Magic Banana lamented:

>The third column of "output-2-column-file.txt" cannot be computed from the input alone, as far as I understand.

If it were mine to do as well as you can ... I'd reverse the octet order in the third column, look them both up with nMap or nslookup, and compare to the first column. That would work for some of the IPv4's in column 2, but would not solve the ones that move the left-most octet to the far right, leaving the other three octets in "standard" order. Another script might be written to do that in order to produce a fourth column.

> If so, why is "ns530300.ip-198-27-67.net" mapped to 53.198.27.67? That makes little sense to me (and,
> indeed, 53 is not part of the actual address).

Tricky server owner: He reversed the 53 to 35 and put it at far right just like some of the 10's were handled;
Now we're up to a fifth column to try in our output comparisons.

My short-term strategy is to try Google, then Hurricane Electric's BGP files. The next step in my plan is to grab all the hostnames of the home servers of the malevolent country codes that appear in the output files of the searches emanating from the 35,000-row list (maybe a couple of thousand CIDR blocks), see how many duplicated hostnames appear, and then go after all the CIDR blocks in each of the active ASN's. With the tweaks that we've discussed recently, those nMap scans run remarkably quickly. A dedicated pattern searcher would not limit the analysis to the known malevolents. For example, my 100+ sextortion emails came from every corner of the world. I have a couple written in portuguese. I grew tired of collecting them and block any message with the word for a popular form of virtual currency, which grew out of the ancient practice of biting precious-metal currency that was stopped when newer currency started to be made with reeded edges.

It's too hard to predict what will appear in the results of a Google search on an arbitrary but nonresolving
hostname ... maybe concentrate on some anti-spam services.

Hurricane Electric's BGP application is a little easier: Plug a three-octet abbreviation of the IPv4 address (as oct.oct.oct.0/24) into the Search: box, pick the smaller of the two CIDR blocks that appear in response, ask for the DNS records, put the unknown hostname into the browser's search-this-page function, and see what, if any, IPv4 address lights up. The BGP data is limited to one thousand output lines, so many hostnames disappear from view with the larger CIDR blocks, such as CIDR/21, especially when there are sudirectories,
i.e. "A" records.

> Notice that ns530300.ip-198-27-67.net is not mapped. As I wrote above, I do not think it should.

I peeked at the Google data, which made the "guessing" easier. "ns530300" ==> 53 ==> 35; 300 is impossible.

I tried Magic Banana's suggested scripts, and they work exactly as written. Alas, I haven't managed any better than getting more than just the left-most of my intended reverse=ordered octets to print with this modification:

tr -sc 0-9\\n ' ' < hostname_list | awk '{ k = 0; for (i = 0; k < 4 && ++i i; ) printf $k "."; print $i } else print "" }' | paste hostname_list -

Reply via email to