FW log help please

Checking my FW logs i noticed an IP i though might be, err dodgy It seemed similar to ones i'd seen before, so i looked it up. I've removed all the IP's and info as it might not be wise to post them



Why is it that it says it can't etc, when the info was shown, also why did i see a different IP # at the bottom ? When i looked up the bottom IP i saw the top IP at the bottom ?

Interestingly the first IP was to a "normal innocent" looking Large internet backbone data center, the second was a Lot more dodgy, i'll say no more about that

 

Without the IP address or something more specific from the log, it's not possible to answer your question. If you're concerned about posting the entire IP, post the first 3 octets and not the last one.

 

Normally i get hundreds, if not more, of probes from all over the world every day, as i'm sure many others do to. All the previous time online, and today, several hours each, my FW inbound logs were/are unusually Extremely quiet. Except for less than about 25 today so far, and only 13 before !

I've discovered something Very interesting, to say the least

AS i noted, some IP #'s i searched for returned a different IP # at the bottom. What i noticed was ALL the bottom IP's were an exact reverse of the top ones ? Like this,

65.175.38.194
194.38.175.65

So i set about looking up ALL those IP #'s at the bottom.

EVERY one of them returned Dodgy IP/Names, and i don't mean pron or malware etc. Now if just a couple of the reversals showed that i'd put it down to coincidence, but not when ALL of them did, and on different occasions after several hours offline with the comp etc Totally shutdown and Everything switched off at the mains inbetween sessions. And i have a dynamic IP not static.

So what can this mean ? I think i have a good idea, but of course i can't prove it. I don't worry about it, find it amusing actually, but it has/is happening.

It might be enlightening for others to do the simple reversal test and see what they discover

*

@ noone_particular

Hi and thanks for posting

Unfortunately i don't feel it's wise to post even the first 3 octets publically.

I was curious to know why some of the IP #'s i search for return a different IP # at the bottom ? Also that even though it sometimes says No Name, Can't get a Record etc, it did/does show lots of info, not always but sometimes.

 

That is just a reverse DNS lookup.

A simple explanation.
When you attempt to connect to a website, for example this forum, a standard DNS query will be made for "A www.wilderssecurity.com". Your DNS server will then respond with the IP-> 65.175.38.194.
A reverse DNS lookup is the actual reverse, in where the IP is known but you want the actual website name, so a standard (reverse DNS) query (for wilders) would be "PTR 194.38.175.65.in-addr.arpa"(<-note the IP is reversed) which would return the name of Wilderssecurity.com.


So what you are seeing on your search result is first a check on the IP for any info available, then at the bottom is a reverse DNS lookup to see if there is a domain/website name for the IP.


- Stem

 

@ Stem

Thank you for replying, i was hoping you would

I had heard of reverse DNS but wasn't sure what it meant, but i do now

So the fact that ALL those "innocent looking" first IP #'s turn into VERY dodgy ones when reversed, means that the first ones are Actually linked/operated etc by the dodgy ones I see no other possible explanation, unless i've misunderstood something/s ?

If i havn't misunderstood, then i know what that means

 

Ignore the IP that is reversed. That is just the way the reverse DNS request is made.

Some info, http://en.wikipedia.org/wiki/Reverse_DNS_lookup



- Stem

 

This is a standard DNS request:-



This is the reverse DNS lookup:-




- Stem

 

I wish i could !

Thanks i get the "standard DNS request, reverse DNS lookup" now.

Please see my PM

 

Dont make a reverse DNS lookup of the reversed IP, it will just give you an headache and may make you concerned when not needed.


- Stem

 

When I find a "doggie" site is just place that in my permanent block list in PeerBlock. It's easy to do and reduces FUD. Users can block whole countries if they want.

 

@ Escalader

Hi,

I wasn't seeing "doggie" sites or puszy ones etc, but Dodgy ones ! Can't say too much, but they are not the ones you would want probing you

Thanks i'm aware of PeerBlock etc, but it's not a case of me being prevented from going there, which i don't, rather them trying to come in my comp

*

Stem was able to explain things to me which appeared confusing at first, but he's the expert so i listened

 

Right! That is my go to guy as well

 

Juts look up Host byte order vs Network byte order.

 

1 - How would i do that ?

2 - What would it show/tell me ?

TIA