# Re: [NTISP] how do they do this?

Jeff Woods ( jwoods@delta.com )
Sun, 02 May 1999 20:06:32 -0400

3513713141 is merely the decimal representation of an IP address.

To translate from stealth format to a real IP:

divide by 16777216 (256^3) to get the first number. Above, 209.

Take that number * 16777216 and subtract from the first number.

Above: 3513713141 - (209 * 16777216) = 7274997, now the current
number

Divide the current number by 65536 (256^2) to get the second number.
111.

Take that number * 65536 and subtract from the current number

7274997 - (111 * 65536) = 501, now the current number.

Divide the current number by 256 to get the third number. In this
case, 1.

Take that number * 256 and subtract from the current number for the
final number.

501 - (1 * 256) = 245.

Thus, the number above is 209.111.1.245.

To translate in the other direction, IP to "hidden", write out your whole
IP in binary, and use all 32 bits (i.e. leading zeros in a section if
needed):

209.111.1.245 thus is: 11010001.01101111.00000001.11110101

Just take out the dots, and convert that 32-bit number to binary (or hex,
or octal -- they all work in URLS), and you are in stealth mode.

Of course, it only takes ONE admin who knows what's going on to run a 2
second conversion on the URL, find the real IP, and do WHOIS on the
lamers, to report the site back to the ISP that needs to know who is
violating their TOS or AUP, which is really the only reason folks do
this.

In this case, the folks who need to be told are not bloody likely to do
anything about the spam (you got that URL in spam, right?) in any case:

<smaller>[Query: 209.111.1.245, Server: whois.arin.net]

NETCOM On-Line Communications Services, Inc. (NETBLK-NETCOM-BLK4)

2 North 2nd Street, Plaza A

San Jose, CA 95113

Netname: NETCOM-BLK4

Netblock: 209.108.0.0 - 209.111.255.255

Maintainer: NTCM

Coordinator:

NETCOM On-Line Communication Services, Inc. (NETCOM-HM-ARIN)
hostmaster@NOC.NETCOM.NET

888-698-HELP

Fax- - -408-881-3336

Domain System inverse mapping provided by:

NS1.NOC.NETCOM.NET 204.31.1.1

NS2.NOC.NETCOM.NET 199.183.9.2

ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE

Record last updated on 17-Nov-98.

Database last updated on 30-Apr-99 16:14:20 EDT.

The ARIN Registration Services Host contains ONLY Internet

Network Information: Networks, ASN's, and related POC's.

Please use the whois server at rs.internic.net for DOMAIN related

Information and nic.mil for NIPRNET Information.

[End of Whois message]

</smaller>

At 06:17 PM 5/2/99 -0500, you wrote:

>I recall someone posting on this before but I didn't save it. Could
the

>original poster put their message up again?

>

>I want to know how this type of URL works ( and therefore how you
generate the

>number to be used)

>

>

>It is ingenious for you can't readily tell the IP address of the site to
check

>up on it.

>

>David Payer

>OMNI Internet

>

>