Saturday, February 04, 2006

WHOIS and Simple IP Tracking

In this post I am going to show you how easy it is to discover the IP address of a website and track down the owner and/or hosting server of that website. There are other ways to do this that are more complicated and time-consuming, but honestly this easy technique works in the majority of cases. I understand that for some of us this is going to be rudimentary information, but I believe that for the majority of bloggers it could be extremely helpful. Later on we'll get into other areas of protection, security and other issues. Today we are simply going to focus on tracking down an IP address and finding the owner.

For this example I'm going to use the site theft that occurred to TSB about two weeks ago. This incident led me to discover Rogerio the hacker, almost at the exact same time that the Corporal did. Turns out that Rogerio was the hacker that nearly destroyed TSB a week earlier. On this morning I got an email telling me that my site was up and running on another site, bangblog.info. I went to the site and sure enough, someone had copied my entire site into theirs. What to do about it?

I needed to find the owner and track his sorry butt down. But how? The internet is a helpful place, both to us and to those out to do evil. The trick here is that we both have the same tools available to us. Remember, the hacker doesn't have a magic wand; they are working in the same world as we are. The important thing is to use those tools against them, just as they are using them against us. One of the most powerful tools at our disposal is built right into the internet, and it's called WHOIS. Every domain name is registered through a registrar, and every block of IP addresses is allocated by a regional registry (ARIN for North America, RIPE NCC for Europe, LACNIC for Latin America, APNIC for Asia-Pacific, AfriNIC for Africa). WHOIS is the public query service in front of those registration databases. Look up a domain name and you get the registrar, the name servers and the registrant's contact details (unless the registrant paid for a privacy or proxy service, in which case you get the proxy's details instead); look up an IP address and you get the organization that holds that address block, which is usually the hosting company or ISP. In a good way it also lets us see which domain names are available or unavailable and buy the ones we might want very badly.

There are many places where you can conduct a WHOIS search. I usually go to Network Solutions to conduct mine; the address is:
http://www.networksolutions.com/whois/index.jhtml

Bookmark this site, it is also helpful in many other ways.

Here you can enter the domain name, the NIC handle or the actual IP address and discover whatever information is available. In our example I knew the domain name, bangblog.info, and entered that. This is what I discovered. (You get a long list of data.) The Domain ID: D11788188-LRMS. Registrant ID: C-1796. Those are good, but the best part here was that Rogerio had actually registered the site in his own name. We learned that Rogerio lives at Avenue Minas Gerais Apt 201, that his phone number is 55.313.827.0045 and that his email address is ranicio@gmail.com. And that took us all of about two minutes from the time we started. EXPOSED. Now, the other thing we want to know is where bangblog.info is stored and hosted. Why? Because we may not get any satisfaction from the hacker, remember they are criminals after all, but the host is another story. The domain record itself only names the registrar and the name servers, so to find the host you resolve the domain name to its IP address (the name servers listed in the record are often the host's own) and run a second WHOIS lookup on that IP address; the IP lookup returns the organization that holds the address block, which is the hosting company, together with its abuse contact. In this example we learned that the host was a company in Texas called Planet.com. I say was because that information is no longer available here. So now what?
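The Network Solutions form is a front end for the same WHOIS protocol that any program can speak directly. The following is an added example, not code from the original post: a small WHOIS client that asks IANA which registry is responsible for a domain's top-level domain or for an IP address block, follows the referral to that registry (and on to the registrar for "thin" registries such as .com), parses the reply into fields, and flags contact fields that are hidden behind a privacy or proxy service, which is the case where the registrant cannot simply be read off the record. It assumes that whois.iana.org answers a TLD or an IP address with a `refer:` line and that the registries speak plain WHOIS on TCP port 43; the two sample replies embedded in it are constructed, not real data.

```python
"""Added example, not code from the original post: a small RFC 3912 WHOIS
client and reply parser for a domain name or an IP address. Assumed:
whois.iana.org answers a TLD or an IP with a 'refer:' line naming the
registry to ask next, and registries speak plain WHOIS on TCP port 43.
Only lookup() needs the network; parsing runs on the constructed samples."""
import ipaddress
import re
import socket

IANA, WHOIS_PORT = "whois.iana.org", 43
REFERRAL_KEYS = ("refer", "whois", "referralserver", "registrar whois server")
CONTACT_KEYS = ("registrant", "admin", "tech", "person", "org", "owner")
PRIVACY_MARKERS = ("redacted", "privacy", "proxy", "protected", "withheld")


def whois_query(server, query, timeout=10.0):
    """One RFC 3912 exchange: send the query line, read the reply to EOF."""
    with socket.create_connection((server, WHOIS_PORT), timeout=timeout) as s:
        s.sendall(query.encode("ascii", "ignore") + b"\r\n")
        with s.makefile("rb") as reply:
            return reply.read().decode("utf-8", "replace")


def parse_whois(text):
    """'Key: value' lines -> {lower-cased key: [values]}. Values are lists because
    fields such as Name Server repeat; comment/notice lines never start with a
    letter, so the regex skips them."""
    record = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z][A-Za-z0-9 /_-]*?):\s*(\S.*)$", line)
        if m:
            record.setdefault(m.group(1).strip().lower(), []).append(m.group(2).strip())
    return record


def referral(record):
    """Host of the next server to ask, or None if this reply is final. Covers
    IANA 'refer:'/'whois:', ARIN 'ReferralServer:' and a thin registry's
    'Registrar WHOIS Server:' (which is where the registrant data lives)."""
    for key in REFERRAL_KEYS:
        for value in record.get(key, []):
            if "://" in value:
                scheme, _, value = value.partition("://")
                if scheme.lower() != "whois":  # rwhois:// and http:// are not port-43 servers
                    continue
            host = value.split("/")[0].split(":")[0].lower()
            if host:
                return host
    return None


def privacy_flags(record):
    """Contact fields hidden by a privacy/proxy service or redaction: the
    complaint then has to go to the proxy service or the host instead."""
    return [(key, v) for key, values in record.items() if key.startswith(CONTACT_KEYS)
            for v in values if any(mark in v.lower() for mark in PRIVACY_MARKERS)]


def lookup(target, max_hops=4):
    """Ask IANA (for the IP itself, or just a domain's TLD), then follow
    referrals until a reply carries no further pointer. Needs the network."""
    try:
        ipaddress.ip_address(target)
        query = target
    except ValueError:
        query = target.rstrip(".").rsplit(".", 1)[-1]
    server, visited, record = IANA, [], {}
    for _ in range(max_hops):
        visited.append(server)
        record = parse_whois(whois_query(server, query))
        nxt = referral(record)
        if not nxt or nxt in visited:
            break
        server, query = nxt, target  # past IANA, ask for the full name/address
    record["_servers"] = visited
    return record


# Constructed sample replies shaped like a domain registry and like ARIN; not real data.
SAMPLE_DOMAIN_REPLY = """\
Domain Name: example.org
Registry Domain ID: D12345-EXAMPLE
Registrar WHOIS Server: whois.registrar.example
Registrant Name: REDACTED FOR PRIVACY
Name Server: NS1.EXAMPLE.ORG
Name Server: NS2.EXAMPLE.ORG
>>> Last update of WHOIS database: 2024-01-01T00:00:00Z <<<
"""
SAMPLE_IP_REPLY = """\
# ARIN WHOIS data and services are subject to the Terms of Use
NetRange:       192.0.2.0 - 192.0.2.255
CIDR:           192.0.2.0/24
OrgName:        Example Hosting LLC
StateProv:      TX
OrgAbuseEmail:  abuse@hosting.example
"""

if __name__ == "__main__":
    for name, text in (("domain", SAMPLE_DOMAIN_REPLY), ("ip", SAMPLE_IP_REPLY)):
        rec = parse_whois(text)
        print(name, "-> next server:", referral(rec), "| hidden:", privacy_flags(rec))
    # Live use: lookup("example.org") or lookup("192.0.2.1") and read the dict the same way.
```

Two things worth noting for anyone running this today rather than in 2006: a domain lookup that comes back with `REDACTED` or a privacy-service name in the registrant fields is the normal case now, not the exception, so the IP lookup for the host and its abuse contact is usually the productive step; and a thin registry's first reply only tells you which registrar to ask, which is why the client keeps following referrals until a reply has no further pointer.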

Well, emails went out to Rogerio and to the hosting company; the one to the host I also copied to Rogerio so he could see what I was doing. The point here was to make them both aware that I meant business and that I would be willing to involve higher authorities if needed. For example, here is the actual email I sent to Rogerio:

"Rogerio Anicio Oliveira,

This letter is to inform you that your registered site, bangblog.info
is currently hosting materials that are protected under international
copyright law and registered in the United States of America and
protected under International Law. Your IP address has been recorded
and all materials MUST be removed within 24 hours or further steps
will be taken to ensure the protection of our rights.

Our attorneys have been notified and we will pursue this matter
immediately. This email serves as a warning that we take all matters
of copyright seriously and consider your actions to be in direct
violation of the law.

If our materials are not removed we will contact your host immediately
and request that they terminate your hosting."

Almost immediately I got a very nice, short reply from him that simply said, "Fuck you."
To which I replied:

"We have noted your response and have taken the necessary steps to
inform your hosting service of your violations. Please be aware that
your information has also been transferred to the necessary government
authorities and that additional steps are also underway to ensure the
protection of our rights in this regard.

Have a nice day."

The point here is that the site came down within a half hour. I did contact the hosting company, and while getting any true justice there would have taken attorneys, the good news is that now I see they are no longer hosting the site.

I think that about covers the easy way to track IP addresses. This also works from a visitor's standpoint. You should be using a visitor counter on your site. I use two, one visible to my visitors and one invisible. One is a simple counter and one is a much more robust and complex counter. This is new since the rash of attacks we've been subjected to. But I monitor them both and make note of any strange or unusual visitors; I keep track of those IP addresses and other information. The same WHOIS lookup can be run on a visitor's IP address, should it come to that, with one caveat: for a visitor on an ordinary consumer connection the IP record names the ISP or network that holds the address block, not the person, so what you get is an abuse contact to complain to rather than a name and a street address.
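A counter tells you that someone unusual came by; the server's own access log tells you what they did, and a whole-site copy has a recognizable shape there: one client pulling many distinct pages in a short burst, often announcing a mirroring tool in its user agent. The following is an added example, not code from the original post, that reads that pattern out of Apache/nginx "combined" format log lines and reports the client IPs to look up. The sample traffic is constructed, and the thresholds (20 distinct pages within 5 minutes) and the list of mirroring tools are assumptions to tune for your own site.

```python
"""Added example, not code from the original post: spotting a site copier in
a web server access log. Combined-format lines are grouped per client IP and
a client is flagged when it fetched many distinct pages in a short window or
announces a mirroring tool. Sample traffic is constructed; thresholds and the
tool list are assumptions."""
import re
from datetime import datetime

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<referrer>[^"]*)" "(?P<agent>[^"]*)")?'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"
# Prefixes of tools commonly used to mirror a site; an assumed, not exhaustive, list.
DOWNLOADER_AGENTS = ("wget", "curl", "httrack", "webzip", "teleport")


def parse_line(line):
    """One combined-format line -> dict, or None if it does not parse."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
    return rec


def summarize(lines):
    """Per client IP: hit count, distinct paths, first/last time, user agents."""
    per_ip = {}
    for rec in filter(None, map(parse_line, lines)):
        s = per_ip.setdefault(rec["ip"], {"hits": 0, "pages": set(), "agents": set(),
                                           "first": rec["ts"], "last": rec["ts"]})
        s["hits"] += 1
        s["pages"].add(rec["path"])
        s["first"], s["last"] = min(s["first"], rec["ts"]), max(s["last"], rec["ts"])
        if rec["agent"]:
            s["agents"].add(rec["agent"])
    return per_ip


def flag_scrapers(per_ip, min_pages=20, window_seconds=300):
    """{ip: [reasons]} for clients that fetched many distinct pages inside a
    short window, or that announce a mirroring tool. The page-and-window rule
    is the signal that survives a spoofed user agent; the agent check is a bonus."""
    flagged = {}
    for ip, s in per_ip.items():
        reasons = []
        span = (s["last"] - s["first"]).total_seconds()
        if len(s["pages"]) >= min_pages and span <= window_seconds:
            reasons.append(f"{len(s['pages'])} distinct pages in {int(span)}s")
        reasons += [f"mirroring tool user agent: {a}" for a in sorted(s["agents"])
                    if a.lower().startswith(DOWNLOADER_AGENTS)]
        if reasons:
            flagged[ip] = reasons
    return flagged


def make_sample_log():
    """Constructed traffic, not a real log: one ordinary reader over ten
    minutes and one client pulling 30 posts in under a minute."""
    fmt = '{ip} - - [04/Feb/2006:{t} -0600] "GET {path} HTTP/1.1" 200 4096 "-" "{ua}"'
    lines = [fmt.format(ip="198.51.100.5", t=t, path=p, ua="Mozilla/5.0")
             for t, p in (("09:00:00", "/"), ("09:04:00", "/post/3"), ("09:10:00", "/post/7"))]
    lines += [fmt.format(ip="203.0.113.7", t=f"09:20:{i:02d}", path=f"/post/{i}", ua="Wget/1.10")
              for i in range(30)]
    return lines


if __name__ == "__main__":
    for ip, reasons in flag_scrapers(summarize(make_sample_log())).items():
        print(ip, "->", "; ".join(reasons))
```

The flagged addresses are the ones worth a WHOIS lookup; a reader browsing three posts over ten minutes never trips the rule, while a client that changes its user agent to look like a browser still does, because the page count and timing come from the server's own records.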

Next time I will talk about the Digital Millennium Copyright Act of 1998 ("DMCA") and how to use it to protect your intellectual property, who to contact in the government that can help you and steps you can take to further protect yourself from identity thieves, hackers and other nefarious bandits.

I hope you find this information helpful. If anyone has a specific problem or question, please post it in comments or if you want, contact me directly at secretbrain1138 at gmail.com

Thanks,

3 Comments:

Blogger Aragorn Had this to say...

Thanks Art!! High quality information, copied and secured! Exactly what we need, I think. Cheers! - A

5:28 AM  
Blogger Don Had this to say...

Very interesting stuff. My blog is too dull to copy but this is good to know in any case. Thank you for such a clear & simple explanation.

6:24 AM  
Anonymous Anonymous Had this to say...

Thank you for such interesting information regarding blog theft.
Late last year I had a blog with Blogdrive, and found that some scum had been copy/pasting my entries and putting them in his own blog.
I ended up deleting the blog, but now some other "nice" fellow has taken my old blog address and is using it for his own links to porn.
I have installed "Site Meter" on my new blog, and hope that in some way I can track any funny business.
I've taken your advice and kept the link to WHOIS... thanks very much.
P.S. I found that this person also copy/pasted heaps of other people's blogs; his Blogger profile name was "Digger123".

9:41 PM  
