Section 20.5 Finding a G-Man: Looking Up .gov Systems
If the hostname ends in .gov, the site belongs to the U.S. federal government or to an American Indian tribal government, and the following site may be used for the lookup:

www.nic.gov/whois.html

Unlike Network Solutions' .com lookups, where a handle such as !sun can be entered, here you enter the full domain name including the .gov.

Suppose that your logs show your system was violated from a system with the numeric IP address 204.108.10.231. You then issue the command

 
 nslookup -type=any 231.10.108.204.in-addr.arpa 

and see

 
 Server:  mindspring.com
 Address:  207.69.200.201
 
 Non-authoritative answer:
 231.10.108.204.in-addr.arpa    name = www.faa.gov
 
 Authoritative answers can be found from:
 10.108.204.IN-ADDR.ARPA nameserver = NSB.faa.gov
 10.108.204.IN-ADDR.ARPA nameserver = LABYRINTH.faa.gov
 10.108.204.IN-ADDR.ARPA nameserver = ENIGMA.faa.gov
 LABYRINTH.faa.gov       internet address = 207.104.92.2
 ENIGMA.faa.gov          internet address = 204.108.10.2

Most likely, a cracker has compromised a Federal Aviation Administration host and used it as a stepping stone to attack you. The Non-authoritative answer simply means that a name server (either MindSpring's or one upstream from it) answered from its cache of the address-to-name record rather than asking the name servers that are authoritative for 10.108.204.in-addr.arpa (NSB, LABYRINTH and ENIGMA.faa.gov, as listed in the output). Bear in mind that the PTR record is controlled by whoever administers the address block, so confirm it with a forward lookup of www.faa.gov and check that the address in your logs appears among the results. Remember also that if the attack used a protocol that needs no completed handshake, the source address in your logs may itself have been forged.

Supply the value faa.gov to the government's lookup service and you should see something like

 
 Whois Search Results:
 
 [Registration]
 
 Federal Aviation Administration (FAA-DOM)
    800 Independence Ave. SW
    Washington, DC 20591
 
 [About GSA]
 
    Domain Name: FAA.GOV
    Status: ACTIVE
    Domain Type: Federal
 
    Technical Contact:
      Coronel, Gus X.  (GXC)
      (202) 267-7828
      GUS.CTR.CORONEL@FAA.GOV
 
    Administrative Contact:
      Hayes, Alan  (AH3)
      (202) 267-7357
      ALAN.HAYES@FAA.DOT.GOV
 
    Domain servers in listed order:
 
    ENIGMA.FAA.GOV               204.108.10.2
    LABYRINTH.FAA.GOV            207.104.92.2
    CHASSIS7.TGF.TC.FAA.GOV      155.178.206.153
 
    Record last updated on 12-Apr-99.

The technical contact is the person you want to reach.
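The procedure above (build the in-addr.arpa name, look up the PTR record, confirm it with a forward lookup, then pick the lookup service for the domain) as an added Python example. It is not from the book; the SAMPLE_PTR and SAMPLE_A tables are constructed to mirror the chapter's www.faa.gov case plus one forged PTR record on a documentation-only address, and the live_ptr and live_forward helpers assume the system resolver is reachable. The example also generalizes to IPv6 addresses, which the chapter does not cover.

```python
import ipaddress
import socket

# Constructed sample data modelled on the chapter's example. These tables stand
# in for the live DNS; they are not the output of a real lookup.
SAMPLE_PTR = {
    "204.108.10.231": "www.faa.gov",
    # Constructed: whoever administers the reverse zone for 198.51.100.0/24
    # (a documentation-only block) can point its PTR at any name he likes.
    "198.51.100.7": "www.faa.gov",
}
SAMPLE_A = {
    "www.faa.gov": ["204.108.10.231"],
}

# Lookup sites the chapter gives for the two U.S. government top-level domains.
WHOIS_SOURCES = {
    "gov": "www.nic.gov/whois.html",
    "mil": "www.nic.mil/",
}


def reverse_name(ip):
    """Return the in-addr.arpa (IPv4) or ip6.arpa (IPv6) name for an address.

    This is the name the chapter hands to nslookup:
    204.108.10.231 -> 231.10.108.204.in-addr.arpa
    """
    return ipaddress.ip_address(ip).reverse_pointer


def live_ptr(ip):
    """PTR lookup through the system resolver (assumes network access)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def live_forward(name):
    """Every address a hostname resolves to, via the system resolver."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []


def confirmed_reverse(ip, ptr_lookup=live_ptr, forward_lookup=live_forward):
    """Forward-confirmed reverse DNS.

    The PTR record belongs to whoever administers the address block, so the
    name it returns is only trustworthy if that name resolves back to the
    address you logged. Returns (name, status).
    """
    name = ptr_lookup(ip)
    if name is None:
        return None, "no PTR record"
    if ip not in forward_lookup(name):
        return name, "unconfirmed: PTR does not resolve back to this address"
    return name, "confirmed"


def whois_source(hostname):
    """Registrable domain (last two labels) and the chapter's lookup site for it.

    Assumption: two-label domains, which holds for .gov and .mil; country-code
    domains such as .co.uk would need a public-suffix list instead.
    """
    labels = hostname.lower().rstrip(".").split(".")
    domain = ".".join(labels[-2:])
    return domain, WHOIS_SOURCES.get(labels[-1])


def trace(ip, ptr_lookup=live_ptr, forward_lookup=live_forward):
    """Carry the chapter's procedure through for one logged address."""
    name, status = confirmed_reverse(ip, ptr_lookup, forward_lookup)
    result = {"ip": ip, "reverse": reverse_name(ip), "name": name,
              "status": status, "domain": None, "whois": None}
    if name is not None:
        result["domain"], result["whois"] = whois_source(name)
    return result


if __name__ == "__main__":
    # Run against the constructed tables so the demonstration works offline.
    for logged_ip in ("204.108.10.231", "198.51.100.7"):
        print(trace(logged_ip, SAMPLE_PTR.get, lambda n: SAMPLE_A.get(n, [])))
```

Calling trace() with its default arguments uses the system resolver; the lookup against the whois site itself is still done by hand in a browser, as the chapter describes. The second constructed address shows why the forward check matters: its PTR claims to be www.faa.gov, but the name never resolves to it, so the result is reported as unconfirmed rather than sending you to the FAA.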

To trace a U.S. military (.mil) address, use

www.nic.mil/

Remember that the system probably is compromised, so a phone call or an overnight letter is much preferred over e-mail, since mail sent to that system may be read and deleted by the cracker. At best the e-mail would only alert the cracker that you are on to him. It is unusual for a system administrator to be the cracker.

Real World Linux Security Prentice Hall Ptr Open Source Technology Series
Year: 2002
Pages: 260