Old 08-14-2008, 10:40 AM   #1
Registered: Aug 2003
Location: Slovenia
Distribution: Arch, Debian, Embedded
Posts: 136

Rep: Reputation: 15
Reverse DNS lookup fails

Hey. I know this isn't exactly linux-related, but I'd like to ask something about a possible hack attempt. Recently I checked my apache2 httpd logs and found multiple entries of this strange IP address scanning my webserver for vulnerabilities. While I can't say they found any holes as I regularly update my software, I was curious to see who it was. I did a reverse DNS lookup on the IP in question, but the lookup failed. I've tried multiple reverse-DNS-lookup websites and they were all unable to resolve the IP. I know the IP is valid since it appears in the logs, but why can it not be resolved to a hostname?

Here's a piece from the logs.
Quote:
- - [13/Aug/2008:02:53:12 +0200] "GET /sql/db/main.php HTTP/1.0" 404 277
- - [13/Aug/2008:02:53:13 +0200] "GET /sql/web/main.php HTTP/1.0" 404 278
- - [13/Aug/2008:02:53:13 +0200] "GET /sql/pMA/main.php HTTP/1.0" 404 278
- - [13/Aug/2008:02:53:13 +0200] "GET /sql/admin/main.php HTTP/1.0" 404 280
- - [13/Aug/2008:02:53:14 +0200] "GET /sql/main.php HTTP/1.0" 404 274
- - [13/Aug/2008:02:53:14 +0200] "GET /sql/dbadmin/main.php HTTP/1.0" 404 282
- - [13/Aug/2008:02:53:15 +0200] "GET /sql/pMA2006/main.php HTTP/1.0" 404 282
- - [13/Aug/2008:02:53:15 +0200] "GET /sql/pma2006/main.php HTTP/1.0" 404 282
- - [13/Aug/2008:02:53:15 +0200] "GET /sql/sqlmanager/main.php HTTP/1.0" 404 285
- - [13/Aug/2008:02:53:16 +0200] "GET /sql/sqlmanager/main.php HTTP/1.0" 404 285
- - [13/Aug/2008:02:53:16 +0200] "GET /sql/p/m/a/main.php HTTP/1.0" 404 280
Old 08-14-2008, 12:08 PM   #2
LQ Guru
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 7,563
Blog Entries: 15

Rep: Reputation: 1504
There is no requirement that IP addresses be tied to names. This is done for convenience. Computers would work just fine using only IP addresses, but we humans would have a hard time remembering IPs for everything we want to use, so we assign names.

We use DNS to find the names when we don't know them but it requires that someone registered the name and published its association with the IP address. Sometimes you don't want people knowing what your systems are for legitimate purposes. Sometimes you don't want them knowing because you're a hacker and are doing something bad.

There are sites that will approximate the IP address' geographic location. If you see it is coming out of some exotic foreign land (e.g. Russia) you probably just want to blacklist the address so it doesn't do any queries.
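Added example (not from the thread or any poster): a small script that picks out clients producing bursts of 404s on admin-tool paths, as in the log quoted in post #1, and then tries the reverse lookup the way a resolver does, reporting "no PTR" cleanly instead of failing, and forward-confirming any PTR name it does get, since a PTR record alone can say anything its zone owner wants. The sample log lines and IPs are constructed (documentation ranges), and the resolver functions are injectable so the logic can be exercised without network access.

```python
import re
import socket
from collections import defaultdict

# Constructed sample in Apache common log format, modelled on the thread's
# quoted entries; 192.0.2.10 is a placeholder, not the poster's real client.
SAMPLE_LOG = """\
192.0.2.10 - - [13/Aug/2008:02:53:12 +0200] "GET /sql/db/main.php HTTP/1.0" 404 277
192.0.2.10 - - [13/Aug/2008:02:53:13 +0200] "GET /sql/web/main.php HTTP/1.0" 404 278
192.0.2.10 - - [13/Aug/2008:02:53:13 +0200] "GET /sql/pMA/main.php HTTP/1.0" 404 278
192.0.2.10 - - [13/Aug/2008:02:53:14 +0200] "GET /sql/main.php HTTP/1.0" 404 274
198.51.100.7 - - [13/Aug/2008:02:55:00 +0200] "GET /index.html HTTP/1.1" 200 5120
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+')

def parse_log(text):
    """Yield (ip, path, status) for each well-formed line; skip malformed ones."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = m.group("req").split()
        path = parts[1] if len(parts) >= 2 else m.group("req")
        yield m.group("ip"), path, int(m.group("status"))

def scanning_ips(text, min_404=3):
    """Return {ip: sorted paths} for clients with >= min_404 distinct 404 paths.
    A run of misses on guessed admin paths is what a vulnerability scan looks like."""
    misses = defaultdict(set)
    for ip, path, status in parse_log(text):
        if status == 404:
            misses[ip].add(path)
    return {ip: sorted(p) for ip, p in misses.items() if len(p) >= min_404}

def reverse_lookup(ip, resolver=socket.gethostbyaddr, forward=socket.gethostbyname_ex):
    """Return the PTR name for ip (None when no PTR exists) plus whether the name
    resolves back to ip (forward-confirmed reverse DNS). socket.herror and
    socket.gaierror are both OSError subclasses, so one except clause covers them."""
    try:
        name, _aliases, _addrs = resolver(ip)
    except OSError:
        return {"ip": ip, "ptr": None, "confirmed": False}
    try:
        fwd_addrs = forward(name)[2]
    except OSError:
        fwd_addrs = []
    return {"ip": ip, "ptr": name, "confirmed": ip in fwd_addrs}

if __name__ == "__main__":
    for ip, paths in scanning_ips(SAMPLE_LOG).items():
        print(ip, len(paths), "distinct 404s", reverse_lookup(ip))
```

Run against a real access log by replacing SAMPLE_LOG with the file's contents; an entry with `ptr: None` is exactly the "lookup failed" case from the original question, and `confirmed: False` with a name present means the PTR should not be trusted as identification.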
Old 08-14-2008, 12:37 PM   #3
Registered: Aug 2003
Location: Slovenia
Distribution: Arch, Debian, Embedded
Posts: 136

Original Poster
Rep: Reputation: 15
Yeah, thanks for the summary. This IP seems to originate from Rotterdam, NL. Seeing that the IP had no hostname made me a little paranoid, thinking that I'm being hacked by the feds or something.

edit: How hard is it to figure out the ISP of such an IP address?

Last edited by Origy; 08-14-2008 at 12:41 PM.
Old 08-14-2008, 12:48 PM   #4
Senior Member
Registered: Dec 2004
Location: Olympia, WA, USA
Distribution: Fedora, (K)Ubuntu
Posts: 4,186

Rep: Reputation: 347
$ whois
<redacted - copyrighted material>
Oops! I posted before I read the copyright notice. Sorry - just run the command to see the output.

Last edited by PTrenholme; 08-14-2008 at 12:56 PM. Reason: Removed copyrighted material.