Finding a visitor's IP address is a very simple procedure, and sometimes it is even possible to recover the whole web proxy chain when HTTP proxies were used for anonymity, because many proxies append the addresses they relay in request headers such as X-Forwarded-For and Via.
After the IP address has been taken from web server logs or from an interception dump, almost every "where is this IP from" investigation starts with a WHOIS lookup. In the best case for the investigator the lookup, or the reverse DNS host name, reveals the country, city and sometimes even a street address, since many large Internet service providers record this data in the WHOIS database or encode it in host names to help their support staff troubleshoot network issues. In the worst case the lookup shows only the contact details of the ISP or organization that holds the IP block allocation. That organization, typically through the abuse contact listed in the record, is where the investigation continues in order to identify the owner of the IP address.
Below is the output of a very simple IP lookup script that runs a WHOIS search on the detected IP address.
```text
Your IP Address:             18.104.22.168
Your host name:              [NOT CHECKED]
Through a WEB Proxy:         [NO PROXY DETECTED]
Reverse DNS lookup:          [NOT CHECKED]
WHOIS lookup on IP address:

RESULTS FOUND: 2
-------------
Lookup results for 22.214.171.124 from whois.lacnic.net server:

Query rate limit exceeded

-------------
Lookup results for 126.96.36.199 from whois.arin.net server:

NetRange:       188.8.131.52 - 184.108.40.206
CIDR:           220.127.116.11/12
NetName:        AMAZON-2011L
NetHandle:      NET-54-224-0-0-1
Parent:         NET54 (NET-54-0-0-0-0)
NetType:        Direct Allocation
OriginAS:       AS16509
Organization:   Amazon Technologies Inc. (AT-88-Z)
RegDate:        2012-03-01
Updated:        2012-04-02
Ref:            https://whois.arin.net/rest/net/NET-54-224-0-0-1

OrgName:        Amazon Technologies Inc.
OrgId:          AT-88-Z
Address:        410 Terry Ave N.
City:           Seattle
StateProv:      WA
PostalCode:     98109
Country:        US
RegDate:        2011-12-08
Updated:        2017-01-28
Comment:        All abuse reports MUST include:
Comment:        * src IP
Comment:        * dest IP (your IP)
Comment:        * dest port
Comment:        * Accurate date/timestamp and timezone of activity
Comment:        * Intensity/frequency (short log extracts)
Comment:        * Your contact details (phone and email)
                Without these we will be unable to identify the correct owner of the IP address at that point in time.
Ref:            https://whois.arin.net/rest/org/AT-88-Z

OrgAbuseHandle: AEA8-ARIN
OrgAbuseName:   Amazon EC2 Abuse
OrgAbusePhone:  +1-206-266-4064
OrgAbuseEmail:  firstname.lastname@example.org
OrgAbuseRef:    https://whois.arin.net/rest/poc/AEA8-ARIN

OrgTechHandle:  ANO24-ARIN
OrgTechName:    Amazon EC2 Network Operations
OrgTechPhone:   +1-206-266-4064
OrgTechEmail:   email@example.com
OrgTechRef:     https://whois.arin.net/rest/poc/ANO24-ARIN

OrgNOCHandle:   AANO1-ARIN
OrgNOCName:     Amazon AWS Network Operations
OrgNOCPhone:    +1-206-266-4064
OrgNOCEmail:    firstname.lastname@example.org
OrgNOCRef:      https://whois.arin.net/rest/poc/AANO1-ARIN
```
Note. Under high load a WHOIS server may reject queries, as whois.lacnic.net did above with "Query rate limit exceeded". If the WHOIS lookup on an IP address fails, try again later, or query the registry that actually holds the block (here whois.arin.net) directly.
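The checks the script above performs, proxy-chain recovery from request headers, parsing a WHOIS reply into fields, and telling a rate-limited reply apart from a real record, as an added Python example. This is not the page's lookup script. The request headers and both WHOIS texts are constructed for the example: RFC 5737/3849 documentation addresses stand in for the client and an internal proxy, the ARIN text is modelled on the AMAZON-2011L record shown above with a placeholder abuse mailbox (abuse@example.org), and the only live function, whois_query, needs network access and assumes ARIN's "n" query flag.

```python
"""Proxy-chain recovery and WHOIS reply parsing: an added example, not the
page's lookup script.  All headers and WHOIS texts below are constructed
(RFC 5737/3849 documentation addresses for the client; the ARIN text is
modelled on the AMAZON-2011L record shown above)."""
import ipaddress
import socket


def _strip_host(token):
    """'"[2001:db8::1]:4711"' -> '2001:db8::1'; '192.0.2.1:4711' -> '192.0.2.1'."""
    token = token.strip().strip('"')
    if token.startswith("["):
        return token[1:token.index("]")]
    return token.split(":")[0] if token.count(":") == 1 else token


def proxy_chain(remote_addr, headers):
    """Addresses along the chain, client first, ending with the TCP peer.
    X-Forwarded-For is used when present, RFC 7239 Forwarded otherwise.
    Tokens are kept verbatim even when they are not IPs ('unknown', obfuscated
    ids): each hop is a lead, but attacker-controlled until the next proxy in
    the chain confirms it.  With no proxy header the chain is just [remote_addr]."""
    hops = []
    if headers.get("X-Forwarded-For"):
        hops = [_strip_host(t) for t in headers["X-Forwarded-For"].split(",") if t.strip()]
    elif headers.get("Forwarded"):
        for element in headers["Forwarded"].split(","):
            for pair in element.split(";"):
                key, _, value = pair.strip().partition("=")
                if key.lower() == "for":
                    hops.append(_strip_host(value))
    return hops + [remote_addr]


def is_public(addr):
    """True only for a valid, globally routable address; private and
    documentation ranges come back False, as do junk tokens like 'unknown'."""
    try:
        return ipaddress.ip_address(addr).is_global
    except ValueError:
        return False


def parse_whois(text):
    """Turn a 'Key: value' WHOIS reply into {key: [values]}.  Returns
    (fields, error); error carries the server's message when the reply holds
    no record at all, e.g. LACNIC's 'Query rate limit exceeded'."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#%":      # registry banners and disclaimers
            continue
        key, sep, value = line.partition(":")
        if sep and key and " " not in key.strip():
            fields.setdefault(key.strip(), []).append(value.strip())
    if not fields:
        return fields, (text.strip().splitlines() or ["empty reply"])[0]
    return fields, None


def next_contact(fields):
    """What the investigation continues with: block holder and abuse mailbox.
    ARIN keys first, then the lower-case keys RIPE/APNIC/LACNIC use."""
    def first(*keys):
        return next((fields[k][0] for k in keys if k in fields), None)
    return {"netname": first("NetName", "netname"),
            "range": first("NetRange", "inetnum"),
            "org": first("OrgName", "org-name", "owner", "descr"),
            "country": first("Country", "country"),
            "abuse": first("OrgAbuseEmail", "abuse-mailbox", "e-mail")}


def whois_query(addr, server="whois.arin.net", timeout=10):
    """Live RFC 3912 query over TCP/43 (needs network; not run offline).
    ARIN's 'n' query flag asks for the network record directly."""
    query = ("n " if server == "whois.arin.net" else "") + addr
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall((query + "\r\n").encode())
        chunks = []
        while data := sock.recv(4096):
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")


# Constructed samples, not captured traffic.
SAMPLE_HEADERS = {"X-Forwarded-For": "203.0.113.7, 10.0.0.5", "Via": "1.1 proxy.example"}
SAMPLE_ARIN = """\
NetRange:       54.224.0.0 - 54.239.255.255
CIDR:           54.224.0.0/12
NetName:        AMAZON-2011L
OrgName:        Amazon Technologies Inc.
Country:        US
Comment:        All abuse reports MUST include:
Comment:        * src IP
OrgAbuseEmail:  abuse@example.org
"""
SAMPLE_LACNIC = "Query rate limit exceeded\n"

if __name__ == "__main__":
    chain = proxy_chain("18.104.22.168", SAMPLE_HEADERS)
    print("chain:", chain, "public:", [is_public(h) for h in chain])
    for reply in (SAMPLE_ARIN, SAMPLE_LACNIC):
        fields, err = parse_whois(reply)
        print("retry later:" if err else "contact:", err or next_contact(fields))
```

Only the last element of the recovered chain (the TCP peer) is something the server observed itself; every earlier hop was written by a proxy the client may control, so treat X-Forwarded-For entries as leads to verify, not as evidence. When the registry answers, check that the IP you queried actually falls inside the NetRange returned before contacting the abuse mailbox, and when it answers with a rate-limit message, as whois.lacnic.net did above, parse_whois returns it as an error so the script retries rather than misreading the message as a record.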