How to contact the Hacker's ISP

InternetPeriscope enables you to get the name, address, phone number, fax number, and email address of an attempted intruder's Internet Service Provider (ISP). InternetPeriscope's Whois IP address Tool enables you to do this.

In some cases, InternetPeriscope can also get you the name, address, phone number, fax number, and email address of the hacker's employer.

In the figure below, the user is viewing the history of intrusion attempts; specifically, the user is viewing information on the intrusion attempt from IP address 4.60.103.165. (This is from a real intrusion attempt. Intrusion attempts are a common occurrence, and this should in no way be considered a blemish on the reputation of the ISPs mentioned here.)
[Figure: Intrusions]

Note that this hacker attempted to connect to port 111, the SunRPC Portmapper service. As of this writing, many hackers have been scanning machines for vulnerable versions of this service; a bare connection attempt to port 111 from an unknown address is almost always such a scan.

First, the user obtains the hacker's ISP information by clicking on the "Get ISP contact info (arin.net)..." button. This brings up the "Whois (arin.net)" dialog box shown below.
[Figure: Whois (arin.net) dialog]

Note that the IP address, 4.60.103.165, has already been filled in for you in the "Search String" box.

Also note that the Registry is set to the "American Registry for Internet Numbers". If it turns out that this intrusion attempt came from an address block managed by another regional registry (for example RIPE NCC for Europe or APNIC for the Asia-Pacific region), you will have to select the appropriate registry (InternetPeriscope will let you know if this is necessary).

The user then clicks on the Search button to find the ISP's contact information. Unfortunately, the "American Registry for Internet Numbers" is busy, and displays the following message.
[Figure: Search button and "busy" message]

The user clicks on the OK button, waits 10 seconds, and then again clicks on the Search button to obtain the following results:
[Figure: Search results]

Here we see that BBNPlanet is the Maintainer of the address block that contains the hacker's IP address. We also see that it might be a good idea to send an email to genuity.net about this incident. Scrolling down, we see that near.net, bbnplanet.com, and barrnet.net also take part in managing the IP address range that contains the hacker's address.
[Figure: Whois results, scrolled down]

At this point, you would probably want to send email to abuse@genuity.net, abuse@near.net, abuse@bbnplanet.com, and abuse@barrnet.net (and any email addresses listed in the whois results), notifying them of the date and time of the attempt, your timezone (or, better, the time converted to UTC), the hacker's IP address, the port scanned by the intruder, and the log lines that record the attempt.

If the attack is of great concern, you may wish to find even more contact info for these ISPs, to make sure the relevant people are notified. InternetPeriscope enables you to do this with its Whois (Domain Name) Tool, and by using its DNS features to find the Start of Authority (SOA) record for the domains (genuity.net, near.net, bbnplanet.com, and barrnet.net), which names the responsible mailbox for each zone.

In this case, the user wishes to find more contact information for BBNPlanet, as she feels that they are the best point of contact for this incident. She closes all the open dialogs, and then invokes the "Whois (Domain Name)" dialog box by clicking on the Tools menu, moving her mouse over the "Whois" menu item, and clicking on "Domain Name...", as shown in the figure.
[Figure: Tools > Whois > Domain Name... menu]

She enters "bbnplanet.com" into the "Search String", and clicks on "Search".
[Figure: Whois (Domain Name) search]

The figure below shows that she now has a few more email addresses and phone numbers she can use to contact the ISP (scroll down to see all of them).
[Figure: Email addresses and phone numbers]

Going back to the Intrusion History dialog, we see that InternetPeriscope has found a host name, lsanca1-ar20-4-60-103-165.vz.dsl.gtei.net, for the hacker's machine.
[Figure: Host name in the Intrusion History dialog]

InternetPeriscope did this by using DNS to look up the PTR record for the IP address 4.60.103.165. (The PTR record is published by whoever controls the address block, so the name is a lead rather than proof; a forward lookup of the name should return the same address before you rely on it.) Since InternetPeriscope was able to find the host name, the "Get Domain Contact Info (networksolutions)..." button is enabled. If InternetPeriscope cannot find a host name, this button will be disabled.

The user then clicks on the "Get Domain Contact Info (networksolutions)..." button and the dialog shown below appears.
[Figure: Domain name search dialog]

InternetPeriscope has "guessed" that you wish to find contact info for the domain gtei.net. (Remember that the host name is lsanca1-ar20-4-60-103-165.vz.dsl.gtei.net, and that domain whois looks up second-level domain [SLD] names such as gtei.net, not individual host names.)

The user then clicks on the Search button to obtain the following results:
[Figure: Domain contact results]

This dialog displays email addresses at bbnplanet.com and gtei.net. In addition to these addresses, the user should also send email to abuse@bbnplanet.com and abuse@gtei.net. Most ISPs maintain an "abuse" address for handling hacker and spam problems (the abuse@ mailbox is the conventional contact defined in RFC 2142).
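The steps above, from the log entry through reverse DNS and whois to the abuse e-mail, as one script. This is an added example written for this page, not InternetPeriscope's code: the log-line format, the whois record text, and the short list of two-label suffixes are constructed for the example, and the function names are my own. ptr_lookup and whois_query need network access and are not exercised on the sample data; everything else runs offline.

```python
import re
import socket
from datetime import datetime, timezone

# Constructed sample inputs for this example: a hypothetical firewall log
# format and a mock-up of an ARIN-style record, not a real whois response.
SAMPLE_LOG = "2001-03-14 02:17:45 -0800 DENY TCP 4.60.103.165:3042 -> 192.168.1.10:111"
SAMPLE_WHOIS = """\
OrgName:        BBN Planet (constructed record)
NetRange:       4.0.0.0 - 4.255.255.255
TechEmail:      hostmaster@bbnplanet.com
OrgAbuseEmail:  abuse@genuity.net
RTechEmail:     noc@near.net
"""
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4}) \S+ (?P<proto>TCP|UDP) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):\d+ -> \S+:(?P<dport>\d+)$")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")
# Suffixes under which the registrable name is three labels deep; a tiny
# stand-in for the Public Suffix List, which real code should use instead.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au", "co.jp", "co.nz"}

def parse_log_line(line):
    """Source IP, target port and timestamp from one log line. The time is
    converted to UTC so the recipient need not know your timezone."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError("unrecognised log line: %r" % line)
    when = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S %z").astimezone(timezone.utc)
    return {"raw": line, "src": m["src"], "proto": m["proto"],
            "dport": int(m["dport"]), "utc": when.strftime("%Y-%m-%d %H:%M:%S UTC")}

def ptr_lookup(ip):
    """PTR name for the address and whether it resolves back to the same
    address (needs network). The PTR is published by whoever controls the
    block, so an unconfirmed name is a lead, not proof."""
    try:
        name = socket.gethostbyaddr(ip)[0]
        confirmed = ip in {ai[4][0] for ai in socket.getaddrinfo(name, None)}
        return name, confirmed
    except (socket.herror, socket.gaierror):
        return None, False

def registrable_domain(hostname):
    """Name to feed a domain whois: gtei.net for the page's host name,
    example.co.uk rather than co.uk for a UK host."""
    labels = hostname.rstrip(".").lower().split(".")
    if len(labels) < 2:
        return None
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def whois_query(server, query, timeout=10):
    """Raw whois (RFC 3912) over TCP/43, which is what sits behind the tool's
    Search button (needs network)."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")

def contacts_from_whois(text):
    """Every address in the record plus abuse@ for each domain that appears,
    since most ISPs keep that mailbox even when the record omits it."""
    listed = set(EMAIL_RE.findall(text))
    domains = {addr.rsplit("@", 1)[1].lower() for addr in listed}
    return sorted(listed | {"abuse@" + d for d in domains})

def prepare_abuse_report(log_line, whois_text, hostname=None):
    """Run the procedure on already-fetched data; returns (recipients, report text)."""
    event = parse_log_line(log_line)
    recipients = set(contacts_from_whois(whois_text))
    domain = registrable_domain(hostname) if hostname else None
    if domain:
        recipients.add("abuse@" + domain)
    recipients = sorted(recipients)
    report = "\n".join([
        "To: " + ", ".join(recipients),
        "Subject: Unauthorised connection attempt from " + event["src"],
        "",
        "Time (UTC):  " + event["utc"],
        "Source IP:   " + event["src"],
        "PTR name:    " + (hostname or "none"),
        "Target port: %d/%s" % (event["dport"], event["proto"]),
        "Log line:    " + event["raw"],
    ])
    return recipients, report

if __name__ == "__main__":
    host = "lsanca1-ar20-4-60-103-165.vz.dsl.gtei.net"  # PTR name from the page
    print(prepare_abuse_report(SAMPLE_LOG, SAMPLE_WHOIS, host)[1])
```

Two things the script does that the dialogs leave to you: it reports the time in UTC rather than "your timezone", and ptr_lookup tells you whether the PTR name resolves back to the same address before you treat a domain such as gtei.net as the hacker's provider. The registrable_domain rule is the same "second-level domain" guess the tool makes, with the handful of two-label suffixes showing where that guess needs the Public Suffix List to be right.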

Using the Whois dialogs to find contact info for ISPs and domains in Europe and Asia requires that the user use a different registry. The reader is referred to the Whois (IP Address) and Whois (Domain Name) documentation.

Problems, comments, suggestions? Contact Greg Thatcher.

Copyright (c) 2013 Thatcher Development Software, LLC. All rights reserved. No claim to original U.S. Gov't works.