Post published in social media

What is this strange IP, and how do I investigate it?

Have you ever looked at your connection table and wondered what a given peer IP address actually belongs to? Here are some tips for investigating those mysterious IPs.
$ ss -npt # -n: numeric addresses only, -p: show owning process, -t: TCP sockets only
State        Recv-Q        Send-Q               Local Address:Port                    Peer Address:Port               Process                                               
ESTAB        0             0                     192.168.0.33:33858                     31.13.84.9:https               users:(("chrome",pid=48824,fd=57))                   
(...)

When you notice Chrome connected to an IP you don't recognise, look it up with a reverse DNS query, dig -x:

$ dig -x 31.13.84.9
(...)
;; ANSWER SECTION:
9.84.13.31.in-addr.arpa. 1333   IN  PTR edge-dgw-shv-01-vie1.facebook.com.

So, it turns out someone was browsing Facebook during work hours. Quite a questionable feat indeed!

Now, let's consider an IP that the ipfs peer-to-peer daemon is connected to:

$ dig -x 91.120.156.112
(...)
112.156.120.91.in-addr.arpa. 86400 IN   PTR 5B789C70.dsl.pool.telekom.hu.

If the PTR record still leaves it unclear who this IP belongs to, query whois for the registration details. PTR records are optional and are set by whoever controls the reverse zone, so treat them as a hint rather than proof; the whois registration is the more authoritative source:

$ whois 91.120.156.112
(...)
descr:          Magyar Telekom customers using dynamic IP
descr:          xDSL/GPON access

This suggests the connection isn't from a dedicated hosting service but rather from a residential customer on a dynamic Magyar Telekom DSL line.
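The three steps above (list peers with ss, reverse-resolve with dig -x, then whois) can be chained into one small script. The following is an added example, not code from the original post: it parses a constructed sample of ss -npt output, skips loopback and RFC 1918 private peers so only external addresses are reported, and runs the dig/whois lookups only when addresses are passed as arguments (the lookups need network access and the dig and whois tools, which the script checks for before calling).

```shell
#!/bin/sh
# Added example (not from the original post): list external ESTABLISHED peers
# from `ss -npt` and investigate them with dig -x and whois.

# Constructed sample of `ss -npt` output: header line plus three connections.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port     Peer Address:Port   Process
ESTAB  0      0      192.168.0.33:33858     31.13.84.9:https    users:(("chrome",pid=48824,fd=57))
ESTAB  0      0      192.168.0.33:4001      91.120.156.112:4001 users:(("ipfs",pid=1234,fd=88))
ESTAB  0      0      192.168.0.33:51000     192.168.0.10:ssh    users:(("ssh",pid=999,fd=3))'

# Return 0 (true) if the IPv4 address is loopback or RFC 1918 private space.
is_private_ip() {
    case "$1" in
        127.*|10.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# Read ss -npt output on stdin and print unique, non-private peer addresses.
# The peer column is "addr:port": drop the port (text after the last colon)
# and any IPv6 brackets before checking the address.
extract_peer_ips() {
    awk '$1 == "ESTAB" { print $5 }' |
    while IFS= read -r peer; do
        ip=${peer%:*}
        ip=${ip#\[}
        ip=${ip%\]}
        is_private_ip "$ip" || printf '%s\n' "$ip"
    done | sort -u
}

# Reverse DNS plus the most useful whois fields for one address.
# Each tool is only invoked if it is installed; dig is given a short timeout.
investigate_ip() {
    ip=$1
    printf '== %s ==\n' "$ip"
    if command -v dig >/dev/null 2>&1; then
        printf 'PTR: '
        dig +short +time=3 +tries=1 -x "$ip" | tr '\n' ' '
        echo
    fi
    if command -v whois >/dev/null 2>&1; then
        whois "$ip" | grep -iE '^(netname|descr|org-name|orgname|country):' | head -n 8
    fi
}

# With no arguments, show which peers the constructed sample would flag
# (runs offline). With addresses as arguments, run the live lookups on them,
# e.g.:  sh investigate.sh $(ss -npt | extract_peer_ips)
if [ $# -eq 0 ]; then
    printf '%s\n' "$SAMPLE_SS" | extract_peer_ips
else
    for ip in "$@"; do
        investigate_ip "$ip"
    done
fi
```

Run without arguments to see only the two external peers from the sample (the 192.168.0.10 SSH peer is filtered out); pipe real `ss -npt` output into `extract_peer_ips` and pass the result as arguments to get the PTR and whois fields for each address.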

More info about WHOIS: https://en.wikipedia.org/wiki/WHOIS