32

We were contacted by our ISP saying that one of our servers was issuing an attack on another computer.

May 23 14:11:35 wdc lfd[14308]: *Port Scan* detected from ***.***.***.***
(US/United States/-). 11 hits in the last 245 seconds - *Blocked in csf* for
3600 secs [PS_LIMIT]

I don't know what it means, but our server is a factory image, with only a couple programs running.

I would like to know the domain, but don't know how to look it up.

7 Answers

32

Use nslookup

For example, let's find the domain for 207.46.19.254

C:\>nslookup -type=PTR 254.19.46.207.in-addr.arpa
Non-authoritative answer:
254.19.46.207.in-addr.arpa      name = wwwbaytest2.microsoft.com

Note that you reverse the order of the four numbers and append .in-addr.arpa

Remember that an IP-address may have multiple domains, and that the administrators do not always (but mostly should) set up the reverse mappings in DNS.

1
15

Two things you can do. One is reverse DNS lookup.

dig -x x.x.x.x

You can also use geoiplookup to find the general area of the source.

4

Wouldn't the ping -a command also work?

That is, ping -a insert IP address here. It's not always successful though, but it's likely the easiest method.

2

Both of the following commands are OK!

208.97.177.124 => apache2-argon.william-floyd.dreamhost.com

nslookup -type=PTR 208.97.177.124 in-addr.arpa

nslookup -type=PTR 208.97.177.124

nslookup 208.97.177.124

However, this command is NOT right!

208.97.177.124 => CPE-124-177-97-208.lns6.cha.bigpond.net.au

nslookup -type=PTR 208.97.177.124.in-addr.arpa

Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

G:\JavaScript Testing>nslookup -type=PTR 208.97.177.124.in-addr.arpa
Server:  phicomm.me
Address:  192.168.2.1

Non-authoritative answer:
208.97.177.124.in-addr.arpa     name = CPE-124-177-97-208.lns6.cha.bigpond.net.au

G:\JavaScript Testing>nslookup -type=PTR 208.97.177.124
Server:  phicomm.me
Address:  192.168.2.1

Non-authoritative answer:
124.177.97.208.in-addr.arpa     name = apache2-argon.william-floyd.dreamhost.com

G:\JavaScript Testing>nslookup -type=PTR 208.97.177.124 in-addr.arpa
*** Can't find server address for 'in-addr.arpa':
Server:  phicomm.me
Address:  192.168.2.1

Non-authoritative answer:
124.177.97.208.in-addr.arpa     name = apache2-argon.william-floyd.dreamhost.com

G:\JavaScript Testing>

reference links:

https://ist.mit.edu/network/ip
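The accepted answer gives the rule (reverse the four octets, append .in-addr.arpa) and the answer above shows what happens when the octets are not reversed: the query still returns a PTR record, but for a different address. The following script is an added example, not code from any answer on this page. It builds the PTR name with the standard library (`ipaddress.ip_address(...).reverse_pointer`, which also handles IPv6 and ip6.arpa), decodes a PTR name back to the address it really refers to so a hand-built name can be sanity-checked, and does the live lookup plus the forward-confirmation step that the caveat about missing or arbitrary reverse mappings calls for. The two network-using functions need connectivity and are not exercised by the offline checks; the addresses used in the demo are the ones quoted in the answers above.

```python
# Added example (not from any answer on this page): build PTR names the way
# the accepted answer describes, decode them back, and do a live lookup.
import ipaddress
import socket
from typing import Optional


def reverse_pointer(ip: str) -> str:
    """PTR query name for an IPv4 or IPv6 address.

    IPv4: the four octets reversed, then '.in-addr.arpa'
    (207.46.19.254 -> 254.19.46.207.in-addr.arpa).
    IPv6: the 32 hex nibbles reversed, then '.ip6.arpa'.
    """
    return ipaddress.ip_address(ip).reverse_pointer


def pointer_to_ip(name: str) -> str:
    """Recover the address a PTR name actually refers to (inverse of above).

    Use it to check a hand-built name: appending .in-addr.arpa to the octets
    in their original order gives a valid name, but it names a different
    address than the one you meant to look up.
    """
    name = name.rstrip(".").lower()
    if name.endswith(".in-addr.arpa"):
        labels = name[: -len(".in-addr.arpa")].split(".")
        if len(labels) != 4:
            raise ValueError("IPv4 PTR name needs exactly four octet labels")
        return str(ipaddress.IPv4Address(".".join(reversed(labels))))
    if name.endswith(".ip6.arpa"):
        nibbles = name[: -len(".ip6.arpa")].split(".")
        if len(nibbles) != 32:
            raise ValueError("IPv6 PTR name needs exactly 32 nibble labels")
        return str(ipaddress.IPv6Address(int("".join(reversed(nibbles)), 16)))
    raise ValueError(f"{name!r} is not an in-addr.arpa / ip6.arpa name")


def ptr_lookup(ip: str) -> Optional[str]:
    """Live reverse lookup through the system resolver (needs network).

    Returns None when no PTR record is published, which is common.
    """
    try:
        hostname, _aliases, _addrs = socket.gethostbyaddr(ip)
        return hostname
    except (socket.herror, socket.gaierror):
        return None


def forward_confirmed(ip: str) -> Optional[str]:
    """Forward-confirmed reverse DNS (needs network).

    Reverse-resolve the IP, then resolve that hostname forward and keep it
    only if the original IP is among its addresses. Whoever controls the
    reverse zone can publish any PTR name they like, so a bare PTR answer is
    a hint, not an identity; the forward check ties the name to the address.
    """
    ip = str(ipaddress.ip_address(ip))  # canonical form for comparison
    hostname = ptr_lookup(ip)
    if hostname is None:
        return None
    try:
        forward = {info[4][0] for info in socket.getaddrinfo(hostname, None)}
    except socket.gaierror:
        return None
    return hostname if ip in forward else None


if __name__ == "__main__":
    for addr in ("207.46.19.254", "208.97.177.124", "2001:db8::1"):
        print(addr, "->", reverse_pointer(addr))
    # The un-reversed name from the answer above refers to another host:
    print("208.97.177.124.in-addr.arpa names",
          pointer_to_ip("208.97.177.124.in-addr.arpa"))
    # Live checks (only meaningful with network access):
    print("PTR:", ptr_lookup("208.97.177.124"))
    print("forward-confirmed:", forward_confirmed("208.97.177.124"))
```

Decoding `208.97.177.124.in-addr.arpa` yields `124.177.97.208`, which matches the `CPE-124-177-97-208` hostname in the transcript above: the resolver answered honestly, just for the wrong address. For an incident like the one in the question, the forward-confirmed name is the one worth recording, since an unconfirmed PTR can say anything its zone owner wants.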

1
1

ARIN WHOIS is probably the default goto for resolving IPs to the registered names, although I use SANS often also. The search box on both sites is in the upper right corner.
This will only resolve domain names on the internet, not internal domain names you may be looking for.

3
  • I think you meant to pop that comment next to my answer about how the issue could be with any computer behind a NAT router - but now that you have said that NAT's not involved, I've deleted my answer. Hope you manage to track down this issue.
    – Linker3000
    Commented May 23, 2011 at 19:05
  • Ah - you've now moved your remark next to my deleted answer!!! I think we're playing cat and mouse!!! I'll leave my comments though so that everyone sees that NAT is not involved.
    – Linker3000
    Commented May 23, 2011 at 19:07
  • If you have the WAN IP address from your ISP does this not relate to a specific server?
    – Linker3000
    Commented May 23, 2011 at 19:10
0

A whois from the command line gets me quite a lot of information, or you can always try a Network Lookup or Whois at www.nwtools.com

0

You can also use the host command (tested on Linux): host -a 1.2.3.4
