Michelle's Blog


The life of Michelle Sullivan, an amateur photographer, geek, trans-woman, and narcissist (according to some).

Tracing/Tracking people on the Internet…

Written By: Mhix - May 16, 2011

You know, it never ceases to amaze me how naive some people are. Some people think that doing something as simple as browsing a web page is anonymous, that they can use the built-in features of things like Firefox to hide all information about themselves, and they know very little about the technical side of the Internet. That said, if you are just using Facebook and follow the usual ‘safe’ rules for your interaction, like refusing all application invites etc., you will stay fairly anonymous… and if you’re really worried you’d use something like ‘ToR’ to hide where you’re coming from.

Of course, if you access something that the person you are trying to hide from actually controls, you can easily be found, tracked, traced and watched without anyone doing anything illegal. For example: I own this blog, I administer the server, and I set the logging and access controls… From that alone, without any special equipment or tracking tools, I can locate and watch someone following my blog. I can see when they change IP addresses and in some cases even tell when they are accessing the blog from their partner’s house/internet connection. With a little more information, like the logs of a secured login, I can even tell when they are using a smart phone, an internet dongle, a proxy server, the ToR service or a boyfriend’s computer to access it…

Even without this information it is sometimes possible to track the person down to a hotel, pub, cafe, or even their street (depending on how well the internet service at their location is set up: the better the setup, the easier it is). I have been asked a few times whether I can teach this to people; the simple answer is “yes I can”, but it takes years to really teach it. (I might add that the same tracing can be applied to addresses found in email headers, which is how I learnt to do it and where I most often get asked to teach the skill.)

So very simply, to give an example..

A single log line from my blog…
114.77.xx.xx - - [15/May/2011:14:37:08 -0400] "GET /voodoolulu/banner-ad-75h.jpg HTTP/1.1" 200 30354

(xx.xx replaced to aid privacy as I don’t want to expose anyone)

So what can we know? Well, immediately we can perform a “whois” lookup on the address, which returns…

inetnum: 114.76.0.0 - 114.77.255.255
netname: OPTUSINTERNET-AU
descr: OPTUS INTERNET - RETAIL
descr: INTERNET SERVICES
descr: 1 Lyonpark Road, Macquarie Park, NSW – 2113
country: AU
admin-c: OI3-AP
tech-c: OI3-AP
mnt-by: APNIC-HM
mnt-lower: MAINT-AU-OPTUSINTERNET
status: ALLOCATED PORTABLE
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
remarks: This object can only be updated by APNIC hostmasters.
remarks: To update this object, please contact APNIC
remarks: hostmasters and include your organisation’s account
remarks: name in the subject line.
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
changed: hm-changed@apnic.net 20080514
source: APNIC


… now, first thing: forget the “1 Lyonpark Road, Macquarie Park, NSW – 2113” address. It is the address of the owner of the whole range and means nothing in this case. Since no more localised information is available from whois, we trace the route to the address instead, and we get…
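As an added example (not code from the original post), here is how an operator can pull the fields out of an access-log line like the one above, redact the address before quoting it publicly the way the post does, and read a whois record into a dictionary. The log line and whois text below are constructed samples in the same format, using an RFC 5737 documentation address rather than a real visitor.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample line in the post's format (RFC 5737 address, not a real visitor).
SAMPLE_LOG = ('203.0.113.45 - - [15/May/2011:14:37:08 -0400] '
              '"GET /voodoolulu/banner-ad-75h.jpg HTTP/1.1" 200 30354')
# A few of the inetnum fields shown in the post, as constructed parser input.
SAMPLE_WHOIS = """inetnum:      114.76.0.0 - 114.77.255.255
netname:      OPTUSINTERNET-AU
descr:        OPTUS INTERNET - RETAIL
descr:        INTERNET SERVICES
country:      AU
source:       APNIC
"""

# Apache "common log format": ip ident user [time] "request" status bytes
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
                    r'(?P<status>\d{3}) (?P<size>\d+|-)$')

def parse_access_log_line(line):
    """Split one access-log line into typed fields; None if it is not in that format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    d["status"] = int(d["status"])
    d["size"] = 0 if d["size"] == "-" else int(d["size"])
    return d

def mask_ip(ip, keep=2):
    """Redact trailing IPv4 octets the way the post writes 114.77.xx.xx before publishing."""
    parts = ip.split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return "xx"            # not a dotted IPv4: publish nothing rather than leak it
    return ".".join(parts[:keep] + ["xx"] * (4 - keep))

def parse_whois(text):
    """Parse RPSL 'key: value' whois text; keys that repeat (descr, remarks) become lists."""
    fields = defaultdict(list)
    for raw in text.splitlines():
        if raw.startswith(("%", "#")) or ":" not in raw:
            continue           # comment or blank line
        key, _, val = raw.partition(":")
        fields[key.strip()].append(val.strip())
    return {k: v[0] if len(v) == 1 else v for k, v in fields.items()}
```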


traceroute to 114.77.xx.xx (114.77.xx.xx), 64 hops max, 52 byte packets
1 * * *
2 212.56.128.1 (212.56.128.1) 10.116 ms 28.361 ms 9.733 ms
3 g200-south02.csr01.melita.com (212.56.129.100) 10.069 ms 13.749 ms 11.962 ms
4 151.5.142.1 (151.5.142.1) 29.503 ms 18.506 ms 26.223 ms
5 pavb-b01-ge2-0.70.wind.it (151.6.125.194) 18.882 ms 24.529 ms 18.001 ms
6 rmas-t02-gepa-b01-po01.wind.it (151.6.5.13) 39.284 ms 36.969 ms 35.689 ms
7 151.6.3.10 (151.6.3.10) 48.129 ms 49.374 ms 33.130 ms
8 so-7-0-3.mil19.ip4.tinet.net (77.67.66.5) 57.627 ms 46.685 ms 44.753 ms
9 xe-4-1-0.sjc12.ip4.tinet.net (89.149.186.205) 235.392 ms
xe-2-0-0.sjc12.ip4.tinet.net (89.149.183.85) 291.282 ms
xe-4-1-0.sjc12.ip4.tinet.net (89.149.186.205) 237.674 ms
10 singtel-gw.ip4.tinet.net (77.67.79.6) 217.624 ms 226.524 ms 220.423 ms
11 203.208.191.74 (203.208.191.74) 373.297 ms 374.333 ms 374.550 ms
12 sbr5-ge4-0.gw.optusnet.com.au (211.29.126.10) 393.471 ms 389.727 ms 386.396 ms
13 mas2-ge10-1-0-901.gw.optusnet.com.au (211.29.125.17) 406.025 ms 406.293 ms 394.495 ms
14 rdl2-ge5-0-0-904.gw.optusnet.com.au (211.29.125.137) 393.149 ms 391.939 ms 396.495 ms
15 fitzg3-ge3-0-1.cm.optusnet.com.au (198.142.192.118) 389.859 ms 402.673 ms 390.419 ms
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *


At this point either the host is offline or, more likely, the trace is being blocked. Well, there is a handy property of traceroute here: it can send its probes as more than one packet type (UDP, ICMP or TCP), and a filter that blocks one type often lets another through. Just change the packet type, run the same trace again, and we get…


traceroute to 114.77.xx.xx (114.77.xx.xx), 64 hops max, 72 byte packets
1 * * *
2 212.56.128.1 (212.56.128.1) 12.228 ms 9.862 ms 7.976 ms
3 g200-south02.csr01.melita.com (212.56.129.100) 8.878 ms 10.389 ms 9.747 ms
4 151.5.142.1 (151.5.142.1) 17.765 ms 17.769 ms 18.752 ms
5 pavb-b01-ge2-0.70.wind.it (151.6.125.194) 19.743 ms 18.830 ms 17.517 ms
6 rmas-t02-gepa-b01-po01.wind.it (151.6.5.13) 46.316 ms 37.276 ms 36.122 ms
7 151.6.3.162 (151.6.3.162) 37.250 ms 52.920 ms 35.174 ms
8 so-7-0-3.mil19.ip4.tinet.net (77.67.66.5) 50.062 ms 50.338 ms 43.967 ms
9 xe-2-0-0.sjc12.ip4.tinet.net (89.149.183.85) 223.130 ms 221.214 ms 220.005 ms
10 singtel-gw.ip4.tinet.net (77.67.79.6) 217.295 ms 222.547 ms 216.105 ms
11 203.208.191.74 (203.208.191.74) 380.631 ms 373.394 ms 370.138 ms
12 sbr5-ge4-0.gw.optusnet.com.au (211.29.126.10) 388.697 ms 388.686 ms 387.816 ms
13 mas2-ge10-1-0-901.gw.optusnet.com.au (211.29.125.17) 394.667 ms 395.060 ms 393.294 ms
14 rdl2-ge5-0-0-904.gw.optusnet.com.au (211.29.125.137) 392.353 ms 391.459 ms 390.155 ms
15 fitzg3-ge3-0-1.cm.optusnet.com.au (198.142.192.118) 389.976 ms 390.313 ms 387.935 ms
16 c114-77-xx-xx.fitzg3.qld.optusnet.com.au (114.77.xx.xx) 426.482 ms 400.787 ms 401.850 ms

So what has this told us? Well, basically that the host is still online and the end point is reachable. The reverse DNS name of the last hop also tells us it is a Queensland, Australia service, and with a little extra knowledge (take your guess; if you can’t spot it, then you’ll never get it) that it is a host behind the Fitzgerald routing point.
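As an added example (not from the original post), here is a small parser for traceroute output that tells a blocked trace (like the first one above, ending in rows of “* * *”) from a completed one (like the second, whose last hop is the target itself). It also handles the extra lines traceroute prints when one hop’s probes took different paths, as at hop 9 of the first trace. The two traces it works on are constructed with RFC 5737 documentation addresses.

```python
import re
# Constructed sample traces (RFC 5737 documentation addresses, not the post's real hops).
TRACE_BLOCKED = """traceroute to 198.51.100.7 (198.51.100.7), 64 hops max, 52 byte packets
 1  * * *
 2  gw.example.net (192.0.2.1)  10.1 ms  9.8 ms  9.9 ms
 3  core1.example.net (192.0.2.10)  29.5 ms
    core2.example.net (192.0.2.11)  31.2 ms
    core1.example.net (192.0.2.10)  28.9 ms
 4  * * *
"""
TRACE_REACHED = """traceroute to 198.51.100.7 (198.51.100.7), 64 hops max, 72 byte packets
 1  * * *
 2  gw.example.net (192.0.2.1)  10.1 ms  9.8 ms  9.9 ms
 3  core1.example.net (192.0.2.10)  29.5 ms  31.2 ms  28.9 ms
 4  host-198-51-100-7.example.net (198.51.100.7)  42.0 ms  41.3 ms  40.8 ms
"""

HEADER_RE = re.compile(r"^traceroute to \S+ \((?P<target>[\d.]+)\)")
HOP_RE = re.compile(r"^\s*(?P<hop>\d+)\s+(?P<rest>.*)$")   # a new hop starts with its number
RESP_RE = re.compile(r"(?P<host>\S+) \((?P<ip>[\d.]+)\)")   # "name (ip)" of a responding router
RTT_RE = re.compile(r"([\d.]+) ms")

def parse_traceroute(text):
    """Return (target_ip, hops); each hop lists every responder and RTT, including continuation lines."""
    target, hops = None, []
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            target = h.group("target")
            continue
        m = HOP_RE.match(line)
        if m:
            hops.append({"hop": int(m.group("hop")), "responders": [], "rtts": []})
            line = m.group("rest")      # continuation lines (no number) stay with the current hop
        if not hops:
            continue
        cur = hops[-1]
        for r in RESP_RE.finditer(line):
            pair = (r.group("host"), r.group("ip"))
            if pair not in cur["responders"]:
                cur["responders"].append(pair)
        cur["rtts"] += [float(x) for x in RTT_RE.findall(line)]
    return target, hops

def trace_reached(text):
    """(reached, last_answering_hop). A tail of '* * *' rows means this probe type was
    filtered somewhere past that hop, not necessarily that the host is offline."""
    target, hops = parse_traceroute(text)
    answered = [h for h in hops if h["responders"]]
    if target is None or not answered:
        return False, None
    return any(ip == target for _, ip in answered[-1]["responders"]), answered[-1]
```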

So, given that I live in Malta and my blog is hosted in the USA, those last hops are the visitor’s, and suddenly I know the country, the region and a very close location to where the person browsed from…

Now if you have access (as I do) to an accurate Geo-Location service (eg


13 Comments

  1. Das Spiel says:

    You’re such a sad little person.

    You could do so much good with the skills you have yet you continue to bring yourself down to this. Move on, get a life, get over it.

    Good luck tracking me down by the way; I’m behind 7 proxies and use 127.0.0.1 as my gateway! *trollface.jpg*

    Seriously though, despite the fact I could place myself in any number of countries the simple fact is I don’t care. You knowing my current location doesn’t make a spit of difference to anything (except for the fact you’d probably start by blocking this IP *shakes head sadly*).

    -CA

    • Mhix says:

      So you finally found Australian friends willing to post comments at last.. wondered how long it would take you ;-)

      BTW, I have moved on, Oreste and I have been dating for about a month now, the only reason the escalations are happening is because you won’t leave me alone. Good luck for the future.

      • Das Spiel says:

        Babow!(*), funny how you did exactly what I knew you would.. I even told you it doesn’t make any difference. Care to try again? :-)

        I wasn’t asked to post here, I did so because like the context of your original post I found your rather pointed and childish. The fact that you even responded even though you blocked my original IP shows that you intended for someone to see the reply, so you’re still going at it.

        Also, bolding the word “you” doesn’t actually make any sense as you don’t know who *I* am. Oh and the sarcasm, once again; not valid to me.

        -CA

        (*) http://www.youtube.com/watch?v=1ytCEuuW2_A

        • Mhix says:

          HMA Pro VPN service working for you then? :P

          • Das Spiel says:

            Wrong again sorry. This is quite amusing though, watching you make an ass of yourself. Attempt 4, but I doubt you’ll have any more success than the last time.(*)

            Likewise I can only assume you get off on posting other people’s private conversations on the internet hmm? Surely as a self-proclaimed “security professional” you should know that posting “forensic evidence” online is a breach of investigation protocol. But I’m sure your ego is more important to you..

            Perhaps you should reconsider your profession, you take better photos than you secure evidence and your reputation on the internet is far from stellar. Perhaps you could take up hermitage instead?

            -CA

            (*) http://www.youtube.com/watch?v=-aJROW6cuEM

          • Das Spiel says:

            You never reply to my comments any more. I feel so unloved and might cry!

            -CA

          • Mhix says:

            Of course I don’t, you’re not worth the trouble now I know who you are.

  2. Das Spiel says:

    Then pray tell, who am I? :-)

    I’ll believe it when I hear it. If you’re correct you might even get a pat on the head and a smidgen of respect back (For the knowledge you have and the past work you’ve done. Your social standing I’m sorry to say isn’t something that’s going to be climbing golden ladders anytime soon.)

    My country of origin has been easy enough to work out as has my connections, which leaves you with a very very limited subset of people to work through until you find one that matches and has all the relevant knowledge or qualifications. It’s quite an elementary process of elimination and one that .. quite frankly has taken you much longer than I’d originally expected given what I’d read.

    So. *puts on movie accent* Go ahead, make my day.

    -CA

    • Mhix says:

      Your country of Origin is Australia, but your current location is Malta, Tal-ibragg to be precise, using a GO Mobile “Internet Key” (Prepaid USB 3G Dongle).. The proxy servers and the HMA VPN Pro connection was a little more difficult to back track, and the getting a friend to make a post on your behalf was funny, but I guess you don’t know everything about writing as you thought you do. No wonder you can’t get that writing job.. hope you fix that before you get with TEFL and start teaching.

      • Das Spiel says:

        Lol. You’re still way way way off.
        The Go Mobile was an open Malta proxy I threw in for a lol, same as the post from the UK.

        Seems like you still have nothing. While I have a job in absolutely nothing to do with teaching *Blerghhhh*

        -CA

        • Mhix says:

          LOL .. Katie what you don’t realize is the police, GO mobile, your employer and I are all tracking you. You have a criminal case against you, that means we will continue to collect evidence until the case comes to court, and an open proxy in Malta, um… no ;-) Know exactly where you posted from, even have the GPS co-ordinates of the tower you connected to, you really don’t know anything about the telephone network do you. You do know that back in 1991 when the first (analogue) mobile phones came to market, I was repairing them to component level (the Motorola 4500x “brick” phone..) but I guess as you were only 3 years old you wouldn’t remember them.

          Oh stay away from Coconut/Remedy and V-Gen tonight, I’ll be there with my camera, and you will have photos taken and forwarded to Fiona/Mark/Dave if you are stupid enough to turn up.

          Mhix

          PS: When something belongs to someone, you use an apostrophe.. ie “Katie’s friends”… If you use an abbreviation such as “it’s” instead of “it is” you do the same..

          • Das Spiel says:

            Also, just a couple of side notes:

            1) Repairing a 20 year old phone at the component level != being a networking guru. Anyone with the tools and components (and half a brain in their head) can build and program an Arduino to the same level as that 20 year old phone, big dealio you old fogey.

            2) I’m beginning to doubt that your “auto-emailing to fiona” script is actually legit or working.
            a) Firstly, because I realise poor fiona would have an inbox full of useless emails right now (what sort of meanie would do that!) and she’d probably be pretty pissed off about it at this point :-)

            b) because the page being served (proxy.html) is simply a static html page from apache and contains no auto-generated content nor is it called from a script, it’s just a simple redirect. The only “auto emailing” going on is either you trawling through the log

            3) You’d have to know what I look like to recognise me in any photos you took.. and I’d have to catch a plane to get there… probably won’t make it tonight.. next week then? Can we make it a date? I’ll bring some red!

            Much love,
            Your Intelligent Friend – CA

          • Mhix says:

            1/ I know ;-)

            2/ It works, but it’s a little more intelligent than you think.. (b) you’re right the page is a static one after the redirect.

            3/ Just because you and Katie are acting as a tag team in your posts doesn’t make you any more intelligent. What you don’t know is a lot about how browsers work and when she does stuff some of it – even with the proxy settings and the HMA VPN settings it will bypass them all and contact the blog directly.. call it a, umm.. “Bug” ;-) It also doesn’t help that you two have different grasps of English grammar, and hers is quite specific. Myself, well I’m not that good at detecting anything but the most obvious grammar changes, but a friend of mine wrote a lovely little utility which does spot grammar changes in posts and can correlate the differences to identify which were made by which person.. not to mention that the original purpose of it was to identify trolls on USENET against postings in mailing lists to identify the actual perpetrator, which it does very well.

            Mhix
