Page 1 of 3
Results 1 to 10 of 29

Thread: Catch the thief

  1. #1 Shatter (Senior Member; Join Date: Jan 2010; Posts: 192)

    Catch the thief

    I have a scenario to solve. A slight problem, if you would...

    Suppose you host a Linux server with an Apache webserver on it. The main website is a small forum where certain people come to discuss things. Now there is this guy that keeps coming back (also registers new accounts after being banned) and spams the forum over and over again. You have the Apache logs, but he is using an anonymizer to hide his real IP address or perhaps he connects to someone else's wireless and does it from there. Let's say you suspect that the person in question is in fact one of your internet "friends" or someone you know.

    Any ideas on how to catch the criminal and prove he was involved?
    I have the card in me head, but you have the memory problems?

  2. #2 Member (Join Date: Feb 2010; Location: Root; Posts: 121)

    If you're serious about catching this "friend", then report it to the local authorities, pass the logs to them. Let them do what they do best. But the thing is, I am not sure that "spamming" forums is illegal. Can you define the "spam"?

  3. #3 Good friend of the forums (Join Date: Jun 2008; Posts: 425)

    Try saying in plain English to the person to leave, they might stay around for a little bit then go.

    Try finding out the MAC of their BB router and block that or ISPs. I think just doing a traceroute to find the hop 1 or 2 before the target, then send a SYN packet to that hop directly then read the source MAC on the reply.

    Sorry, forgot about the proxy. Install port knocking (knockd) on your server and only tell your group of friends the port combinations.
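    The knockd suggestion above, written out as an added example configuration (this is not from the poster, and not a config the thread itself provides). It assumes knockd and iptables on the Linux server, a default firewall policy that already drops inbound TCP/80 from everyone, and a constructed knock sequence (7000, 8000, 9000) that you would replace with your own. Only hosts that send the sequence get port 80 opened for their source address, and the rule is removed again after a timeout:

```ini
[options]
	UseSyslog

; Open the forum's HTTP port only for the IP that sent the correct knock.
; The sequence below is a placeholder; pick your own unused ports and share
; them only with the closed group of members.
[openForum]
	sequence      = 7000,8000,9000
	seq_timeout   = 5
	tcpflags      = syn
	; %IP% is expanded by knockd to the knocking host's source address
	start_command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 80 -j ACCEPT
	; hold the rule open long enough to read and post, then close it again
	cmd_timeout   = 1800
	stop_command  = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 80 -j ACCEPT
```

    Two things to keep in mind before relying on this: the knock itself is sent in the clear, so anyone able to sniff a member's traffic (the "someone else's wireless" case from the first post) learns the sequence, and a member who knocks through an anonymizer opens the port for the anonymizer's address, not their own. It hides the forum from everyone who does not know the sequence, which fits a private group but not a public site.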

  4. #4 Shatter (Senior Member; Join Date: Jan 2010; Posts: 192)

    By spamming I mean posting useless and hate messages all over the forum. The thing is I'd like to know who is doing it, but I am uncertain whether he lives in the same country as I. I can't portscan or trace past the anonymizer, but my logs contain his browser signature that I can compare against suspects; however, that's not enough to jump to any conclusions since a lot of browsers have the same signature (Firefox 3). Is there any other data than a browser signature or the IP address that people leave behind when browsing?

    My idea is to create a simple flash SWF file and post it inside a honeypot thread. When the spammer opens the thread, he will download the swf, assuming his browser supports it and display it. Hopefully I can make the SWF request a specified file from my server and since the SWF runs in his browser, I assume it will bypass the anonymizer and connect directly to my server, logging the real IP in the process.
    I have the card in me head, but you have the memory problems?

  5. #5 Thorn (Senior Member; Join Date: Jan 2010; Location: The Green Dome; Posts: 1,509)

    If he's using an anonymiser, you can't trace it past that point, and anything you do is really going to be pretty useless.

    Employing something like the SWF might work, but I'm not sure how you would limit it to just the bad guy, and not everyone reading the thread. It might also be considered a trojan. Tread carefully there. You don't want to be doing anything that might get you in legal trouble.

    It depends on the software, but most forum software has some controls you can employ in your favor. First, create an additional group of new members who have zero ability to post. Then, make a 'join delay before posting' policy of one to two weeks. Put all new joins in the new group that is governed by this policy. Only elevate them to regular memberships after that time has elapsed. You can do this manually, but most forums have an ability to do date-based privilege elevations.

    Finally, ban the current bad user(s). This will force them to rejoin, and when they do, they will be in the new non-posting group. Most commercial spammers will try to post immediately and give up after, and hate spammers usually don't have the patience to come back after the delay once they've been banned a time or two.

    We've done something similar to this on three different forums I have a hand in running, and it works well. Spamming by ****tards dropped from about 30 posts a day to zero on one forum. Another has had only two spams in over a year.

    Another control is to ID the anonymisers being used, and block connections to their DNS name and IP. Also, blocking anonymous email drop services and "anyone can join" email services like Hotmail helps a lot.
    Thorn
    Stop the TSA now! Boycott the airlines.
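    The join-delay policy Thorn describes (a non-posting group for new joins, date-based elevation to regular membership, and bans that force the spammer back through the delay) as an added Python example. This is not code from the thread or from any forum package; the Member model, the 14-day delay value, the group names and the sample accounts are all constructed here to show the mechanics:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List

# Constructed policy value: "one to two weeks" of join delay before posting.
PROBATION_DAYS = 14


@dataclass
class Member:
    """Hypothetical forum account; not any real forum software's schema."""
    name: str
    joined: datetime
    group: str = "probation"   # "probation": zero posting ability; "regular": may post
    banned: bool = False


def can_post(member: Member) -> bool:
    """Posting is allowed only for unbanned members already in the regular group.
    The check never looks at the join date: elevation, not account age, grants the right,
    so a forgotten cron job fails closed rather than open."""
    return member.group == "regular" and not member.banned


def promotions_due(members: List[Member], now: datetime,
                   delay_days: int = PROBATION_DAYS) -> List[str]:
    """Names of probation members whose full join delay has elapsed."""
    delay = timedelta(days=delay_days)
    return [m.name for m in members
            if m.group == "probation" and not m.banned and now - m.joined >= delay]


def promote_due(members: List[Member], now: datetime,
                delay_days: int = PROBATION_DAYS) -> List[str]:
    """Date-based privilege elevation: move every due member to the regular group."""
    due = set(promotions_due(members, now, delay_days))
    for m in members:
        if m.name in due:
            m.group = "regular"
    return sorted(due)


def ban(member: Member) -> None:
    """Banning revokes posting immediately, whatever group the account is in."""
    member.banned = True


def register(members: List[Member], name: str, now: datetime) -> Member:
    """A (re)joining account always starts in probation with a fresh join date,
    so a banned user who re-registers faces the whole delay again."""
    m = Member(name=name, joined=now)
    members.append(m)
    return m


def demo():
    """Constructed scenario: two genuine joiners and one banned spammer who rejoins."""
    t0 = datetime(2010, 3, 1)
    members: List[Member] = []
    register(members, "alice", t0)                        # joined on day 0
    register(members, "bob", t0 + timedelta(days=10))     # joined on day 10
    spammer = register(members, "spammer", t0)
    ban(spammer)                                          # banned before the delay ends
    now = t0 + timedelta(days=15)
    promoted = promote_due(members, now)                  # only alice is due
    rejoined = register(members, "spammer2", now)         # new account, back in probation
    return promoted, can_post(members[0]), can_post(members[1]), can_post(rejoined)


if __name__ == "__main__":
    print(demo())
```

    Run it once a day (or on each login) against the member table and the only manual step left is the ban itself; a rejoining spammer lands in probation with a new join date and cannot post until the delay has run again.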

  6. #6 Shatter (Senior Member; Join Date: Jan 2010; Posts: 192)

    Eh, I'm not sure if there's anything illegal about posting a flash and having it load a separate file from my server. Lots of SWFs do that on a daily basis, e.g. the photo albums (deviant art). I'm not really bothered by other people browsing the thread. I have the IP of the anonymizer so when the suspect enters the thread, he'll download the flash via the anonymizer. This is how I'll know it's him. Next, the SWF will link up to download an image file from my server straight away. That way there should be two entries in the logs. The request to download the SWF (has the IP of the anonymizer) and the request to download the image file (has the real IP address).

    Yeah, the join delay is a possible solution against spamming, but doesn't say who the suspect is. I'll see if I can implement and/or activate any of the listed features.
    I have the card in me head, but you have the memory problems?

  7. #7 streaker69 (Senior Member; Join Date: Jan 2010; Location: Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA; Posts: 3,535)

    Quote Originally Posted by xCPPx:
    Eh, I'm not sure if there's anything illegal about posting a flash and having it load a separate file from my server. Lots of SWFs do that on a daily basis, e.g. the photo albums (deviant art). I'm not really bothered by other people browsing the thread. I have the IP of the anonymizer so when the suspect enters the thread, he'll download the flash via the anonymizer. This is how I'll know it's him. Next, the SWF will link up to download an image file from my server straight away. That way there should be two entries in the logs. The request to download the SWF (has the IP of the anonymizer) and the request to download the image file (has the real IP address).

    Yeah, the join delay is a possible solution against spamming, but doesn't say who the suspect is. I'll see if I can implement and/or activate any of the listed features.
    ...and exactly what do you think you're gonna do when you actually find out who he is? You're on a pointless mission, you may as well just nuke him from orbit, it's the only way to be sure.
    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

  8. #8 thorin (My life is this forum; Join Date: Jan 2010; Posts: 2,629)

    Catch the thief
    Where does the "thief" part come in?
    I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.

    I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.

  9. #9 Barry (My life is this forum; Join Date: Jan 2010; Posts: 3,817)

    Quote Originally Posted by thorin:
    Where does the "thief" part come in?
    The time lost while reading this thread.
    Of course, if you really wanted to have some fun, go to Wal-Mart late at night and ask the greeter if they could help you find trashbags, roll of carpet, rope, quicklime, clorox and a shovel. See if they give you any strange looks. --Streaker69

  10. #10 Good friend of the forums (Join Date: Jun 2008; Posts: 425)

    Just an idea, but if they had an HTTP proxy on their computer that then sends everything to the anonymizer, your SWF I think would only show the third party, unless it was sent to another port apart from dst 80, 445, 8080, then it might be classed as a trojan.
