FW log help please

Discussion in 'other firewalls' started by CloneRanger, Sep 30, 2010.

Thread Status:
Not open for further replies.
  1. CloneRanger

    CloneRanger, Registered Member
    Joined: Jan 4, 2006 | Posts: 4,833
    Checking my FW logs i noticed an IP i thought might be, err, dodgy ;) It seemed similar to ones i'd seen before, so i looked it up. I've removed all the IPs and info as it might not be wise to post them :p

    [attachment: dod.gif]

    Why is it that it says it can't etc., when the info was shown? Also, why did i see a different IP # at the bottom? When i looked up the bottom IP i saw the top IP at the bottom?

    Interestingly the first IP was to a "normal innocent" looking Large internet backbone data center, the second was a Lot more dodgy, i'll say no more about that :eek:
     
  2. noone_particular

    noone_particular, Registered Member
    Joined: Aug 8, 2008 | Posts: 3,798
    Without the IP address or something more specific from the log, it's not possible to answer your question. If you're concerned about posting the entire IP, post the first 3 octets and not the last one.
     
  3. CloneRanger

    CloneRanger, Registered Member
    Joined: Jan 4, 2006 | Posts: 4,833
    Normally i get hundreds, if not more, of probes from all over the world every day, as i'm sure many others do too. All the previous time online, and today, several hours each, my FW inbound logs were/are unusually Extremely quiet. Except for less than about 25 today so far, and only 13 before!

    I've discovered something Very interesting, to say the least :eek:

    As i noted, some IP #'s i searched for returned a different IP # at the bottom. What i noticed was ALL the bottom IPs were an exact reverse of the top ones? Like this,

    65.175.38.194
    194.38.175.65

    So i set about looking up ALL those IP #'s at the bottom.

    EVERY one of them returned Dodgy IP/Names, and i don't mean pron or malware etc. Now if just a couple of the reversals showed that i'd put it down to coincidence, but not when ALL of them did, and on different occasions after several hours offline with the comp etc Totally shutdown and Everything switched off at the mains inbetween sessions. And i have a dynamic IP not static.

    So what can this mean ? I think i have a good idea, but of course i can't prove it. I don't worry about it, find it amusing actually, but it has/is happening.

    It might be enlightening for others to do the simple reversal test and see what they discover :D

    *

    @ noone_particular

    Hi and thanks for posting :thumb:

    Unfortunately i don't feel it's wise to post even the first 3 octets publicly.

    I was curious to know why some of the IP #'s i search for return a different IP # at the bottom? Also, even though it sometimes says No Name, Can't get a Record etc., it did/does show lots of info, not always but sometimes.
     
  4. Stem

    Stem, Firewall Expert
    Joined: Oct 5, 2005 | Posts: 4,948 | Location: UK
    That is just a reverse DNS lookup.

    A simple explanation.
    When you attempt to connect to a website, for example this forum, a standard DNS query will be made for "A www.wilderssecurity.com". Your DNS server will then respond with the IP -> 65.175.38.194.
    A reverse DNS lookup is the actual reverse, where the IP is known but you want the actual website name, so a standard (reverse DNS) query (for wilders) would be "PTR 194.38.175.65.in-addr.arpa" (note the IP is reversed), which would return the name Wilderssecurity.com.

    So what you are seeing on your search result is first a check on the IP for any info available, then at the bottom is a reverse DNS lookup to see if there is a domain/website name for the IP.

    - Stem
     
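The mechanics Stem describes above, as an added Python example that is not part of the thread: it builds the owner name a resolver queries for a PTR record (octets reversed under in-addr.arpa for IPv4, nibbles reversed under ip6.arpa for IPv6), recovers the address from such a name, looks the name up in a small constructed table that stands in for the DNS zone (the wilderssecurity.com entry mirrors Stem's example; the 192.0.2.x entry is made up, and nothing is queried over the network), and flags when a "bottom IP" on a lookup page is only the label order of the PTR query rather than a second host worth investigating.

```python
import ipaddress
from typing import Optional

# Constructed stand-in for the PTR records a resolver would return.
# The wilderssecurity.com entry mirrors the example in Stem's post; the
# second entry is a made-up record in the 192.0.2.0/24 documentation range.
# Nothing here is queried over the network.
PTR_ZONE = {
    "194.38.175.65.in-addr.arpa": "www.wilderssecurity.com",
    "10.2.0.192.in-addr.arpa": "host-example.invalid",
}


def ptr_name(ip: str) -> str:
    """Build the owner name a resolver queries for a PTR record.

    IPv4: the four octets are written in reverse order under in-addr.arpa.
    IPv6: all 32 hex nibbles are written in reverse order under ip6.arpa.
    Raises ValueError for anything that is not a valid IP address.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")
        return ".".join(reversed(labels)) + ".in-addr.arpa"
    nibbles = addr.exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def ip_from_ptr_name(name: str) -> str:
    """Recover the address from an in-addr.arpa / ip6.arpa owner name."""
    name = name.rstrip(".").lower()
    if name.endswith(".in-addr.arpa"):
        labels = name[: -len(".in-addr.arpa")].split(".")
        if len(labels) != 4:
            raise ValueError("IPv4 PTR name needs exactly four labels")
        return str(ipaddress.ip_address(".".join(reversed(labels))))
    if name.endswith(".ip6.arpa"):
        nibbles = name[: -len(".ip6.arpa")].split(".")
        if len(nibbles) != 32:
            raise ValueError("IPv6 PTR name needs exactly 32 nibbles")
        hexstr = "".join(reversed(nibbles))
        groups = [hexstr[i:i + 4] for i in range(0, 32, 4)]
        return str(ipaddress.ip_address(":".join(groups)))
    raise ValueError("not a reverse-DNS owner name")


def lookup_ptr(ip: str, zone=PTR_ZONE) -> Optional[str]:
    """Simulate the 'bottom' step of a lookup page: the PTR target for the
    IP, or None when there is no record (the "Can't get a Record" case)."""
    return zone.get(ptr_name(ip))


def is_reverse_dns_artifact(top_ip: str, bottom_ip: str) -> bool:
    """True when bottom_ip is just top_ip with its octets reversed, i.e. the
    label order of the PTR query, not a second host that should be looked up."""
    try:
        return ptr_name(top_ip) == f"{bottom_ip.strip()}.in-addr.arpa"
    except ValueError:
        return False


if __name__ == "__main__":
    for ip in ("65.175.38.194", "192.0.2.10", "192.0.2.99", "2001:db8::1"):
        print(ip, "->", ptr_name(ip), "->", lookup_ptr(ip) or "no PTR record")
    print(is_reverse_dns_artifact("65.175.38.194", "194.38.175.65"))
```

The last function is the practical check for the confusion in this thread: if the second address on a lookup page is exactly the first one with its octets reversed, it is the PTR query name and carries no information about a different host.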
  5. CloneRanger

    CloneRanger, Registered Member
    Joined: Jan 4, 2006 | Posts: 4,833
    @ Stem

    Thank you for replying, i was hoping you would :thumb:

    I had heard of reverse DNS but wasn't sure what it meant, but i do now ;)

    So the fact that ALL those "innocent looking" first IP #'s turn into VERY dodgy ones when reversed means that the first ones are Actually linked/operated etc. by the dodgy ones :eek: I see no other possible explanation, unless i've misunderstood something/s?

    If i haven't misunderstood, then i know what that means :D
     
  6. Stem

    Stem, Firewall Expert
    Joined: Oct 5, 2005 | Posts: 4,948 | Location: UK
    Ignore the IP that is reversed. That is just the way the reverse DNS request is made.

    Some info: http://en.wikipedia.org/wiki/Reverse_DNS_lookup

    - Stem
     
  7. Stem

    Stem, Firewall Expert
    Joined: Oct 5, 2005 | Posts: 4,948 | Location: UK
    This is a standard DNS request:-

    [attachment: 01.png]

    This is the reverse DNS lookup:-

    [attachment: 02.png]

    - Stem
     
  8. CloneRanger

    CloneRanger, Registered Member
    Joined: Jan 4, 2006 | Posts: 4,833
    I wish i could!

    Thanks, i get the "standard DNS request, reverse DNS lookup" now.

    Please see my PM ;)
     
  9. Stem

    Stem, Firewall Expert
    Joined: Oct 5, 2005 | Posts: 4,948 | Location: UK
    Don't make a reverse DNS lookup of the reversed IP; it will just give you a headache and may make you concerned when not needed.

    - Stem
     
    Last edited: Oct 1, 2010
  10. Escalader

    Escalader, Registered Member
    Joined: Dec 12, 2005 | Posts: 3,710 | Location: Land of the Mooses
    When I find a "doggie" site I just place that in my permanent block list in PeerBlock. It's easy to do and reduces FUD. Users can block whole countries if they want.
     
  11. CloneRanger

    CloneRanger, Registered Member
    Joined: Jan 4, 2006 | Posts: 4,833
    @ Escalader

    Hi,

    I wasn't seeing "doggie" sites :D or puszy ones ;) etc., but Dodgy ones! Can't say too much, but they are not the ones you would want probing you ;)

    Thanks, i'm aware of PeerBlock etc., but it's not a case of me being prevented from going there, which i don't, rather them trying to come into my comp :eek:

    *

    Stem was able to explain things to me :thumb: which appeared confusing at first, but he's the expert so i listened :)
     
  12. Escalader

    Escalader, Registered Member
    Joined: Dec 12, 2005 | Posts: 3,710 | Location: Land of the Mooses
    Right! That is my go-to guy as well :thumb:
     
  13. stackz

    stackz, Registered Member
    Joined: Dec 27, 2007 | Posts: 619 | Location: Sydney Australia
    Just look up Host byte order vs Network byte order.
     
  14. CloneRanger

    CloneRanger, Registered Member
    Joined: Jan 4, 2006 | Posts: 4,833
    1 - How would i do that?

    2 - What would it show/tell me?

    TIA
     
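As an added illustration of the byte-order topic stackz points to (not code from anyone in the thread): the example below takes the 65.175.38.194 address used earlier, packs it into its 32-bit value, and shows that the same value laid out in memory on a little-endian host and read back octet by octet prints as 194.38.175.65, the reversed form seen on the lookup page. It also shows, via `socket.htonl`, that converting to network byte order always yields the wire-order bytes regardless of the host's native order. Only the standard library is used, and the sample address is the one already in the thread.

```python
import ipaddress
import socket
import struct
import sys


def ipv4_as_uint32(ip: str) -> int:
    """The 32-bit value behind a dotted quad, most significant octet first."""
    return int(ipaddress.IPv4Address(ip))


def dotted_from_bytes(b: bytes) -> str:
    """Read four raw bytes back as a dotted quad, in the order they sit in memory."""
    return ".".join(str(x) for x in b)


def network_order_dotted(ip: str) -> str:
    """Bytes as they travel on the wire (network byte order = big-endian)."""
    return dotted_from_bytes(struct.pack(">I", ipv4_as_uint32(ip)))


def little_endian_host_dotted(ip: str) -> str:
    """The same value as a little-endian host stores it: least significant
    byte first, so the octets appear reversed when read in memory order."""
    return dotted_from_bytes(struct.pack("<I", ipv4_as_uint32(ip)))


def wire_bytes_via_htonl(ip: str) -> bytes:
    """Convert host order to network order with htonl, then dump the result
    in this host's native layout ('=' format). On a little-endian host htonl
    swaps the bytes; on a big-endian host it is the identity. Either way the
    result is the wire-order bytes, which is the point of the conversion."""
    n = ipv4_as_uint32(ip)
    return struct.pack("=I", socket.htonl(n))


def this_host_is_little_endian() -> bool:
    return sys.byteorder == "little"


if __name__ == "__main__":
    ip = "65.175.38.194"
    print("value        :", hex(ipv4_as_uint32(ip)))
    print("network order:", network_order_dotted(ip))
    print("little-endian:", little_endian_host_dotted(ip))
    print("htonl -> wire:", wire_bytes_via_htonl(ip).hex())
    print("this host is little-endian:", this_host_is_little_endian())
```

The octet reversal that looks alarming on a lookup page is the same as the swap between these two layouts; the underlying 32-bit value, and therefore the host it identifies, does not change.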