
Can you trace an IP address?

04-06-2006, 8:23 PM   #1
PJTX100 (Conspicuous Member)
Join Date: Dec 2004
Experience Points: 16,232, Level: 30
Activity: 1.1%
Thanks: Gave 402, Got 566
Posts: 8,102

For all you computer geniuses out there...

It looks as if someone has been running some sort of hacking script today on a server I help to look after because it's tried 15000 times unsuccessfully to find a valid user account and password. I have an IP address of the source but nothing else.

Is there much I can find out about the perpetrator from an IP address?
04-06-2006, 8:27 PM   #2
Reign-Mack (Senior Member)
Join Date: Dec 2005
Location: Central London
Experience Points: 11,029, Level: 25
Activity: 0%
Blog Entries: 1
Thanks: Gave 1,264, Got 219
Posts: 2,199
http://www.dnsstuff.com/
04-06-2006, 8:28 PM   #3
Ex Member
Join Date: Nov 2004
Experience Points: 29,695, Level: 42
Activity: 0%
Thanks: Gave 69, Got 316
Posts: 9,729
You need a "Whois" lookup. The one I use is the one on the Demon Tools Pages but there are lots of others.

The IP address could lead you to a block held by a major ISP, in which case you would have to lodge a complaint with the ISP, giving details of the transgressions and the times that they occurred.
04-06-2006, 8:29 PM   #4
retired member
Join Date: Oct 2004
Experience Points: 21,535, Level: 35
Activity: 0%
Thanks: Gave 4, Got 217
Posts: 3,355
I use Visual Route personally - but there are several programs out there.
04-06-2006, 8:31 PM   #5
Digger (Prominent Member)
Join Date: Dec 2003
Location: World Wide Supermarket
Experience Points: 8,197, Level: 21
Activity: 0%
Thanks: Gave 232, Got 200
Posts: 3,926
If there is not one, consider getting a hardware firewall to trap and log the ports targeted. Contact the ISP and get them involved, assuming it's a business that's being targeted... probably nothing they can do though.
04-06-2006, 8:34 PM   #6
PJTX100 (Conspicuous Member)
Join Date: Dec 2004
Experience Points: 16,232, Level: 30
Activity: 1.1%
Thanks: Gave 402, Got 566
Posts: 8,102
Thanks everyone. Looks like it originated in the US. My money was on the Eastern Bloc.
04-06-2006, 9:19 PM   #7
Dom996 (Senior Member)
Join Date: Jun 2005
Experience Points: 4,125, Level: 15
Activity: 0%
Thanks: Gave 24, Got 37
Posts: 1,048
Very difficult to trace on two (and more) levels:

One: ISPs need to be competitive, so they don't really want to annoy customers. Oh, of course that is unless they are caning bandwidth!!

Two: Many IPs are still dynamic, i.e. change on a regular basis, and let's not go into proxies.....
04-06-2006, 10:05 PM   #8
Knyght_byte (Distinguished Member)
Join Date: Nov 2004
Location: Harrow, NW London
Experience Points: 22,867, Level: 36
Activity: 3.8%
Thanks: Gave 96, Got 655
Posts: 10,905
I used to use a ping tool years ago; it was amazingly efficient at getting through things..... sadly it was only a 15-day demo....... It was quite effective as it basically ignored firewalls etc. and could locate the area easily...... it couldn't give you any more information though...... that was the downside..... Can't remember what it was called. Not sure how it would stand up to more recent network/ISP setups though; this was about 3 years ago....
05-06-2006, 5:56 AM   #9
Ian J (Eminent Member)
Join Date: Aug 2001
Location: Midlands
Experience Points: 71,654, Level: 65
Activity: 0.8%
Blog Entries: 3
Thanks: Gave 3,114, Got 4,720
Posts: 23,949
Quote:
Originally Posted by Dom996
let's not go into proxies.....

Especially on AV Forums eh Dom
05-06-2006, 9:52 AM   #10
Ethics Gradient (Ex Member)
Join Date: Jul 2003
Location: aka Billy Science - Suni ojna Tas
Experience Points: 15,477, Level: 30
Activity: 0%
Thanks: Gave 48, Got 445
Posts: 3,681
Quote:
Originally Posted by PJTX100
Thanks everyone. Looks like it originated in the US. My money was on the Eastern Bloc.
There is no guarantee that it isn't.

You are only seeing the traces between the box he is trying to connect to you from and you ... i.e. the packet routing between machine X on the internet and your box.
Unless the guy / girl is a complete divey, it would be unlikely that the machine in question is his (although don't rule it out, as there are plenty of fools out there).

You will not however know what connections he has made to get to the box that is being used to 'attack' your machine.

He could be absolutely anywhere - as he may have a legit or hacked shell account on one of many boxes.
Most people would log in through an inet cafe into a shell account on a server - then run a script from there ..... with no trail back to themselves.
The only thing you can hope for is that the machine / account that is being used is closed down.
Contact the domain administrator for whatever machine is causing you trouble - be it an ISP / business etc. - and give them the details and hope they look into it for you.
You could also block that address on your routers to just ignore the connection, or set up .allow / .deny etc. files for whatever services are available on your machine ... i.e. allow or deny specific IP ranges / domains etc. from connecting to your machine.
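One way to turn the failed-login evidence PJTX100 describes into the per-service block Ethics Gradient suggests, as an added example that is not from the thread: count failed sshd logins per source address and emit TCP Wrappers hosts.deny entries for sources over a threshold. The log lines (RFC 5737 documentation addresses) and the threshold are constructed assumptions, not values from the thread.

```python
"""Count failed sshd logins per source IP and emit hosts.deny entries
for sources over a threshold. Added example, not from the thread; log
lines are constructed (RFC 5737 addresses), threshold is an assumption."""

import re
from collections import Counter

# OpenSSH-style failure line, e.g.
# "Jun  4 19:02:11 srv sshd[2231]: Failed password for invalid user test from 198.51.100.23 port 40122 ssh2"
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Constructed sample: one noisy source, one legitimate user with a single typo.
SAMPLE_LOG = """\
Jun  4 19:02:11 srv sshd[2231]: Failed password for invalid user test from 198.51.100.23 port 40122 ssh2
Jun  4 19:02:12 srv sshd[2233]: Failed password for invalid user admin from 198.51.100.23 port 40124 ssh2
Jun  4 19:02:13 srv sshd[2235]: Failed password for root from 198.51.100.23 port 40126 ssh2
Jun  4 19:05:40 srv sshd[2301]: Failed password for pete from 203.0.113.7 port 51000 ssh2
Jun  4 19:05:48 srv sshd[2301]: Accepted password for pete from 203.0.113.7 port 51000 ssh2
"""

def failures_by_source(log_text: str) -> Counter:
    """Return {source_ip: number_of_failed_logins} for the given log text."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts

def offenders(counts: Counter, threshold: int) -> list[str]:
    """Source IPs whose failure count meets or exceeds the threshold, worst first."""
    return [ip for ip, n in counts.most_common() if n >= threshold]

def hosts_deny_lines(ips, services=("sshd",)) -> list[str]:
    """Build hosts.deny entries (daemon : client) for the flagged sources.

    Caveat: TCP Wrappers only covers services run via tcpd or linked
    against libwrap; a router or host firewall rule is the surer block."""
    return [f"{svc} : {ip}" for ip in ips for svc in services]

if __name__ == "__main__":
    counts = failures_by_source(SAMPLE_LOG)
    for ip in offenders(counts, threshold=3):
        print(f"{ip}: {counts[ip]} failures")
    print("\n".join(hosts_deny_lines(offenders(counts, threshold=3))))
```

Run it against a real /var/log/auth.log with a threshold tuned to your own traffic; the single typo from 203.0.113.7 stays below the threshold and is not blocked.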
05-06-2006, 10:16 AM   #11
PJTX100 (Conspicuous Member)
Join Date: Dec 2004
Experience Points: 16,232, Level: 30
Activity: 1.1%
Thanks: Gave 402, Got 566
Posts: 8,102
Quote:
Originally Posted by Ethics Gradient
You could also block that address on your routers to just ignore the connection, or set up .allow / .deny etc. files for whatever services are available on your machine ... i.e. allow or deny specific IP ranges / domains etc. from connecting to your machine.
Thanks, that sounds like a good idea, I'll look into it.
05-06-2006, 10:19 AM   #12
PJTX100 (Conspicuous Member)
Join Date: Dec 2004
Experience Points: 16,232, Level: 30
Activity: 1.1%
Thanks: Gave 402, Got 566
Posts: 8,102
As a general question about this sort of attack, does this scale of attack happen all the time to servers connected to the internet?

I'm just trying to establish whether this is "par for the course" or something more systematic.
05-06-2006, 10:54 AM   #13
Ethics Gradient (Ex Member)
Join Date: Jul 2003
Location: aka Billy Science - Suni ojna Tas
Experience Points: 15,477, Level: 30
Activity: 0%
Thanks: Gave 48, Got 445
Posts: 3,681
Quote:
Originally Posted by PJTX100
As a general question about this sort of attack, does this scale of attack happen all the time to servers connected to the internet?

I'm just trying to establish whether this is "par for the course" or something more systematic.
Yes - people use scripts on vast ranges of IPs looking for machines that are directly connected / have a redirect to them ... then see if they get a response to validate the operating system ... then start port scanning and log the results.
Then when they find ports that respond with a prompt / login, they try to either brute force (dictionary-type crack) or look for things like a mail server running an older version with a known bug and try to break it, dropping them into root for example.

--- then there are the focused attacks - ex-employees, friends, pressure groups, people with grudges etc. that target directly. These are where you would see DoS attacks etc.
05-06-2006, 1:44 PM   #14
Chris Muriel (Veteran Member)
Join Date: Jun 2002
Location: Manchester
Experience Points: 15,693, Level: 30
Activity: 13.6%
Thanks: Gave 510, Got 629
Posts: 6,244
Indeed. If you have a router/firewall have a look at the logs and be afraid!
(Although many of the events will actually be quite legit and harmless).

Chris Muriel, Manchester
05-06-2006, 9:20 PM   #15
Dom996 (Senior Member)
Join Date: Jun 2005
Experience Points: 4,125, Level: 15
Activity: 0%
Thanks: Gave 24, Got 37
Posts: 1,048
Quote:
Originally Posted by Ian J
Especially on AV Forums eh Dom
Ah, Ian, it will surprise you to know that I have been moderating another forum, hence why I have been quiet on here for a while. It is hard work and I appreciate what you guys do.