Real World Linux Security Prentice Hall Ptr Open Source Technology Series

   

20.1 Tracing a Numeric IP Address with nslookup

Usually, all that your system's logs and other messages regarding a break-in will reveal of the intruder is the numeric IP (Internet Protocol) address of the system that he used. (Also, they may show a system name and a user name.) Fortunately, finding out about this system is easy. To get the fully qualified host name for numeric address b1.b2.b3.b4 issue the command

nslookup -type=any b4.b3.b2.b1.in-addr.arpa

Note that the order of the bytes of the IP address must be reversed. Suppose the logs show the intruder's IP address is 192.9.25.4. Reverse the order of the bytes to get 4.25.9.192. Then issue the command

nslookup -type=any 4.25.9.192.in-addr.arpa

You will see output similar to

Server: mindspring.com
Address: 207.69.200.201

4.25.9.192.in-addr.arpa name = pluto.Sun.COM

The name to the left of the .COM is the domain name, Sun.
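The byte reversal described above can be scripted when a log holds many addresses. The following is an added example, not code from the book: the function names, the sample log lines and the address 203.0.113.9 (a documentation address) are constructed for illustration. It prints the lookup commands and does not contact a name server itself.

```shell
#!/bin/sh
# Added example: turn addresses found in a log into reverse-lookup queries.

# Print the in-addr.arpa name for a dotted-quad IPv4 address.
# Returns 1 and prints nothing if the argument is not a valid address.
reverse_name() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                       # split b1.b2.b3.b4 into $1..$4
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    printf '%s.%s.%s.%s.in-addr.arpa\n' "$4" "$3" "$2" "$1"
}

# Print each distinct IPv4-looking token from the log text on stdin.
extract_ips() {
    grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort -u
}

# Print the nslookup command from the text for every valid address in the log.
queries_for_log() {
    extract_ips | while read -r ip; do
        name=$(reverse_name "$ip") || continue   # skip tokens such as 10.300.1.7
        printf 'nslookup -type=any %s\n' "$name"
    done
}

# Constructed sample log lines (not from a real system).
SAMPLE_LOG='Mar  3 02:14:07 host sshd[811]: Failed password for root from 192.9.25.4 port 4022
Mar  3 02:14:09 host sshd[811]: Failed password for root from 192.9.25.4 port 4023
Mar  3 02:15:41 host ftpd[902]: connection from 10.300.1.7 refused
Mar  3 02:16:02 host sshd[815]: Failed password for admin from 203.0.113.9 port 5110'

printf '%s\n' "$SAMPLE_LOG" | queries_for_log
```

The name returned by such a lookup is published by whoever controls the reverse zone for that address block, so treat it as a lead to corroborate with other evidence.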


   