Tuesday, May 12, 2009

A Brief Anatomy of Malware detection and some notes on using traceroute and determining 'intent'

From the posts below we can begin to understand why signature identification is so important. We are looking for malware in the packet data itself, since any port can be used to send malware and any IP can be spoofed or unwittingly be part of a botnet or worm. The packets below are indicative of the "Win32:SQLSlammer" worm attack, which has been around for a considerable time. The worm propagates itself by generating random IP addresses. Notice that the first SIP (Source IP) address is either spoofed or "router leakage": it comes from the RFC 1918 "private" (non-Internet) 10.0.0.0/8 block (10.0.0.0 through 10.255.255.255). Remember that any of these IP addresses can be (a) spoofed, (b) botnet victims or (c) unpatched SQL servers, so their ultimate location may not necessarily tell us anything about 'intent' or 'bad actors'. Note the common signature in these 376-byte packets. "Win32:SQLSlammer" wreaked an extraordinary amount of havoc upon the Internet with a very small amount of assembly code. The current Snort rules for this worm look like this:

alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"SQL Worm propagation attempt"; flow:to_server; content:"|04|"; depth:1; content:"|81 F1 03 01 04 9B 81 F1 01|"; content:"sock"; content:"send"; metadata:policy balanced-ips drop, policy security-ips drop; reference:bugtraq,5310; reference:bugtraq,5311; reference:cve,2002-0649; reference:nessus,11214; reference:url,vil.nai.com/vil/content/v_99992.htm; classtype:misc-attack; sid:2003; rev:12;)


alert udp $HOME_NET any -> $EXTERNAL_NET 1434 (msg:"SQL Worm propagation attempt OUTBOUND"; flow:to_server; content:"|04|"; depth:1; content:"|81 F1 03 01 04 9B 81 F1|"; content:"sock"; content:"send"; metadata:policy balanced-ips drop, policy security-ips drop; reference:bugtraq,5310; reference:bugtraq,5311; reference:cve,2002-0649; reference:nessus,11214; reference:url,vil.nai.com/vil/content/v_99992.htm; classtype:misc-attack; sid:2004; rev:11;)


The packets I captured are below. Note the common ASCII signature.

05/11-14:33:07.744419 0:9:5B:0:F3:DA -> 0:60:97:30:6B:C4 type:0x800 len:0x1A2
10.13.3.61:1092 -> 192.168.0.12:1434 UDP TTL:113 TOS:0x20 ID:61068 IpLen:20 DgmLen:404
Len: 376
0x0000: 00 60 97 30 6B C4 00 09 5B 00 F3 DA 08 00 45 20  .`.0k...[.....E 
0x0010: 01 94 EE 8C 00 00 71 11 8B AE 0A 0D 03 3D C0 A8  ......q......=..
0x0020: 00 0C 04 44 05 9A 01 80 63 09 04 01 01 01 01 01  ...D....c.......
0x0030: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
0x0040: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
0x0050: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
0x0060: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
0x0070: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
0x0080: 01 01 01 01 01 01 01 01 01 01 01 DC C9 B0 42 EB  ..............B.
0x0090: 0E 01 01 01 01 01 01 01 70 AE 42 01 70 AE 42 90  ........p.B.p.B.
0x00A0: 90 90 90 90 90 90 90 68 DC C9 B0 42 B8 01 01 01  .......h...B....
0x00B0: 01 31 C9 B1 18 50 E2 FD 35 01 01 01 05 50 89 E5  .1...P..5....P..
0x00C0: 51 68 2E 64 6C 6C 68 65 6C 33 32 68 6B 65 72 6E  Qh.dllhel32hkern
0x00D0: 51 68 6F 75 6E 74 68 69 63 6B 43 68 47 65 74 54  QhounthickChGetT
0x00E0: 66 B9 6C 6C 51 68 33 32 2E 64 68 77 73 32 5F 66  f.llQh32.dhws2_f
0x00F0: B9 65 74 51 68 73 6F 63 6B 66 B9 74 6F 51 68 73  .etQhsockf.toQhs
0x0100: 65 6E 64 BE 18 10 AE 42 8D 45 D4 50 FF 16 50 8D  end....B.E.P..P.
0x0110: 45 E0 50 8D 45 F0 50 FF 16 50 BE 10 10 AE 42 8B  E.P.E.P..P....B.
0x0120: 1E 8B 03 3D 55 8B EC 51 74 05 BE 1C 10 AE 42 FF  ...=U..Qt.....B.
0x0130: 16 FF D0 31 C9 51 51 50 81 F1 03 01 04 9B 81 F1  ...1.QQP........
0x0140: 01 01 01 01 51 8D 45 CC 50 8B 45 C0 50 FF 16 6A  ....Q.E.P.E.P..j
0x0150: 11 6A 02 6A 02 FF D0 50 8D 45 C4 50 8B 45 C0 50  .j.j...P.E.P.E.P
0x0160: FF 16 89 C6 09 DB 81 F3 3C 61 D9 FF 8B 45 B4 8D  ........<a...E..
0x0170: 0C 40 8D 14 88 C1 E2 04 01 C2 C1 E2 08 29 C2 8D  .@...........)..
0x0180: 04 90 01 D8 89 45 B4 6A 10 8D 45 B0 50 31 C9 51  .....E.j..E.P1.Q
0x0190: 66 81 F1 78 01 51 8D 45 03 50 8B 45 AC 50 FF D6  f..x.Q.E.P.E.P..
0x01A0: EB CA                                            ..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

05/11-14:53:48.630387 0:9:5B:0:F3:DA -> 0:60:97:30:6B:C4 type:0x800 len:0x1A2
202.99.11.99:1231 -> 192.168.0.12:1434 UDP TTL:110 TOS:0x80 ID:26925 IpLen:20 DgmLen:404
Len: 376
0x0000: 00 60 97 30 6B C4 00 09 5B 00 F3 DA 08 00 45 80  .`.0k...[.....E.
0x0010: 01 94 69 2D 00 00 6E 11 4B 31 CA 63 0B 63 C0 A8  ..i-..n.K1.c.c..
0x0020: 00 0C 04 CF 05 9A 01 80 9A 01 04 01 01 01 01 01  ................
0x0030: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
0x0040: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
0x0050: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
0x0060: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
0x0070: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
0x0080: 01 01 01 01 01 01 01 01 01 01 01 DC C9 B0 42 EB  ..............B.
0x0090: 0E 01 01 01 01 01 01 01 70 AE 42 01 70 AE 42 90  ........p.B.p.B.
0x00A0: 90 90 90 90 90 90 90 68 DC C9 B0 42 B8 01 01 01  .......h...B....
0x00B0: 01 31 C9 B1 18 50 E2 FD 35 01 01 01 05 50 89 E5  .1...P..5....P..
0x00C0: 51 68 2E 64 6C 6C 68 65 6C 33 32 68 6B 65 72 6E  Qh.dllhel32hkern
0x00D0: 51 68 6F 75 6E 74 68 69 63 6B 43 68 47 65 74 54  QhounthickChGetT
0x00E0: 66 B9 6C 6C 51 68 33 32 2E 64 68 77 73 32 5F 66  f.llQh32.dhws2_f
0x00F0: B9 65 74 51 68 73 6F 63 6B 66 B9 74 6F 51 68 73  .etQhsockf.toQhs
0x0100: 65 6E 64 BE 18 10 AE 42 8D 45 D4 50 FF 16 50 8D  end....B.E.P..P.
0x0110: 45 E0 50 8D 45 F0 50 FF 16 50 BE 10 10 AE 42 8B  E.P.E.P..P....B.
0x0120: 1E 8B 03 3D 55 8B EC 51 74 05 BE 1C 10 AE 42 FF  ...=U..Qt.....B.
0x0130: 16 FF D0 31 C9 51 51 50 81 F1 03 01 04 9B 81 F1  ...1.QQP........
0x0140: 01 01 01 01 51 8D 45 CC 50 8B 45 C0 50 FF 16 6A  ....Q.E.P.E.P..j
0x0150: 11 6A 02 6A 02 FF D0 50 8D 45 C4 50 8B 45 C0 50  .j.j...P.E.P.E.P
0x0160: FF 16 89 C6 09 DB 81 F3 3C 61 D9 FF 8B 45 B4 8D  ........<a...E..
0x0170: 0C 40 8D 14 88 C1 E2 04 01 C2 C1 E2 08 29 C2 8D  .@...........)..
0x0180: 04 90 01 D8 89 45 B4 6A 10 8D 45 B0 50 31 C9 51  .....E.j..E.P1.Q
0x0190: 66 81 F1 78 01 51 8D 45 03 50 8B 45 AC 50 FF D6  f..x.Q.E.P.E.P..
0x01A0: EB CA                                            ..

05/11-19:12:48.180440 0:9:5B:0:F3:DA -> 0:60:97:30:6B:C4 type:0x800 len:0x1A2
58.20.222.30:1297 -> 192.168.0.12:1434 UDP TTL:114 TOS:0x20 ID:9759 IpLen:20 DgmLen:404
Len: 376
0x0000: 00 60 97 30 6B C4 00 09 5B 00 F3 DA 08 00 45 20  .`.0k...[.....E 
0x0010: 01 94 26 1F 00 00 72 11 48 33 3A 14 DE 1E C0 A8  ..&...r.H3:.....
0x0020: 00 0C 05 11 05 9A 01 80 57 53 04 01 01 01 01 01  ........WS......
0x0030: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
0x0040: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
0x0050: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
0x0060: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
0x0070: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
0x0080: 01 01 01 01 01 01 01 01 01 01 01 DC C9 B0 42 EB  ..............B.
0x0090: 0E 01 01 01 01 01 01 01 70 AE 42 01 70 AE 42 90  ........p.B.p.B.
0x00A0: 90 90 90 90 90 90 90 68 DC C9 B0 42 B8 01 01 01  .......h...B....
0x00B0: 01 31 C9 B1 18 50 E2 FD 35 01 01 01 05 50 89 E5  .1...P..5....P..
0x00C0: 51 68 2E 64 6C 6C 68 65 6C 33 32 68 6B 65 72 6E  Qh.dllhel32hkern
0x00D0: 51 68 6F 75 6E 74 68 69 63 6B 43 68 47 65 74 54  QhounthickChGetT
0x00E0: 66 B9 6C 6C 51 68 33 32 2E 64 68 77 73 32 5F 66  f.llQh32.dhws2_f
0x00F0: B9 65 74 51 68 73 6F 63 6B 66 B9 74 6F 51 68 73  .etQhsockf.toQhs
0x0100: 65 6E 64 BE 18 10 AE 42 8D 45 D4 50 FF 16 50 8D  end....B.E.P..P.
0x0110: 45 E0 50 8D 45 F0 50 FF 16 50 BE 10 10 AE 42 8B  E.P.E.P..P....B.
0x0120: 1E 8B 03 3D 55 8B EC 51 74 05 BE 1C 10 AE 42 FF  ...=U..Qt.....B.
0x0130: 16 FF D0 31 C9 51 51 50 81 F1 03 01 04 9B 81 F1  ...1.QQP........
0x0140: 01 01 01 01 51 8D 45 CC 50 8B 45 C0 50 FF 16 6A  ....Q.E.P.E.P..j
0x0150: 11 6A 02 6A 02 FF D0 50 8D 45 C4 50 8B 45 C0 50  .j.j...P.E.P.E.P
0x0160: FF 16 89 C6 09 DB 81 F3 3C 61 D9 FF 8B 45 B4 8D  ........<a...E..
0x0170: 0C 40 8D 14 88 C1 E2 04 01 C2 C1 E2 08 29 C2 8D  .@...........)..
0x0180: 04 90 01 D8 89 45 B4 6A 10 8D 45 B0 50 31 C9 51  .....E.j..E.P1.Q
0x0190: 66 81 F1 78 01 51 8D 45 03 50 8B 45 AC 50 FF D6  f..x.Q.E.P.E.P..
0x01A0: EB CA                                            ..

05/11-20:06:49.515800 0:9:5B:0:F3:DA -> 0:60:97:30:6B:C4 type:0x800 len:0x1A2
69.13.200.210:1269 -> 192.168.0.12:1434 UDP TTL:115 TOS:0x20 ID:42723 IpLen:20 DgmLen:404
Len: 376
0x0000: 00 60 97 30 6B C4 00 09 5B 00 F3 DA 08 00 45 20  .`.0k...[.....E 
0x0010: 01 94 A6 E3 00 00 73 11 D0 C1 45 0D C8 D2 C0 A8  ......s...E.....
0x0020: 00 0C 04 F5 05 9A 01 80 61 C2 04 01 01 01 01 01  ........a.......
0x0030: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
0x0040: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
0x0050: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
0x0060: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
0x0070: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
0x0080: 01 01 01 01 01 01 01 01 01 01 01 DC C9 B0 42 EB  ..............B.
0x0090: 0E 01 01 01 01 01 01 01 70 AE 42 01 70 AE 42 90  ........p.B.p.B.
0x00A0: 90 90 90 90 90 90 90 68 DC C9 B0 42 B8 01 01 01  .......h...B....
0x00B0: 01 31 C9 B1 18 50 E2 FD 35 01 01 01 05 50 89 E5  .1...P..5....P..
0x00C0: 51 68 2E 64 6C 6C 68 65 6C 33 32 68 6B 65 72 6E  Qh.dllhel32hkern
0x00D0: 51 68 6F 75 6E 74 68 69 63 6B 43 68 47 65 74 54  QhounthickChGetT
0x00E0: 66 B9 6C 6C 51 68 33 32 2E 64 68 77 73 32 5F 66  f.llQh32.dhws2_f
0x00F0: B9 65 74 51 68 73 6F 63 6B 66 B9 74 6F 51 68 73  .etQhsockf.toQhs
0x0100: 65 6E 64 BE 18 10 AE 42 8D 45 D4 50 FF 16 50 8D  end....B.E.P..P.
0x0110: 45 E0 50 8D 45 F0 50 FF 16 50 BE 10 10 AE 42 8B  E.P.E.P..P....B.
0x0120: 1E 8B 03 3D 55 8B EC 51 74 05 BE 1C 10 AE 42 FF  ...=U..Qt.....B.
0x0130: 16 FF D0 31 C9 51 51 50 81 F1 03 01 04 9B 81 F1  ...1.QQP........
0x0140: 01 01 01 01 51 8D 45 CC 50 8B 45 C0 50 FF 16 6A  ....Q.E.P.E.P..j
0x0150: 11 6A 02 6A 02 FF D0 50 8D 45 C4 50 8B 45 C0 50  .j.j...P.E.P.E.P
0x0160: FF 16 89 C6 09 DB 81 F3 3C 61 D9 FF 8B 45 B4 8D  ........<a...E..
0x0170: 0C 40 8D 14 88 C1 E2 04 01 C2 C1 E2 08 29 C2 8D  .@...........)..
0x0180: 04 90 01 D8 89 45 B4 6A 10 8D 45 B0 50 31 C9 51  .....E.j..E.P1.Q
0x0190: 66 81 F1 78 01 51 8D 45 03 50 8B 45 AC 50 FF D6  f..x.Q.E.P.E.P..
0x01A0: EB CA                                            ..

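To make the rule's logic concrete, here is an added Python example (not code from the post): it rebuilds the first captured frame from the hex dump above, decodes the Ethernet/IPv4/UDP headers, applies the sid:2003 port and content checks, and adds the RFC 1918 source test the post mentions. The decoding and frame-building helpers are this example's own assumptions, not Snort's.

```python
import ipaddress
import struct
# Frame rebuilt from the page's first capture: Ethernet + IPv4 + UDP headers
# (42 bytes), then the 376-byte UDP payload. The 96-byte run of 0x01 is generated.
HEADERS = bytes.fromhex(
    "006097306bc4 00095b00f3da 0800"                    # Ethernet dst, src, type 0x0800
    "4520 0194 ee8c 0000 71 11 8bae 0a0d033d c0a8000c"  # IPv4: 10.13.3.61 -> 192.168.0.12
    "0444 059a 0180 6309")                              # UDP: 1092 -> 1434, length 384
PAYLOAD = b"\x04" + b"\x01" * 96 + bytes.fromhex(       # worm body from payload offset 0x61
    "dcc9b042eb" "0e0101010101010170ae420170ae4290" "9090909090909068dcc9b042b8010101"
    "0131c9b11850e2fd35010101055089e5" "51682e646c6c68656c3332686b65726e"  # "kernel32.dll"
    "51686f756e746869636b436847657454" "66b96c6c516833322e64687773325f66"  # "GetTickCount", "ws2_32.dll"
    "b965745168736f636b66b9746f516873" "656e64be1810ae428d45d450ff16508d"  # "socket", "sendto"
    "45e0508d45f050ff1650be1010ae428b" "1e8b033d558bec517405be1c10ae42ff"
    "16ffd031c951515081f10301049b81f1" "01010101518d45cc508b45c050ff166a"  # rule marker bytes
    "116a026a02ffd0508d45c4508b45c050" "ff1689c609db81f33c61d9ff8b45b48d"
    "0c408d1488c1e20401c2c1e20829c28d" "049001d88945b46a108d45b05031c951"
    "6681f17801518d4503508b45ac50ffd6" "ebca")
FRAME = HEADERS + PAYLOAD
MARKER = bytes.fromhex("81f10301049b81f101")  # content:"|81 F1 03 01 04 9B 81 F1 01|" from sid:2003

def decode(frame):
    """(src_ip, dst_ip, sport, dport, udp_payload) for an Ethernet/IPv4/UDP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != 0x0800 or frame[23] != 17:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    src, dst = (str(ipaddress.IPv4Address(frame[o:o + 4])) for o in (26, 30))
    udp = frame[14 + ihl:14 + total_len]
    sport, dport, ulen = struct.unpack("!HHH", udp[:6])
    return src, dst, sport, dport, udp[8:ulen]

def matches_sid_2003(frame):
    """The rule's checks: UDP to 1434, 0x04 as the first payload byte (depth:1),
    the marker bytes, and the strings "sock" and "send" anywhere in the payload."""
    d = decode(frame)
    if d is None:
        return False
    p = d[4]
    return d[3] == 1434 and p[:1] == b"\x04" and MARKER in p and b"sock" in p and b"send" in p

def source_is_rfc1918(frame):
    """True when the source address is private space, as the post notes for 10.13.3.61."""
    d = decode(frame)
    return d is not None and ipaddress.IPv4Address(d[0]).is_private

def build_udp_frame(payload, dport=1434):
    """Constructed helper: wrap a payload in the capture's headers with corrected lengths
    (checksums are left stale; the matcher does not verify them)."""
    ip = bytearray(HEADERS[14:34])
    struct.pack_into("!H", ip, 2, 28 + len(payload))
    return HEADERS[:14] + bytes(ip) + struct.pack("!HHHH", 1092, dport, 8 + len(payload), 0) + payload
```

The same payload matches from any source address, which is the point the post makes: the signature, not the IP, is what identifies the worm.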

Notice that Snort gives us a full-length reading of the packet by default. This verbosity helps enable robust signature creation and detection. (More on that later.) Since the Win32:SQLSlammer worm propagates itself by generating "random IP addresses", the traceroutes below may simply lead back to more victims: unpatched machines or botnet members. Interestingly, several routers actually respond to my traceroute for the private IP address 10.13.3.61:
# traceroute 10.13.8.61
traceroute to 10.13.8.61 (10.13.8.61), 64 hops max, 40 byte packets
 1  192.168.0.1 (192.168.0.1)  0.405 ms  0.334 ms  0.286 ms
 2  * * *
 3  68.87.207.113 (68.87.207.113)  11.558 ms  11.113 ms  12.196 ms
 4  te-5-3-ur02.ferndale.wa.seattle.comcast.net (68.86.96.110)  10.639 ms  10.806 ms  15.992 ms
 5  te-0-9-0-7-ar01.seattle.wa.seattle.comcast.net (68.86.96.105)  13.841 ms  15.408 ms  15.311 ms
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *

# traceroute 202.99.11.99
traceroute to 202.99.11.99 (202.99.11.99), 64 hops max, 40 byte packets
 1  192.168.0.1 (192.168.0.1)  0.496 ms  0.344 ms  0.376 ms
 2  * * *
 3  68.87.207.113 (68.87.207.113)  11.941 ms  11.272 ms  15.845 ms
 4  te-5-3-ur02.ferndale.wa.seattle.comcast.net (68.86.96.110)  24.681 ms  10.952 ms  11.595 ms
 5  te-0-9-0-7-ar01.seattle.wa.seattle.comcast.net (68.86.96.105)  14.363 ms  19.869 ms  14.247 ms
 6  pos-0-3-0-0-cr01.seattle.wa.ibone.comcast.net (68.86.90.209)  13.914 ms  14.518 ms  14.792 ms
 7  pos-0-8-0-0-cr01.portland.or.ibone.comcast.net (68.86.85.206)  19.672 ms  18.450 ms  19.496 ms
 8  pos-1-14-0-0-cr01.sacramento.ca.ibone.comcast.net (68.86.85.201)  32.156 ms  35.483 ms  31.574 ms
 9  pos-0-8-0-0-cr01.sanjose.ca.ibone.comcast.net (68.86.85.78)  33.493 ms  33.305 ms  34.754 ms
10  pos-0-0-0-0-pe01.11greatoaks.ca.ibone.comcast.net (68.86.86.50)  37.252 ms  37.343 ms  37.79 ms
11  75.149.229.42 (75.149.229.42)  36.697 ms  40.34 ms  36.615 ms
12  219.158.29.221 (219.158.29.221)  241.962 ms  242.456 ms  242.522 ms
13  219.158.5.133 (219.158.5.133)  242.769 ms  243.188 ms  242.885 ms
14  219.158.4.57 (219.158.4.57)  249.602 ms  249.813 ms  249.892 ms
15  202.96.12.30 (202.96.12.30)  261.865 ms  261.656 ms  261.901 ms
16  61.148.156.9 (61.148.156.9)  267.504 ms  266.695 ms  266.543 ms
17  61.148.156.166 (61.148.156.166)  267.896 ms  267.840 ms  272.820 ms
18  202.96.13.138 (202.96.13.138)  273.190 ms  272.447 ms  272.802 ms
19  211.154.209.162 (211.154.209.162)  234.590 ms  239.304 ms  234.552 ms
20  202.96.6.74 (202.96.6.74)  263.857 ms  265.102 ms  263.489 ms
21  Sh-Rtr-2-S3/0.sta.net.cn (202.96.6.130)  246.632 ms  255.336 ms  245.572 ms
22  * * *

traceroute to 58.20.222.30 (58.20.222.30), 64 hops max, 60 byte packets
 1  192.168.0.1 (192.168.0.1)  0.352 ms  0.337 ms  0.288 ms
 2  * * *
 3  68.87.207.113 (68.87.207.113)  8.935 ms  9.63 ms  9.107 ms
 4  te-5-3-ur02.ferndale.wa.seattle.comcast.net (68.86.96.110)  9.516 ms  9.785 ms  9.715 ms
 5  te-0-9-0-7-ar01.seattle.wa.seattle.comcast.net (68.86.96.105)  12.484 ms  12.145 ms  11.947 ms
 6  pos-0-5-0-0-cr01.seattle.wa.ibone.comcast.net (68.86.90.213)  14.90 ms  14.66 ms  12.611 ms
 7  pos-0-8-0-0-cr01.portland.or.ibone.comcast.net (68.86.85.206)  17.41 ms  16.51 ms  18.15 ms
 8  pos-1-15-0-0-cr01.sacramento.ca.ibone.comcast.net (68.86.85.197)  29.443 ms  30.459 ms  29.458 ms
 9  pos-0-8-0-0-cr01.sanjose.ca.ibone.comcast.net (68.86.85.78)  31.863 ms  31.426 ms  31.794 ms
10  pos-0-0-0-0-pe01.11greatoaks.ca.ibone.comcast.net (68.86.86.54)  35.808 ms  34.497 ms  35.363 ms
11  75.149.229.42 (75.149.229.42)  34.716 ms  64.27 ms  35.371 ms
12  219.158.29.213 (219.158.29.213)  247.202 ms  245.893 ms  247.260 ms
13  219.158.5.109 (219.158.5.109)  234.699 ms  234.229 ms  233.225 ms
14  219.158.9.102 (219.158.9.102)  239.58 ms  240.322 ms  240.992 ms
15  220.248.160.166 (220.248.160.166)  277.291 ms  275.978 ms  274.375 ms
16  58.20.222.30 (58.20.222.30)  245.299 ms  246.499 ms  245.847 ms

# traceroute -P ICMP 69.13.200.210                                     
traceroute to 69.13.200.210 (69.13.200.210), 64 hops max, 60 byte packets
 1  192.168.0.1 (192.168.0.1)  1.198 ms  1.158 ms  1.135 ms
 2  * * *
 3  68.87.207.113 (68.87.207.113)  8.636 ms  11.743 ms  8.967 ms
 4  te-5-3-ur02.ferndale.wa.seattle.comcast.net (68.86.96.110)  9.764 ms  8.822 ms  9.405 ms
 5  te-0-9-0-7-ar01.seattle.wa.seattle.comcast.net (68.86.96.105)  12.576 ms  12.828 ms  11.758 ms
 6  pos-0-5-0-0-cr01.seattle.wa.ibone.comcast.net (68.86.90.213)  13.794 ms  12.422 ms  13.459 ms
 7  pos-0-8-0-0-cr01.portland.or.ibone.comcast.net (68.86.85.206)  17.811 ms  16.782 ms  16.575 ms
 8  pos-1-14-0-0-cr01.sacramento.ca.ibone.comcast.net (68.86.85.201)  33.718 ms  28.898 ms  30.359 ms
 9  pos-0-9-0-0-cr01.sanjose.ca.ibone.comcast.net (68.86.85.181)  32.74 ms  32.334 ms  33.448 ms
10  er1-tengig3-4.sanjoseequinix.savvis.net (208.173.53.137)  35.790 ms  33.16 ms  32.538 ms
11  * cr1-tenge-0-3-5-0.sanfrancisco.savvis.net (204.70.200.198)  35.756 ms *
12  * * *
13  msr1-tengig0-0-0-0.dallas.savvis.net (204.70.196.202)  80.164 ms  81.798 ms  80.857 ms
14  er1-ge-3-0-6.dallas.savvis.net (204.70.202.61)  78.275 ms  75.309 ms  75.975 ms
15  federal-home-loan.Dallas.savvis.net (208.172.135.2)  76.970 ms  77.282 ms  77.882 ms
16  64.182.192.41 (64.182.192.41)  79.384 ms  79.456 ms  79.130 ms
17  210-200-13-69.cust.propagation.net (69.13.200.210)  76.181 ms  78.84 ms  77.538 ms

# geoiplookup 202.99.11.99 -f /usr/local/share/GeoIP/GeoLiteCity.dat
GeoIP City Edition, Rev 1: CN, 22, Beijing, (null), 39.928902, 116.388298, 0, 0
# geoiplookup 58.20.222.30 -f /usr/local/share/GeoIP/GeoLiteCity.dat 
GeoIP City Edition, Rev 1: CN, 11, Changsha, (null), 28.179199, 113.113602, 0, 0
# geoiplookup 69.13.200.210  -f /usr/local/share/GeoIP/GeoLiteCity.dat
GeoIP City Edition, Rev 1: US, TX, Fort Worth, 76112, 32.749199, -97.220497, 623, 817