IP Address Investigation

PreviousInformation Security Officer Guide NextWHOIS

Last updated 2 months ago

IP Address Investigation

Investigation Steps/Breakdown

1. What is an IP Address?

An IP address (like 141.98.9.152) is a unique identifier for a device or server on the internet. It tells us who owns it, where it’s hosted, and what it’s used for.

Think of it like a house address:

The house number = IP Address (141.98.9.152)
The neighborhood = Network (141.98.9.0/24)
The city/government managing it = Autonomous System (AS209588)

2. What’s the Role of an Autonomous System (AS)?

An Autonomous System (AS) is a large group of IP addresses managed by an internet service provider (ISP) or cloud hosting company.

For 141.98.9.152:

It belongs to AS209588 (FLYSERVERS-ASN).
FLYSERVERS-ASN is the company that controls this block of IPs.
The entire 141.98.9.0/24 network is part of this system.

💡 Think of AS as a postal service (like DHL or FedEx):

It routes internet traffic between different networks.
Multiple IPs are grouped under one AS to keep things organized.

3. WHOIS & Ownership: Who Controls This IP?

WHOIS records store ownership information about IP addresses.

For 141.98.9.152, the owner is:

Alviva Holding Limited
Located in Victoria, Mahé, Seychelles
Network Name: DIGICLOUD-NET
Service Type: VDS & Cloud Services

💡 Think of this like a business registry:

DIGICLOUD-NET is the brand offering virtual cloud servers.
Alviva Holding Ltd is the company managing the business.

🚩 Why is this important?

If the IP is doing something suspicious, this tells who to contact.
Some companies register in offshore locations (like Seychelles) for privacy reasons.

4. Reverse DNS & Forward DNS (How We Link IPs to Websites)

Every website or server can have a name (domain) linked to an IP.

Reverse DNS (PTR Record)

Converts an IP → Hostname (e.g., 141.98.9.152 → example.com)
No Data means there is no known hostname for this IP.

Forward DNS (A Record)

Converts a Hostname → IP (e.g., example.com → 141.98.9.152)
No Data means no domain is directly linked to this IP.

💡 Think of DNS as a phonebook:

Reverse DNS = Finding the name of the caller from their number.
Forward DNS = Finding the number of a person by their name.

🚩 Why is this important?

If an IP has a Reverse DNS name, we know what service it’s hosting.
If it has no Reverse DNS, it’s likely a generic cloud server or a hidden service.

5. Why Does This Matter for Security & Investigations?

If an IP is involved in cybercrime, checking WHOIS and ASN helps track who owns it.
If an IP is sending spam, checking Reverse DNS and network info helps block it.
If an IP is hosting a website, checking DNS records helps link it to a domain.
If an IP is part of a cloud provider, it might be used for VPNs, proxies, or malicious bots.

💡 Example Use Cases:

Investigating Phishing Websites: Check if an IP is linked to scam domains.
Blocking Malicious IPs: If an IP has a bad reputation (spamming, hacking), you can block it.
Tracking Hackers: Knowing an IP’s hosting provider helps in legal investigations.

Final Breakdown

Concept

What It Means

IP Address

A unique identifier for a device on the internet (e.g., 141.98.9.152).

AS (Autonomous System)

A big network of IPs controlled by one company (e.g., AS209588 = Flyservers).

WHOIS

A registry showing who owns the IP (e.g., Alviva Holding Ltd, Seychelles).

Reverse DNS

Converts IP → Domain (e.g., 141.98.9.152 → No Data = No hostname).

Forward DNS

Converts Domain → IP (e.g., example.com → 141.98.9.152).

Services & OS

Shows active services (e.g., web servers, email) – but here it shows 0 detected services.

Geolocation

IPs are registered in Seychelles, but might be physically hosted elsewhere (e.g., Netherlands).

IP Address Investigation 1

Step-by-Step Guide to Investigating an IP Address (141.98.9.152)

Below is a structured step-by-step approach to investigating an IP address, the tools to use, and how to interpret the output.

Step 1: Perform a WHOIS Lookup

📌 Purpose: Find out who owns the IP address and which organization manages it.

Tools to Use:

Online WHOIS Lookup:
Command-Line (Linux/macOS/Windows PowerShell):
```
whois 141.98.9.152
```

Output Breakdown:

Field

Explanation

Netname

The name of the IP range (e.g., DIGICLOUD-NET).

Organization

The company that owns the IP (e.g., Alviva Holding Limited, Seychelles).

ASN (Autonomous System Number)

Identifies the network operator (e.g., AS209588, Flyservers S.A.).

Abuse Contact

Email for reporting abuse if the IP is malicious.

Step 2: Check the Reverse and Forward DNS Records

📌 Purpose: Find out if the IP is linked to a hostname (e.g., a website or server).

