And then we also have this one: http://www.cert.org/tech_tips/finding_site_contacts.html, a whole manual. I no longer remember where I got the text below, but I'm posting it anyway.

Title: Reporting probes/intrusion attempts from an IP address

Q: I've found log entries that show someone trying to hack my computer. How do I find where this system is and report it to their network admins?

A: If you are going to report an intrusion attempt or a system compromise, you need to first identify the site involved, perhaps their upstream network provider, and possibly include cert@cert.org and security@cac.washington.edu. The last two addresses you now have. It's the first ones that are not so obvious.

There are many ways that you can trace an IP address back to its originating network and then notify the proper people. This explanation will assume that you have access to a Uniform Access system where you can get to a command line shell. (These same utilities may exist on other systems; your mileage may vary, etc.)

WHEN THINGS GO RIGHT
====================

In most cases, an IP address can be turned into a Domain Name System (DNS) name, which gives the registered domain of the network that owns the system (or at least the IP address) in question. You can then use the "whois" program to determine the site contacts for that domain. (There are a number of "whois" databases. You may need to check more than one. In many of these examples, the ARIN database is chosen, represented by the command "whois.arin". Aliases that define these commands for the C shell are shown in Appendix A.)

Take the following log entries:

vic-6-39.tisd.net - - [08/Jul/1998:02:34:02 -0700] "GET /cgi-bin/phf" 500 -
vic-6-39.tisd.net - - [08/Jul/1998:02:34:17 -0700] "GET /cgi-bin/test-cgi" 403 -
vic-6-39.tisd.net - - [08/Jul/1998:02:34:25 -0700] "GET /cgi-bin/handler" 404 -

This person is trying to find holes in CGI scripts that will allow them to compromise a web server.
We can see that they are part of the "tisd.net" domain, so we can query for this directly:

=============================================================================
saul10% whois tisd.net

Registrant:
Testengeer Internet Services Division (TISD4-DOM)
   5500 Hwy 35 South
   Port Lavaca, Tx 77979
   us

   Domain Name: TISD.NET

   Administrative Contact:
      Joslyn, Neal  (NJ97)  nealj@TESTENGEER.COM
      512-552-7621
   Technical Contact, Zone Contact:
      Zamarripa, Phil  (PZ115)  philz@TESTENGEER.COM
      512-552-7621 (FAX) 512-552-6976
   Billing Contact:
      Joslyn, Neal  (NJ97)  nealj@TESTENGEER.COM
      512-552-7621

   Record last updated on 24-Jan-97.
   Record created on 24-Jan-97.
   Database last updated on 21-Aug-98 04:19:24 EDT.

   Domain servers in listed order:

   NS1.TISD.NET                 207.243.120.10
   NS2.TISD.NET                 207.243.120.20

The InterNIC Registration Services database contains ONLY
non-military and non-US Government Domains and contacts.
Other associated whois servers:
   American Registry for Internet Numbers - whois.arin.net
   European IP Address Allocations - whois.ripe.net
   Asia Pacific IP Address Allocations - whois.apnic.net
   US Military - whois.nic.mil
   US Government - whois.nic.gov
=============================================================================
From this we can gather the contact information directly and let Neal Joslyn and Phil Zamarripa know that they probably have a problem with one of their systems. Assuming this email address is correct, you are done.

WHEN THINGS GO WRONG
====================
In other cases, the system may not have a DNS name, so you must identify the system by the network on which it resides. Or you may find that the domain has no "whois" entry in the database where you did the search and you have to search another database. Or you may find that the domain has no registration at all, so you must search by the network number. Or you may find that it *does* have an entry, but the contact address and/or phone number are invalid and you must search for the "upstream" Internet service provider (ISP) and try to contact them instead.

Consider the following log entry:

206.49.41.34 - - [1998-08-20 06:59:04] "GET /cgi-bin/phf/?Qalias=x%ff/bin/cat %20/etc/passwd" 400 633

This is someone trying to exploit a hole in the "phf" CGI program in a web server to get a copy of the system's password file, an obvious attempt to break into the system (there is no legitimate reason to get the system's password file through a web server).

First, try to do a reverse DNS name lookup. A reverse name lookup, as it sounds, asks the question "what is the DNS name associated with this IP address?" instead of the normal question "what is the IP address associated with this DNS name?" A reverse name lookup can be done with "nslookup" (installed on most versions of Unix), but you need to form a complicated reverse DNS name yourself. This is hard (or at least hard to remember), so Uniform Access systems have a command named "domain" that does this for you.

=============================================================================
saul5% domain 206.49.41.34
There is no domain 34.41.49.206.in-addr.arpa
=============================================================================

(Note: "34.41.49.206.in-addr.arpa" is the complicated reverse DNS name.)
Next, try a direct whois lookup of the IP address, like this:

=============================================================================
saul10% whois.arin 206.49.41.34
Sprint International (NETBLK-NETBLK-GSL-BLKB) NETBLK-GSL-BLKB 206.49.0.0 - 206.49.255.255
Telemultimedia (NETBLK-GSL-TMM)               GSL-TMM         206.49.40.0 - 206.49.43.255

To single out one record, look it up with "!xxx", where xxx is the
handle, shown in parenthesis following the name, which comes first.

The ARIN Registration Services Host contains ONLY Internet
Network Information: Networks, ASN's, and related POC's.
Please use the whois server at rs.internic.net for DOMAIN related
Information and nic.mil for NIPRNET Information.
=============================================================================

This will often lead to the site contact information directly, or, as in this case, to the network that owns this address plus the upstream provider. You can then do a lookup via the identifier in parentheses, "whois.arin NETBLK-GSL-TMM" in this case.
Another way to get there is to identify the upstream network provider using the "traceroute" command:

=============================================================================
saul10% traceroute 206.49.41.34
traceroute to 206.49.41.34 (206.49.41.34), 30 hops max, 40 byte packets
 1  iron-V17.cac.washington.edu (140.142.83.100)  1 ms  1 ms  1 ms
 2  uwbr2-FE5-1-0.cac.washington.edu (140.142.154.24)  3 ms  1 ms  1 ms
 3  seabr2-gw.nwnet.net (204.200.8.6)  3 ms  2 ms  2 ms
 4  wes-core2-HSSI6-0-0.nw.verio.net (198.104.194.50)  1 ms  2 ms  2 ms
 5  sl-gw5-sea-11-0.sprintlink.net (144.228.97.17)  3 ms  3 ms  2 ms
 6  sl-bb11-sea-4-3.sprintlink.net (144.232.6.61)  3 ms  2 ms  2 ms
 7  sl-bb5-sea-4-0-0.sprintlink.net (144.232.6.6)  2 ms  2 ms  2 ms
 8  sl-bb7-dc-1-1-0.sprintlink.net (144.232.8.121)  56 ms  57 ms  55 ms
 9  sl-bb11-rly-4-2.sprintlink.net (144.232.7.181)  56 ms  56 ms  56 ms
10  sl-bb1-dc-11-0-0.sprintlink.net (144.232.7.134)  57 ms  57 ms  59 ms
11  gip-dc-3-fddi0-0.gip.net (204.59.144.197)  57 ms  59 ms  58 ms
12  204.59.225.94 (204.59.225.94)  688 ms  643 ms  645 ms
13  200.0.148.11 (200.0.148.11)  723 ms  652 ms  771 ms
14  206.49.41.34 (206.49.41.34)  749 ms  958 ms  760 ms
=============================================================================

This shows that the last "hop" on the network before reaching this system is from the address 200.0.148.11. We will now look this network up:

=============================================================================
saul10% whois.arin 200.0.148.11
TELEMULTIMEDIA S.A. (NETBLK-CYBERNET-CHILE)
   Jorge Matte 2098
   Providencia
   Santiago - Chile

   Netname: CYBERNET-CHILE
   Netblock: 200.0.148.0 - 200.0.149.0

   Coordinator:
      Abuauad, Cesar  (CA105-ARIN)  cybernet@REUNA.CL
      56-2-2047081

   Record last updated on 17-Apr-95.
   Database last updated on 21-Aug-98 16:14:30 EDT.

The ARIN Registration Services Host contains ONLY Internet
Network Information: Networks, ASN's, and related POC's.
Please use the whois server at rs.internic.net for DOMAIN related
Information and nic.ddn.mil for MILNET Information.
=============================================================================

Either way, you now send your report to Cesar Abuauad in Chile, but you get the following back a little while later:

=============================================================================
Reply-to: Postmaster <postmaster@huelen.reuna.cl>
From: Mail Delivery System <Mailer-Daemon@reuna.cl>
To: user@site.being.hacked
Subject: Mail delivery failed: returning message to sender
Date: Thu, 20 Aug 1998 19:51:14 -0400

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to all of its recipients.
The following address(es) failed:

  cybernet@REUNA.CL:
    unknown local-part "cybernet" in domain "reuna.cl"
...
=============================================================================

The address is not valid. Great.

The next step would be to go upstream one more level and see who manages *that* network and report to them (and ask them to convince the downstream to update their contact records as well). The next hop up the route was 204.59.225.94:

=============================================================================
...
10  sl-bb1-dc-11-0-0.sprintlink.net (144.232.7.134)  57 ms  57 ms  59 ms
11  gip-dc-3-fddi0-0.gip.net (204.59.144.197)  57 ms  59 ms  58 ms
12  204.59.225.94 (204.59.225.94)  688 ms  643 ms  645 ms
13  200.0.148.11 (200.0.148.11)  723 ms  652 ms  771 ms
...
=============================================================================

Trying this network address returns:

=============================================================================
Sprint International (NETBLK-SI-CIDR-1)
   12490 Sunrise Valley Drive
   Reston, VA 22096

   Netname: SI-CIDR-1
   Netblock: 204.59.0.0 - 204.59.255.0
   Maintainer: SPRN

   Coordinator:
      Administration, Dns  (DA74-ARIN)  dns-admin@GIP.NET
      (703)689-6300

   Domain System inverse mapping provided by:

   NS1.GIP.NET                  204.59.144.222
   NS2.GIP.NET                  204.59.1.222
   NS3.GIP.NET                  204.59.64.222

   Record last updated on 16-Jun-98.
   Database last updated on 21-Aug-98 16:14:30 EDT.

The ARIN Registration Services Host contains ONLY Internet
Network Information: Networks, ASN's, and related POC's.
Please use the whois server at rs.internic.net for DOMAIN related
Information and nic.ddn.mil for MILNET Information.
=============================================================================

You might then contact "dns-admin@gip.net" to see if they can get you in contact with the end network, or try looking them up to get more contact information on GIP.NET:

=============================================================================
saul10% whois.arin gip.net
No match for "GIP.NET".

%%%%%%%%%%%%%%%%%%% NO MATCH TIP %%%%%%%%%%%%%%%%%%%%%%%%
%                                                       %
% ALL OF THE POINT OF CONTACT HANDLES IN THE ARIN       %
% WHOIS END WITH "-ARIN", IF YOU ARE QUERYING A POINT   %
% OF CONTACT HANDLE PLEASE ADD -ARIN TO YOUR QUERY.     %
%                                                       %
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

The ARIN Registration Services Host contains ONLY Internet
Network Information: Networks, ASN's, and related POC's.
Please use the whois server at rs.internic.net for DOMAIN related
Information and nic.ddn.mil for MILNET Information.
=============================================================================

No record in the ARIN database this time.
Let's try the default:

=============================================================================
saul10% whois gip.net

Registrant:
Global One Communications L.L.C. (GIP3-DOM)
   12490 Sunrise Valley Dr.
   Reston, VA 22096

   Domain Name: GIP.NET

   Administrative Contact, Technical Contact, Zone Contact:
      Administration, DNS  (DA973)  dns-admin@GIP.NET
      (703)689-6300
   Billing Contact:
      International, Sprint  (SI53)  billing@GSL.NET
      703 689-6000

   Record last updated on 15-Jun-98.
   Record created on 28-Jun-96.
   Database last updated on 21-Aug-98 04:19:24 EDT.

   Domain servers in listed order:

   NS1.GIP.NET                  204.59.144.222
   NS2.GIP.NET                  204.59.1.222
   NS3.GIP.NET                  204.59.64.222

The InterNIC Registration Services database contains ONLY
non-military and non-US Government Domains and contacts.
Other associated whois servers:
   American Registry for Internet Numbers - whois.arin.net
   European IP Address Allocations - whois.ripe.net
   Asia Pacific IP Address Allocations - whois.apnic.net
   US Military - whois.nic.mil
   US Government - whois.nic.gov
=============================================================================
This time we do find an answer. Now you have another address to send the report to, "billing@GSL.NET". These may or may not reach the right people, so you may have to try several times to eventually get the report to the right place.

The tactics are the same in all cases:

1). If you can identify the domain directly, try to search for contacts using that domain.

2). If you can't identify the site contacts by domain name, try to identify them by network address.

3). If you aren't finding anything in one whois database, try another one. Pay attention to the alternate server names and comments that the servers return. Using the ISO country code in a host name helps you guess which server you should query.

4). If you can't find a contact for the end site, use "traceroute" and walk up the network provider chain until you do find someone who can get the report to the right place.

5). If all else fails (and you are a UW faculty/staff/student), send email to nic@cac.washington.edu and let the experts' fingers do the walking.

Appendix A.
The following is a list of whois databases, using C shell aliases to define a command for each, useful for checking for domain contact information. A suggested order for alternatives (if the main InterNIC database does not contain records) is: ARIN (US and some other countries), RIPE (Europe), and APNIC (Asia/Pacific region).

alias whois.arin      'whois -h whois.arin.net'
alias whois.us        'whois -h rs.internic.net'
alias whois.us.new    'whois -h whois.internic.net'
alias whois.ddn       'whois -h nic.ddn.mil'
alias whois.ra        'whois -h whois.ra.net'
alias whois.australia 'whois -h archie.au'
alias whois.ripe      'whois -h whois.ripe.net'
alias whois.japan     'whois -h whois.nic.ad.jp'
alias whois.italy     'whois -h whois.nis.garr.it'
alias whois.sweden    'whois -h whois.sunet.se'
alias whois.lac       'whois -h whois.lac.net'
alias whois.apnic     'whois -h whois.apnic.net'
alias whois.mil       'whois -h whois.nic.mil'
alias whois.eu        'whois -h whois.eu.org'
alias whois.finland   'whois -h whois.funet.fi'
alias whois.uk        'whois -h whois.nic.uk'

NOTE: These server hosts are subject to change and unavailability.
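The procedure above (pick the probe out of the log, build the reverse DNS name, find the most specific netblock and its contact in the whois answer, and walk back up the traceroute) is mechanical enough to script. The block below is an added example, not part of the reposted manual or any UW tool: it runs offline on constructed sample text taken from the examples above (the whois and traceroute text is abridged), so the `whois -h` and `traceroute` calls are left to you. The netblock regex matches the 1998-era ARIN line format shown above; live ARIN output uses a different layout today, so that pattern is an assumption you would adjust.

```python
"""Triage a web-server access-log line the way the text above does.
Everything below runs offline: the sample log lines, whois answer and
traceroute are constructed from the examples in the text (abridged)."""
import ipaddress
import re

# Constructed samples (copied/abridged from the text above).
LOG_LINES = [
    'vic-6-39.tisd.net - - [08/Jul/1998:02:34:02 -0700] "GET /cgi-bin/phf" 500 -',
    '206.49.41.34 - - [1998-08-20 06:59:04] '
    '"GET /cgi-bin/phf/?Qalias=x%ff/bin/cat %20/etc/passwd" 400 633',
    '10.0.0.5 - - [20/Aug/1998:07:00:00 -0700] "GET /index.html" 200 1024',
]
WHOIS_ARIN = """\
Sprint International (NETBLK-NETBLK-GSL-BLKB) NETBLK-GSL-BLKB 206.49.0.0 - 206.49.255.255
Telemultimedia (NETBLK-GSL-TMM) GSL-TMM 206.49.40.0 - 206.49.43.255
"""
TRACEROUTE = """\
traceroute to 206.49.41.34 (206.49.41.34), 30 hops max, 40 byte packets
 1  iron-V17.cac.washington.edu (140.142.83.100)  1 ms  1 ms  1 ms
 9  * * *
11  gip-dc-3-fddi0-0.gip.net (204.59.144.197)  57 ms  59 ms  58 ms
12  204.59.225.94 (204.59.225.94)  688 ms  643 ms  645 ms
13  200.0.148.11 (200.0.148.11)  723 ms  652 ms  771 ms
14  206.49.41.34 (206.49.41.34)  749 ms  958 ms  760 ms
"""

# Request paths the text treats as CGI vulnerability probes.
PROBE_PATHS = ("/cgi-bin/phf", "/cgi-bin/test-cgi", "/cgi-bin/handler")

# Common log format: host ident user [time] "request" status ...
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[[^\]]*\] "(?P<request>[^"]*)" (?P<status>\d{3})')
# 1998-era ARIN summary line: Org (HANDLE) NETNAME start - end  (assumption, see lead-in)
NETBLK_RE = re.compile(r'^(?P<org>.+?) \((?P<handle>[^)]+)\) \S+ (?P<start>[\d.]+) - (?P<end>[\d.]+)\s*$')
# traceroute hop: "N  name (a.b.c.d) ..."; '* * *' timeouts have no address and are skipped
HOP_RE = re.compile(r'^\s*(?P<hop>\d+)\s+\S+ \((?P<ip>[\d.]+)\)')


def parse_log_line(line):
    """Return host, request path, status and whether it looks like a CGI probe."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = m.group("request").split(" ")  # "GET /path ..." -> path is the 2nd token
    path = parts[1] if len(parts) > 1 else ""
    return {"host": m.group("host"), "path": path, "status": int(m.group("status")),
            "probe": any(path.startswith(p) for p in PROBE_PATHS)}


def is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def reverse_name(ip):
    """The in-addr.arpa (or ip6.arpa) name a PTR lookup asks for."""
    return ipaddress.ip_address(ip).reverse_pointer


def most_specific_netblock(whois_text, ip):
    """Of all allocations covering `ip`, keep the smallest one: that is the
    end network, and its handle is what you query with '!HANDLE'."""
    addr = int(ipaddress.ip_address(ip))
    best = None
    for line in whois_text.splitlines():
        m = NETBLK_RE.match(line)
        if not m:
            continue
        start = int(ipaddress.ip_address(m.group("start")))
        end = int(ipaddress.ip_address(m.group("end")))
        if start <= addr <= end and (best is None or end - start < best["size"]):
            best = {"org": m.group("org"), "handle": m.group("handle"),
                    "range": f"{m.group('start')} - {m.group('end')}", "size": end - start}
    return best


def upstream_hops(traceroute_text, target):
    """Hop addresses before `target`, nearest to it first: the order in which
    the text walks 'up the network provider chain' when a contact bounces."""
    hops = [m.group("ip") for m in map(HOP_RE.match, traceroute_text.splitlines()) if m]
    if target in hops:
        hops = hops[:hops.index(target)]
    return hops[::-1]


def triage(line, whois_text, traceroute_text):
    """Combine the steps for one log line; None when it is not a probe."""
    entry = parse_log_line(line)
    if entry is None or not entry["probe"]:
        return None
    host = entry["host"]
    result = {"host": host, "path": entry["path"]}
    if is_ip(host):
        result["reverse_name"] = reverse_name(host)
        result["netblock"] = most_specific_netblock(whois_text, host)
        result["upstream"] = upstream_hops(traceroute_text, host)
    else:
        # Logged as a name: whois the registered domain. Last two labels is a
        # heuristic that is wrong for registries like co.uk.
        result["domain"] = ".".join(host.split(".")[-2:])
    return result


if __name__ == "__main__":
    for line in LOG_LINES:
        print(triage(line, WHOIS_ARIN, TRACEROUTE))
```

Two caveats worth keeping in mind when you use this for real. On a current system `host 206.49.41.34` or `dig -x 206.49.41.34` does what the `domain` command above does, and the regional registries also serve allocation data with an explicit abuse contact over RDAP (for ARIN, https://rdap.arin.net/registry/ip/206.49.41.34), which is the address to report to rather than a billing or DNS admin contact. A PTR record is set by whoever controls the address block, so reverse DNS tells you who to contact, not who the attacker is; and a traceroute hop is a routing neighbour, which is usually but not always the responsible provider.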