1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
|
#!/bin/bash
# whx.sh: "whois" spammer lookup
# Author: Walter Dnes
# Slight revisions (first section) by ABS Guide author.
# Used in ABS Guide with permission.
# Needs version 3.x or greater of Bash to run (because of =~ operator).
# Commented by script author and ABS Guide author.
E_BADARGS=65 # Missing command-line arg.
E_NOHOST=66 # Host not found.
E_TIMEOUT=67 # Host lookup timed out.
E_UNDEF=68 # Some other (undefined) error.
HOSTWAIT=10 # Specify up to 10 seconds for host query reply.
# The actual wait may be a bit longer.
OUTFILE=whois.txt # Output file.
PORT=4321
if [ -z "$1" ] # Check for (required) command-line arg.
then
echo "Usage: $0 domain name or IP address"
exit $E_BADARGS
fi
if [[ "$1" =~ "[a-zA-Z][a-zA-Z]$" ]] # Ends in two alpha chars?
then # It's a domain name && must do host lookup.
IPADDR=$(host -W $HOSTWAIT $1 | awk '{print $4}')
# Doing host lookup to get IP address.
# Extract final field.
else
IPADDR="$1" # Command-line arg was IP address.
fi
echo; echo "IP Address is: "$IPADDR""; echo
if [ -e "$OUTFILE" ]
then
rm -f "$OUTFILE"
echo "Stale output file \"$OUTFILE\" removed."; echo
fi
# Sanity checks.
# (This section needs more work.)
# ===============================
if [ -z "$IPADDR" ]
# No response.
then
echo "Host not found!"
exit $E_NOHOST # Bail out.
fi
if [[ "$IPADDR" =~ "^[;;]" ]]
# ;; connection timed out; no servers could be reached
then
echo "Host lookup timed out!"
exit $E_TIMEOUT # Bail out.
fi
if [[ "$IPADDR" =~ "[(NXDOMAIN)]$" ]]
# Host xxxxxxxxx.xxx not found: 3(NXDOMAIN)
then
echo "Host not found!"
exit $E_NOHOST # Bail out.
fi
if [[ "$IPADDR" =~ "[(SERVFAIL)]$" ]]
# Host xxxxxxxxx.xxx not found: 2(SERVFAIL)
then
echo "Host not found!"
exit $E_NOHOST # Bail out.
fi
# ======================== Main body of script ========================
AFRINICquery() {
# Define the function that queries AFRINIC. Echo a notification to the
#+ screen, and then run the actual query, redirecting output to $OUTFILE.
echo "Searching for $IPADDR in whois.afrinic.net"
whois -h whois.afrinic.net "$IPADDR" > $OUTFILE
# Check for presence of reference to an rwhois.
# Warn about non-functional rwhois.infosat.net server
#+ and attempt rwhois query.
if grep -e "^remarks: .*rwhois\.[^ ]\+" "$OUTFILE"
then
echo " " >> $OUTFILE
echo "***" >> $OUTFILE
echo "***" >> $OUTFILE
echo "Warning: rwhois.infosat.net was not working as of 2005/02/02" >> $OUTFILE
echo " when this script was written." >> $OUTFILE
echo "***" >> $OUTFILE
echo "***" >> $OUTFILE
echo " " >> $OUTFILE
RWHOIS=`grep "^remarks: .*rwhois\.[^ ]\+" "$OUTFILE" | tail -n 1 |\
sed "s/\(^.*\)\(rwhois\..*\)\(:4.*\)/\2/"`
whois -h ${RWHOIS}:${PORT} "$IPADDR" >> $OUTFILE
fi
}
APNICquery() {
echo "Searching for $IPADDR in whois.apnic.net"
whois -h whois.apnic.net "$IPADDR" > $OUTFILE
# Just about every country has its own internet registrar.
# I don't normally bother consulting them, because the regional registry
#+ usually supplies sufficient information.
# There are a few exceptions, where the regional registry simply
#+ refers to the national registry for direct data.
# These are Japan and South Korea in APNIC, and Brasil in LACNIC.
# The following if statement checks $OUTFILE (whois.txt) for the presence
#+ of "KR" (South Korea) or "JP" (Japan) in the country field.
# If either is found, the query is re-run against the appropriate
#+ national registry.
if grep -E "^country:[ ]+KR$" "$OUTFILE"
then
echo "Searching for $IPADDR in whois.krnic.net"
whois -h whois.krnic.net "$IPADDR" >> $OUTFILE
elif grep -E "^country:[ ]+JP$" "$OUTFILE"
then
echo "Searching for $IPADDR in whois.nic.ad.jp"
whois -h whois.nic.ad.jp "$IPADDR"/e >> $OUTFILE
fi
}
ARINquery() {
echo "Searching for $IPADDR in whois.arin.net"
whois -h whois.arin.net "$IPADDR" > $OUTFILE
# Several large internet providers listed by ARIN have their own
#+ internal whois service, referred to as "rwhois".
# A large block of IP addresses is listed with the provider
#+ under the ARIN registry.
# To get the IP addresses of 2nd-level ISPs or other large customers,
#+ one has to refer to the rwhois server on port 4321.
# I originally started with a bunch of "if" statements checking for
#+ the larger providers.
# This approach is unwieldy, and there's always another rwhois server
#+ that I didn't know about.