Tools to Use:

Online Reverse Lookup:

Command-Line:

nslookup 141.98.9.152

dig -x 141.98.9.152

Output Breakdown:

Field

Explanation

Reverse DNS (PTR Record)

If available, it tells what hostname this IP resolves to.

Forward DNS (A Record)

If the IP has a linked domain, it will be shown here.

No Data

Means the IP is likely used for anonymous or cloud-based activities.

Step 3: Check Geolocation of the IP

📌 Purpose: Find the physical location of the IP (though it may not be accurate).

Tools to Use:

Online Geolocation Tools:

Command-Line:

curl https://ipinfo.io/141.98.9.152/json

Output Breakdown:

Field

Explanation

Country

The country the IP is registered to (e.g., Seychelles).

City/Region

More specific location data (e.g., Schiphol-Rijk, Netherlands).

ISP

The Internet Service Provider (e.g., Flyservers S.A.).

🚨 Warning:

Many cloud providers register IPs in one country (Seychelles) but host services in another (Netherlands, USA, etc.).
If the IP is linked to a VPN or proxy service, it may show an incorrect location.

Step 4: Check if the IP is Active and Running Services

📌 Purpose: Find out if the IP has open ports (web servers, email, remote access).

Tools to Use:

Shodan (IP Intelligence & Port Scanner):
- Run a scan:
  shodan host 141.98.9.152
Nmap (Advanced Network Scanner):
```
nmap -Pn 141.98.9.152
```
or to check specific ports:
```
nmap -p 22,80,443 141.98.9.152
```

Output Breakdown:

Field

Explanation

Open Ports

Shows if the IP is running services like a web server (80/443) or SSH (22).

No Open Ports

Means the server is either inactive or blocking scans.

Step 5: Check if the IP Has a Bad Reputation

📌 Purpose: Find out if the IP has been reported for malicious activity (hacking, spam, fraud, botnets, etc.).

Tools to Use:

AbuseIPDB (Reports of malicious activity):
VirusTotal (Check if the IP is linked to malware/phishing):

Output Breakdown:

Field

Explanation

Number of Reports

How many times users have flagged this IP.

Reason for Reports

Spam, phishing, hacking attempts, etc.

Last Reported Date

If it was reported recently, it might still be active in attacks.

Step 6: Check Passive DNS History

📌 Purpose: Find if the IP has ever hosted domains in the past.

Tools to Use:

SecurityTrails (Passive DNS Lookups):
ViewDNS.info (Historical IP records):

Output Breakdown:

Can also refer Web Information Gathering

PreviousInformation Security Officer Guide NextWHOIS

Last updated 2 months ago

Investigation Steps/Breakdown

1. What is an IP Address?

An IP address (like 141.98.9.152) is a unique identifier for a device or server on the internet. It tells us who owns it, where it’s hosted, and what it’s used for.

Think of it like a house address:

The house number = IP Address (141.98.9.152)
The neighborhood = Network (141.98.9.0/24)
The city/government managing it = Autonomous System (AS209588)

2. What’s the Role of an Autonomous System (AS)?

An Autonomous System (AS) is a large group of IP addresses managed by an internet service provider (ISP) or cloud hosting company.

For 141.98.9.152:

It belongs to AS209588 (FLYSERVERS-ASN).
FLYSERVERS-ASN is the company that controls this block of IPs.
The entire 141.98.9.0/24 network is part of this system.

💡 Think of AS as a postal service (like DHL or FedEx):

It routes internet traffic between different networks.
Multiple IPs are grouped under one AS to keep things organized.

3. WHOIS & Ownership: Who Controls This IP?

WHOIS records store ownership information about IP addresses.

For 141.98.9.152, the owner is:

Alviva Holding Limited
Located in Victoria, Mahé, Seychelles
Network Name: DIGICLOUD-NET
Service Type: VDS & Cloud Services

💡 Think of this like a business registry:

DIGICLOUD-NET is the brand offering virtual cloud servers.
Alviva Holding Ltd is the company managing the business.

🚩 Why is this important?

If the IP is doing something suspicious, this tells who to contact.
Some companies register in offshore locations (like Seychelles) for privacy reasons.

4. Reverse DNS & Forward DNS (How We Link IPs to Websites)

Every website or server can have a name (domain) linked to an IP.

Reverse DNS (PTR Record)

Converts an IP → Hostname (e.g., 141.98.9.152 → example.com)
No Data means there is no known hostname for this IP.

Forward DNS (A Record)

Converts a Hostname → IP (e.g., example.com → 141.98.9.152)
No Data means no domain is directly linked to this IP.

💡 Think of DNS as a phonebook:

Reverse DNS = Finding the name of the caller from their number.
Forward DNS = Finding the number of a person by their name.

🚩 Why is this important?

If an IP has a Reverse DNS name, we know what service it’s hosting.
If it has no Reverse DNS, it’s likely a generic cloud server or a hidden service.

