookup.

mithrandir
14-09-2009, 08:41 AM
nslookup comes with Windows. To get "dig" you need to install the Windows port of ISC BIND



Another useful one for finding other blocks owned by the same provider is http://bgp.potaroo.net/

Short bash script for looking-glass. Run as "scriptname ipaddress":

#!/bin/bash
# Usage: scriptname ipaddress - opens the Optus looking-glass BGP query for $1 in a running Firefox
[ -z "$1" ] && { echo "usage: $0 ipaddress" >&2; exit 1; }
firefox -remote "openURL(http://looking-glass.optus.net.au/cgi-bin/nph-looking-glass.pl?query=bgp&addr=$1&BGP_Table=International&DIG_Table=ANY,new-tab)"

Windows cmd file version

@echo off
REM Usage: scriptname ipaddress - opens the Optus looking-glass BGP query for %1 in a running Firefox
cd path-to-firefox
firefox -remote "openURL(http://looking-glass.optus.net.au/cgi-bin/nph-looking-glass.pl?query=bgp&addr=%1&BGP_Table=International&DIG_Table=ANY,new-tab)"

Applied to 65.19.129.18 gives you AS6939

Once you know the AS number, you can use this one to get the BGP path from Telstra to the target. Run as "scriptname asnumber"

#!/bin/bash
# Usage: scriptname asnumber - opens the potaroo AS report for AS$1 as seen from Telstra (AS1221)
[ -z "$1" ] && { echo "usage: $0 asnumber" >&2; exit 1; }
firefox -remote "openURL(http://bgp.potaroo.net/cgi-bin/as-report?as=AS$1&view=1221,new-tab)"

or

@echo off
REM Usage: scriptname asnumber - opens the potaroo AS report for AS%1 as seen from Telstra (AS1221)
cd path-to-firefox
firefox -remote "openURL(http://bgp.potaroo.net/cgi-bin/as-report?as=AS%1&view=1221,new-tab)"

Applied to 6939 gives you a long list of adjacent networks and about 50 IP blocks advertised by Hurricane.

dpastern
14-09-2009, 01:45 PM
Good stuff Andrew.

Dave

snowyskiesau
14-09-2009, 03:06 PM
There's a website (http://www.ipaddresslocation.org/) that provides all sorts of IP related information.

The home page as given above should show your own IP address, ISP and physical location. I'd be interested in how accurate it is for you. For me, it correctly gave my suburb.

OneOfOne
14-09-2009, 07:39 PM
Yep, got me as Melbourne, I wasn't expecting it would guess Bentleigh :)

mithrandir
14-09-2009, 09:01 PM
It does not work with firefox 3.0.11 on linux. Something on that page makes firefox loop.

The page works with lynx and gets my location wrong by about the width of Sydney. The upstream transparent proxy and the traceroute it is probably doing might have something to do with that.

kustard
24-09-2009, 10:18 AM
If you're a sysadmin or you admin your own website and you find that you get a lot of email spammage coming to your site then you can set up what is called a Honeypot to catch and record spammers and botters.

The way it works is that you generate a file that is referenced in your HTML code but is hidden from view. A bot will scour a page for any links and run the hidden file. This file returns data to the honeypot site that contains information (such as the IP of the bot) and is used to then blacklist those IPs. Normal Google or search engine spiders are ignored.

The one I use at work and for my own domain is called ProjectHoneyPot (http://www.projecthoneypot.org/) and it has caught quite a few spammers hitting the work domains.
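As an added illustration of the honeypot approach described above, and of the fake-address CGI an earlier poster mentioned, here is a minimal trap of my own. It is not Project Honey Pot's script and not code from any poster: a link people never see is excluded from well-behaved crawlers through robots.txt, any fetch of it is logged with the client address, and the response is a set of plausible-looking addresses at the RFC 2606 reserved example domains so that later spam can be traced back to the harvester. The trap path, the domain list and the sample request are constructed for the example.

```python
"""Spam-trap page: hidden link, robots exclusion, hit logging, and fake
addresses. Example code for this thread, not Project Honey Pot's."""
import hashlib
import re
import time

TRAP_PATH = "/contact-list.cgi"            # hypothetical path; any unlisted one works
FAKE_DOMAINS = ("example.com", "example.net", "example.org")   # RFC 2606 reserved
EMAIL_RE = re.compile(r"^[A-Za-z0-9._+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def robots_txt():
    """Legitimate spiders obey this and never fetch the trap, so a hit on
    TRAP_PATH is a strong signal of a harvester ignoring robots.txt."""
    return f"User-agent: *\nDisallow: {TRAP_PATH}\n"


def hidden_link_html():
    """Anchor a human never sees; a link-scraping bot follows it anyway."""
    return (f'<a href="{TRAP_PATH}" style="display:none" rel="nofollow" '
            f'aria-hidden="true"></a>')


def fake_addresses(client_ip, count=5):
    """Deterministic per-IP set of syntactically valid addresses. Because
    they derive from the client IP, mail later sent to one of them
    identifies which harvester collected it."""
    out = []
    for i in range(count):
        digest = hashlib.sha256(f"{client_ip}:{i}".encode()).hexdigest()
        out.append(f"user{digest[:8]}@{FAKE_DOMAINS[i % len(FAKE_DOMAINS)]}")
    return out


def record_hit(environ, now=None):
    """Log record from a CGI/WSGI-style environ dict, or None when the
    request is not for the trap path."""
    if environ.get("PATH_INFO") != TRAP_PATH:
        return None
    return {
        "time": int(now if now is not None else time.time()),
        "ip": environ.get("REMOTE_ADDR", "-"),
        "ua": environ.get("HTTP_USER_AGENT", "-"),
        "referer": environ.get("HTTP_REFERER", "-"),
    }


def trap_response(environ):
    """(status, body) for a request; only trap hits get the bait list."""
    hit = record_hit(environ)
    if hit is None:
        return "404 Not Found", ""
    return "200 OK", "\n".join(fake_addresses(hit["ip"]))


def blocklist_from_hits(hits):
    """Unique source IPs from trap hits, ready for a firewall deny list."""
    return sorted({h["ip"] for h in hits if h is not None})


if __name__ == "__main__":
    # Constructed request from a harvester, not a captured one.
    req = {"PATH_INFO": TRAP_PATH, "REMOTE_ADDR": "221.12.147.80",
           "HTTP_USER_AGENT": "curl/7.19"}
    print(hidden_link_html())
    print(record_hit(req))
    print(trap_response(req)[1])
```

Wire record_hit into whatever serves TRAP_PATH, write the record to a log, and feed blocklist_from_hits into the firewall rule; keep the hidden link and the Disallow line in step so legitimate crawlers never trip it.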

jackyr
15-10-2009, 03:10 PM
Hi friends now a days its usefull to know about our ip details so that we could prevent the unwanted spam and other kind of malcious stuff which looks forward to attack us let me illustrate you in some more in detail once my computer was hacked and i was been asked for the ip address i searched through the web i got a site name http://www.ip-details.com/ip-search/ ehich hangs in the web with worthable details we can get our ip and we can test our internet speed to get a try with that...