Vulnerability Development mailing list archives

Re: Publishing Nimda Logs


From: "Laurence Brockman" <laurence () fluxinc com>
Date: Wed, 8 May 2002 07:09:57 -0600

Whois works great. Try the following:

whois -h whois.arin.net x.x.x.x

where x.x.x.x is the attacking IP. Or you can visit www.arin.net and look
for the whois link there. Same thing, but through a web interface if you
don't have access to a unix box.

Laurence

----- Original Message -----
From: "ash" <ashcrow () phreaker net>
To: "Laurence Brockman" <laurence () fluxinc com>
Cc: <vuln-dev () securityfocus com>
Sent: Tuesday, May 07, 2002 10:59 PM
Subject: Re: Publishing Nimda Logs


Ah, thanks for clearing that up. Is there a central place that says who
owns what IP range blocks so I can further investigate where attacks
come from (besides whoising each address)?

Ash

Laurence Brockman wrote:

24.x isn't just Road Runner, it's most cable companies. It's Shaw (In
Canada), Rogers (AT&T), Road Runner, etc, etc. These blocks were given to
lots of cable ISPs when @Home was big, so sending logs into Road Runner
for any 24.x.x.x IP is useless in most cases (As the majority doesn't
belong to them).

Laurence
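
The per-address lookup from the reply above, batched over a web-server log. This is an added example, not part of the thread: the function names, the log lines and the addresses (documentation ranges) are constructed, and the NetRange/OrgName field names are the ones ARIN prints.

```shell
#!/bin/sh
# Added example, not from the thread. The log sample is constructed and
# uses addresses from the documentation ranges.

# Constructed access-log sample (common log format).
sample_log() {
cat <<'EOF'
192.0.2.10 - - [07/May/2002:22:01:03 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276
192.0.2.10 - - [07/May/2002:22:01:04 -0600] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 286
198.51.100.7 - - [07/May/2002:22:05:40 -0600] "GET /index.html HTTP/1.0" 200 1043
203.0.113.25 - - [07/May/2002:22:09:12 -0600] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 274
EOF
}

# stdin: access log. stdout: unique client IPs that requested cmd.exe or
# root.exe, the two files Nimda's IIS probes ask for.
nimda_sources() {
    grep -E -i '(cmd|root)\.exe' | awk '{print $1}' |
        grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' | sort -u
}

# stdin: one whois reply. stdout: "range | owner", taking the first
# NetRange and OrgName lines (ARIN's field names; other registries differ).
whois_summary() {
    awk -F': *' '
        /^NetRange:/ && r == "" { r = $2 }
        /^OrgName:/  && o == "" { o = $2 }
        END { printf "%s | %s\n", (r == "" ? "?" : r), (o == "" ? "?" : o) }'
}

# $1: access log file. Runs the lookup from the reply once per unique source.
lookup_all() {
    nimda_sources < "$1" | while read -r ip; do
        printf '%s | ' "$ip"
        whois -h whois.arin.net "$ip" </dev/null | whois_summary
        sleep 1    # keep the query rate low
    done
}

# Usage: sh thisfile access.log
if [ -n "${1:-}" ]; then lookup_all "$1"; fi
```

Sorting the output on the range column groups the sources by netblock, which shows which 24.x addresses actually share an owner.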