Subject:
From:
David Gillett <[log in to unmask]>
Reply To:
PCSOFT - Personal Computer software discussion list <[log in to unmask]>
Date:
Fri, 8 Mar 2002 23:10:57 -0800
Content-Type:
text/plain
Parts/Attachments:
text/plain (54 lines)
On 8 Mar 2002, at 16:07, A&C Thompson wrote:

> Hi all,
>
> I guess I'm just brain-dead this week! When I get an alert in Zone
> Alarm that someone tried to connect to my machine, I copy the IP#
> and paste it at http://www.mse.co.jp/ip_domain/index_e.shtml
>
> However, this rarely tells me anything that I can make sense of -
> I guess I just don't know how to interpret the info.
>
> Can someone offer a better IP or Whois search site, and explain
> how to use it to get understandable info? For example, telling me
> that it's a NTCBLK from Korea does nothing for me, but telling me
> it's a porn site with a name would be far more useful. (Not that
> moi ever visits porn sites! ;-) Thanks in advance for any
> suggestions, and forgive my brain-dead questions!
>
> Al Thompson


> ....  For example, telling me that it's a NTCBLK from Korea does
> nothing for me, but telling me it's a porn site with a name would
> be far more useful.

  Well, first of all, depending on the exact kind of traffic you've
caught, the source address might or might not reflect the actual
origin of the packets.

  If it *does* accurately tell you what machine sent them, odds are
that it will be an already-hacked machine belonging to someone who
has no idea that they're even vulnerable.  (This is far more likely
than that this is really the attacker's own machine.)
  If it *is* the hacker's own machine, the IP address is likely to be
a semi-random dynamic address issued to a dial-up session, rather
than a static address assigned to the attacker.  This means that your
only hope of tracking down the specific user/machine is with the
cooperation of the dial-up ISP -- and even then, you'd have to hope
that the attacker is using his own dial-up account, rather than an
account and password he has obtained from somewhere else.

  If the traffic came from a compromised machine, that machine
*might* be a poorly-secured web server.  A reverse DNS query,
however, is going to give you only one name for the machine, and not
a list of all the web sites that might happen to be hosted on it.
Some of those *might* be porn, but there's no way to find that out
(for certain) from the IP address.

David Gillett

                         PCSOFT's List Owners:
                      Bob Wright<[log in to unmask]>
                       Drew Dunn<[log in to unmask]>
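The triage logic in David's reply (an unroutable source is spoofed or local, a connectionless or unanswered packet carries an unverifiable source, and only a completed TCP handshake proves the sender held the address), expressed as an added Python example that is not part of the original thread. The `Alert` record and the sample alerts are constructed here; a real personal firewall log would have to be parsed into this shape first.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Alert:
    """One blocked-connection alert (constructed shape, not a firewall's own format)."""
    src_ip: str
    proto: str           # "TCP", "UDP" or "ICMP"
    established: bool    # True only if a full TCP handshake completed


def source_is_unroutable(ip):
    """Addresses that cannot arrive from the Internet: spoofed, or from the local LAN."""
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def triage(alert):
    """Say how much the source address of an alert can be trusted."""
    ip = ipaddress.ip_address(alert.src_ip)
    if source_is_unroutable(ip):
        # Nothing to look up: no ISP or whois record can explain this address.
        return "unroutable-source"
    if alert.proto in ("UDP", "ICMP") or not alert.established:
        # A single UDP/ICMP datagram or an unanswered SYN can carry any source
        # address the sender likes; whois only tells you whose range it sits in.
        return "unverified-source"
    # The sender had to receive our SYN-ACK, so it really holds this address,
    # which is most likely a compromised host or a dynamic dial-up lease.
    return "verified-sender"


def next_step(verdict):
    """Defender's follow-up for each verdict, following the reply's reasoning."""
    return {
        "unroutable-source": "ignore; check the local network instead",
        "unverified-source": "log it; the address cannot be attributed",
        "verified-sender": "report to the ISP abuse contact from whois",
    }[verdict]


if __name__ == "__main__":
    samples = [                       # constructed sample alerts
        Alert("192.168.1.5", "UDP", False),
        Alert("8.8.8.8", "TCP", False),
        Alert("8.8.8.8", "TCP", True),
    ]
    for a in samples:
        v = triage(a)
        print(a.src_ip, a.proto, v, "->", next_step(v))
```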