# A more elegant approach is to check $OUTFILE for a reference
#+ to a whois server, parse that server name out of the comment section,
#+ and re-run the query against the appropriate rwhois server.
# The parsing looks a bit ugly, with a long continued line inside
#+ backticks.
# But it only has to be done once, and will work as new servers are added.
#@ ABS Guide author comment: it isn't all that ugly, and is, in fact,
#@+ an instructive use of Regular Expressions.
if grep -E "^Comment: .*rwhois.[^ ]+" "$OUTFILE"
then
RWHOIS=`grep -e "^Comment:.*rwhois\.[^ ]\+" "$OUTFILE" | tail -n 1 |\
sed "s/^\(.*\)\(rwhois\.[^ ]\+\)\(.*$\)/\2/"`
echo "Searching for $IPADDR in ${RWHOIS}"
whois -h ${RWHOIS}:${PORT} "$IPADDR" >> $OUTFILE
fi
}
LACNICquery() {
echo "Searching for $IPADDR in whois.lacnic.net"
whois -h whois.lacnic.net "$IPADDR" > $OUTFILE
# The following if statement checks $OUTFILE (whois.txt) for the presence of
#+ "BR" (Brasil) in the country field.
# If it is found, the query is re-run against whois.registro.br.
if grep -E "^country:[ ]+BR$" "$OUTFILE"
then
echo "Searching for $IPADDR in whois.registro.br"
whois -h whois.registro.br "$IPADDR" >> $OUTFILE
fi
}
RIPEquery() {
echo "Searching for $IPADDR in whois.ripe.net"
whois -h whois.ripe.net "$IPADDR" > $OUTFILE
}
# Initialize a few variables.
# * slash8 is the most significant octet
# * slash16 consists of the two most significant octets
# * octet2 is the second most significant octet
slash8=`echo $IPADDR | cut -d. -f 1`
if [ -z "$slash8" ] # Yet another sanity check.
then
echo "Undefined error!"
exit $E_UNDEF
fi
slash16=`echo $IPADDR | cut -d. -f 1-2`
# ^ Period specified as 'cut" delimiter.
if [ -z "$slash16" ]
then
echo "Undefined error!"
exit $E_UNDEF
fi
octet2=`echo $slash16 | cut -d. -f 2`
if [ -z "$octet2" ]
then
echo "Undefined error!"
exit $E_UNDEF
fi
# Check for various odds and ends of reserved space.
# There is no point in querying for those addresses.
if [ $slash8 == 0 ]; then
echo $IPADDR is '"This Network"' space\; Not querying
elif [ $slash8 == 10 ]; then
echo $IPADDR is RFC1918 space\; Not querying
elif [ $slash8 == 14 ]; then
echo $IPADDR is '"Public Data Network"' space\; Not querying
elif [ $slash8 == 127 ]; then
echo $IPADDR is loopback space\; Not querying
elif [ $slash16 == 169.254 ]; then
echo $IPADDR is link-local space\; Not querying
elif [ $slash8 == 172 ] && [ $octet2 -ge 16 ] && [ $octet2 -le 31 ];then
echo $IPADDR is RFC1918 space\; Not querying
elif [ $slash16 == 192.168 ]; then
echo $IPADDR is RFC1918 space\; Not querying
elif [ $slash8 -ge 224 ]; then
echo $IPADDR is either Multicast or reserved space\; Not querying
elif [ $slash8 -ge 200 ] && [ $slash8 -le 201 ]; then LACNICquery "$IPADDR"
elif [ $slash8 -ge 202 ] && [ $slash8 -le 203 ]; then APNICquery "$IPADDR"
elif [ $slash8 -ge 210 ] && [ $slash8 -le 211 ]; then APNICquery "$IPADDR"
elif [ $slash8 -ge 218 ] && [ $slash8 -le 223 ]; then APNICquery "$IPADDR"
# If we got this far without making a decision, query ARIN.
# If a reference is found in $OUTFILE to APNIC, AFRINIC, LACNIC, or RIPE,
#+ query the appropriate whois server.
else
ARINquery "$IPADDR"
if grep "whois.afrinic.net" "$OUTFILE"; then
AFRINICquery "$IPADDR"
elif grep -E "^OrgID:[ ]+RIPE$" "$OUTFILE"; then
RIPEquery "$IPADDR"
elif grep -E "^OrgID:[ ]+APNIC$" "$OUTFILE"; then
APNICquery "$IPADDR"
elif grep -E "^OrgID:[ ]+LACNIC$" "$OUTFILE"; then
LACNICquery "$IPADDR"
fi
fi
#@ ---------------------------------------------------------------
# Try also:
# wget http://logi.cc/nw/whois.php3?ACTION=doQuery&DOMAIN=$IPADDR
#@ ---------------------------------------------------------------
# We've now finished the querying.
# Echo a copy of the final result to the screen.
cat $OUTFILE
# Or "less $OUTFILE" . . .
exit 0
#@ ABS Guide author comments:
#@ Nothing fancy here, but still a very useful tool for hunting spammers.
#@ Sure, the script can be cleaned up some, and it's still a bit buggy,
#@+ (exercise for reader), but all the same, it's a nice piece of coding
#@+ by Walter Dnes.
#@ Thank you!
|
