LinuxQuestions.org > Forums > Linux Forums > Linux - Security
08-14-2008, 10:40 AM   #1
<Ol>Origy (Member; Registered: Aug 2003; Location: Slovenia; Distribution: Arch, Debian, Embedded)
Reverse DNS lookup fails


Hey. I know this isn't exactly Linux-related, but I'd like to ask something about a possible hack attempt. Recently I checked my apache2 httpd logs and found multiple entries of this strange IP address scanning my webserver for vulnerabilities. While I can't say they found any holes, as I regularly update my software, I was curious to see who it was. I did a reverse DNS lookup on the IP in question, but the lookup failed. I've tried multiple reverse-DNS-lookup websites and they were all unable to resolve the IP. I know the IP is valid since it appears in the logs, but why can it not be resolved to a hostname?

Here's a piece from the logs.
Quote:
212.83.247.74 - - [13/Aug/2008:02:53:12 +0200] "GET /sql/db/main.php HTTP/1.0" 404 277
212.83.247.74 - - [13/Aug/2008:02:53:13 +0200] "GET /sql/web/main.php HTTP/1.0" 404 278
212.83.247.74 - - [13/Aug/2008:02:53:13 +0200] "GET /sql/pMA/main.php HTTP/1.0" 404 278
212.83.247.74 - - [13/Aug/2008:02:53:13 +0200] "GET /sql/admin/main.php HTTP/1.0" 404 280
212.83.247.74 - - [13/Aug/2008:02:53:14 +0200] "GET /sql/main.php HTTP/1.0" 404 274
212.83.247.74 - - [13/Aug/2008:02:53:14 +0200] "GET /sql/dbadmin/main.php HTTP/1.0" 404 282
212.83.247.74 - - [13/Aug/2008:02:53:15 +0200] "GET /sql/pMA2006/main.php HTTP/1.0" 404 282
212.83.247.74 - - [13/Aug/2008:02:53:15 +0200] "GET /sql/pma2006/main.php HTTP/1.0" 404 282
212.83.247.74 - - [13/Aug/2008:02:53:15 +0200] "GET /sql/sqlmanager/main.php HTTP/1.0" 404 285
212.83.247.74 - - [13/Aug/2008:02:53:16 +0200] "GET /sql/sqlmanager/main.php HTTP/1.0" 404 285
212.83.247.74 - - [13/Aug/2008:02:53:16 +0200] "GET /sql/p/m/a/main.php HTTP/1.0" 404 280
 
08-14-2008, 12:08 PM   #2
MensaWater (Guru; Registered: May 2005; Location: Atlanta Georgia USA; Distribution: Redhat (RHEL), CentOS, Fedora, Debian, FreeBSD, HP-UX, Solaris, SCO)
There is no requirement that IP addresses be tied to names. This is done for convenience. Computers would work just fine using only IP addresses, but we humans would have a hard time remembering IPs for everything we want to use, so we assign names.

We use DNS to find the names when we don't know them but it requires that someone registered the name and published its association with the IP address. Sometimes you don't want people knowing what your systems are for legitimate purposes. Sometimes you don't want them knowing because you're a hacker and are doing something bad.

There are sites that will approximate the IP address' geographic location. If you see it is coming out of some exotic foreign land (e.g. Russia) you probably just want to blacklist the address so it doesn't do any queries.
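The two practical steps in the reply above, spotting the scanner in the Apache log and checking whether its address has a PTR record before deciding to blacklist it, as an added example that is not part of the original thread. It is my own code, not something posted by the thread participants. The log lines are constructed to mirror the phpMyAdmin probe pattern shown in the first post, the `PMA_HINT` path regex is an illustrative guess at what such probes look like, and the `iptables` rule is just one way to drop an address. `socket.gethostbyaddr` raises `socket.herror` when no PTR exists, which is exactly the "lookup failed" case; the resolver is injectable so the detection logic can be tested offline.

```python
import re
import socket
from collections import defaultdict

# Constructed sample log (Apache common log format). The scanner IP and paths
# follow the probe pattern from the thread; 192.0.2.10 is ordinary traffic.
SAMPLE_LOG = """\
212.83.247.74 - - [13/Aug/2008:02:53:12 +0200] "GET /sql/db/main.php HTTP/1.0" 404 277
212.83.247.74 - - [13/Aug/2008:02:53:13 +0200] "GET /sql/web/main.php HTTP/1.0" 404 278
212.83.247.74 - - [13/Aug/2008:02:53:13 +0200] "GET /sql/pMA/main.php HTTP/1.0" 404 278
212.83.247.74 - - [13/Aug/2008:02:53:14 +0200] "GET /sql/admin/main.php HTTP/1.0" 404 280
212.83.247.74 - - [13/Aug/2008:02:53:14 +0200] "GET /sql/main.php HTTP/1.0" 404 274
192.0.2.10 - - [13/Aug/2008:02:55:00 +0200] "GET /index.html HTTP/1.1" 200 1043
192.0.2.10 - - [13/Aug/2008:02:55:01 +0200] "GET /favicon.ico HTTP/1.1" 404 209
"""

# Apache common log format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Assumed, illustrative set of directory names scanners try when hunting for
# phpMyAdmin; real scanner wordlists are much longer.
PMA_HINT = re.compile(
    r'(?i)(^|/)(pma|phpmyadmin|sql|dbadmin|sqlmanager|mysql)[^/]*/?.*main\.php$'
)


def parse_log(text):
    """Yield one dict per parseable line; unparseable lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            yield rec


def find_scanners(text, min_404=4):
    """Return {ip: count} for IPs with at least min_404 404s on
    phpMyAdmin-looking paths. Normal users 404 on one or two paths,
    a scanner walks a whole wordlist within seconds."""
    hits = defaultdict(int)
    for rec in parse_log(text):
        if rec["status"] == 404 and PMA_HINT.search(rec["path"]):
            hits[rec["ip"]] += 1
    return {ip: n for ip, n in hits.items() if n >= min_404}


def reverse_lookup(ip, resolver=socket.gethostbyaddr):
    """Return the PTR name for ip, or None when no PTR record exists.
    socket.gethostbyaddr raises socket.herror for 'Unknown host' (no PTR),
    which is the failure seen in the thread. Other errors propagate."""
    try:
        return resolver(ip)[0]
    except socket.herror:
        return None


def _no_ptr(ip):
    """Stub resolver standing in for an address with no PTR record."""
    raise socket.herror(1, "Unknown host")


def block_rule(ip):
    """One way to blacklist the address at the host firewall (assumed iptables)."""
    return f"iptables -I INPUT -s {ip} -j DROP"


def report(text, resolver=socket.gethostbyaddr):
    """(ip, probe_count, ptr_name_or_None, block_rule) for each scanner found."""
    rows = []
    for ip, n in sorted(find_scanners(text).items()):
        rows.append((ip, n, reverse_lookup(ip, resolver), block_rule(ip)))
    return rows


if __name__ == "__main__":
    # Uses the real resolver, so this part needs network access.
    for ip, n, name, rule in report(SAMPLE_LOG):
        print(f"{ip}: {n} phpMyAdmin probes, PTR={name or '<none>'}; {rule}")
```

A missing PTR record on its own says nothing about intent, as the reply notes; the evidence here is the burst of 404s against admin-panel paths, and the reverse lookup only adds context. Blocking a single address also has limited value, since scanners of this kind come from many hosts, so the more durable fix is not exposing phpMyAdmin (or any admin interface) to the whole internet in the first place.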
 
08-14-2008, 12:37 PM   #3
<Ol>Origy (Original Poster)
Yeah, thanks for the summary. This IP seems to originate from Rotterdam, NL. Seeing that the IP had no hostname made me a little paranoid, thinking that I'm being hacked by the feds or something.

edit: How hard is it to figure out the ISP of such an IP address?

Last edited by <Ol>Origy; 08-14-2008 at 12:41 PM.
 
08-14-2008, 12:48 PM   #4
PTrenholme (Senior Member; Registered: Dec 2004; Location: Olympia, WA, USA; Distribution: Fedora, (K)Ubuntu)
Code:
$ whois 212.83.247.74
[Querying whois.ripe.net]
[whois.ripe.net]
<redacted - copyrighted material>
<edit>
Oops! I posted before I read the copyright notice. Sorry - just run the command to see the output.
</edit>

Last edited by PTrenholme; 08-14-2008 at 12:56 PM. Reason: Removed copyrighted material.