5. Why Does This Matter for Security & Investigations?

If an IP is involved in cybercrime, checking WHOIS and ASN helps track who owns it.
If an IP is sending spam, checking Reverse DNS and network info helps block it.
If an IP is hosting a website, checking DNS records helps link it to a domain.
If an IP is part of a cloud provider, it might be used for VPNs, proxies, or malicious bots.

💡 Example Use Cases:

Investigating Phishing Websites: Check if an IP is linked to scam domains.
Blocking Malicious IPs: If an IP has a bad reputation (spamming, hacking), you can block it.
Tracking Hackers: Knowing an IP’s hosting provider helps in legal investigations.

Final Breakdown

Concept

What It Means

IP Address

A unique identifier for a device on the internet (e.g., 141.98.9.152).

AS (Autonomous System)

A big network of IPs controlled by one company (e.g., AS209588 = Flyservers).

WHOIS

A registry showing who owns the IP (e.g., Alviva Holding Ltd, Seychelles).

Reverse DNS

Converts IP → Domain (e.g., 141.98.9.152 → No Data = No hostname).

Forward DNS

Converts Domain → IP (e.g., example.com → 141.98.9.152).

Services & OS

Shows active services (e.g., web servers, email) – but here it shows 0 detected services.

Geolocation

IPs are registered in Seychelles, but might be physically hosted elsewhere (e.g., Netherlands).

IP Address Investigation 1

Step-by-Step Guide to Investigating an IP Address (141.98.9.152)

Below is a structured step-by-step approach to investigating an IP address, the tools to use, and how to interpret the output.

Step 1: Perform a WHOIS Lookup

📌 Purpose: Find out who owns the IP address and which organization manages it.

Tools to Use:

Online WHOIS Lookup:
Command-Line (Linux/macOS/Windows PowerShell):
```
whois 141.98.9.152
```

Output Breakdown:

Field

Explanation

Netname

The name of the IP range (e.g., DIGICLOUD-NET).

Organization

The company that owns the IP (e.g., Alviva Holding Limited, Seychelles).

ASN (Autonomous System Number)

Identifies the network operator (e.g., AS209588, Flyservers S.A.).

Abuse Contact

Email for reporting abuse if the IP is malicious.

Step 2: Check the Reverse and Forward DNS Records

📌 Purpose: Find out if the IP is linked to a hostname (e.g., a website or server).

Tools to Use:

Online Reverse Lookup:

Command-Line:

nslookup 141.98.9.152

dig -x 141.98.9.152

Output Breakdown:

Field

Explanation

Reverse DNS (PTR Record)

If available, it tells what hostname this IP resolves to.

Forward DNS (A Record)

If the IP has a linked domain, it will be shown here.

No Data

Means the IP is likely used for anonymous or cloud-based activities.

Step 3: Check Geolocation of the IP

📌 Purpose: Find the physical location of the IP (though it may not be accurate).

Tools to Use:

Online Geolocation Tools:

Command-Line:

curl https://ipinfo.io/141.98.9.152/json

Output Breakdown:

Field

Explanation

Country

The country the IP is registered to (e.g., Seychelles).

City/Region

More specific location data (e.g., Schiphol-Rijk, Netherlands).

ISP

The Internet Service Provider (e.g., Flyservers S.A.).

🚨 Warning:

Many cloud providers register IPs in one country (Seychelles) but host services in another (Netherlands, USA, etc.).
If the IP is linked to a VPN or proxy service, it may show an incorrect location.

Step 4: Check if the IP is Active and Running Services

📌 Purpose: Find out if the IP has open ports (web servers, email, remote access).

Tools to Use:

Shodan (IP Intelligence & Port Scanner):
- Run a scan:
  shodan host 141.98.9.152
Nmap (Advanced Network Scanner):
```
nmap -Pn 141.98.9.152
```
or to check specific ports:
```
nmap -p 22,80,443 141.98.9.152
```

Output Breakdown:

Field

Explanation

Open Ports

Shows if the IP is running services like a web server (80/443) or SSH (22).

No Open Ports

Means the server is either inactive or blocking scans.

Step 5: Check if the IP Has a Bad Reputation

📌 Purpose: Find out if the IP has been reported for malicious activity (hacking, spam, fraud, botnets, etc.).

Tools to Use:

AbuseIPDB (Reports of malicious activity):
VirusTotal (Check if the IP is linked to malware/phishing):

Output Breakdown:

Field

Explanation

Number of Reports

How many times users have flagged this IP.

Reason for Reports

Spam, phishing, hacking attempts, etc.

Last Reported Date

If it was reported recently, it might still be active in attacks.

Step 6: Check Passive DNS History

📌 Purpose: Find if the IP has ever hosted domains in the past.

Tools to Use:

SecurityTrails (Passive DNS Lookups):
ViewDNS.info (Historical IP records):

Output Breakdown:

Can also refer Web Information Gathering