Perl programmer for hire: download my resume (PDF).
John Bokma MexIT
freelance Perl programmer

Tracking Internet stalkers and reporting them

Saturday, January 7, 2006 | 1 comment

Recently I moved a phpBB message board belonging to a friend, from one site to another. She suspected one or more persons hacking her message board. I had the feeling that the hosting she got for free was of the quality she was paying for and blamed it on bad maintenance, and advised her to move to a different hosting company. Well, in the end it turned out that she was right about one thing, she had two rats trying to stalk her, and making subtle changes to her forum.

She also had an idea where they were coming from. Some time ago she had been a member of a message board and gotten into a fight with the administrator. Could it be that this person just wanted a very childish form of revenge? With the help of someone else? Sabotaging an online community, and stalking the owner?

Yesterday she asked me for advice, and I blocked one stalker (at that time we thought there was only one) out of her phpBB message board with the following entries in the .htaccess file:

RewriteCond %{REMOTE_ADDR} ^W\.X\.Y\.Z$
RewriteRule (.*) http://example.com/ [R=301,L]

Note that I have replaced the actual IP address with W.X.Y.Z, and the actual site the cyberstalker got redirected to, replaced with http://example.com/. (Also note that the dots in the IP address are and should be escaped, since its a regular expression).

Rewrite on IP address: how it works

The rewrite is done using the Apache HTTP server mod_rewrite module, and is actually very simple: if the environment variable REMOTE_ADDR, which contains the IP address of the visitor, matches the pattern given in the regular expression, the visitor is redirected to another website. Of course this is a bit harder if the stalker is going to use several computers with different IP addresses.

Finding fingerprints

I downloaded the web server access log and error log files of her site, and of mine (I am also running a phpBB forum as well, and we share some members) and wrote a small Perl program to do some (re)search actions. Some people might prefer grep or one of its relatives for work like this, but to me, as a Perl programmer, Perl has some advantages, like generating statistics, resolving IP numbers etc.

Very soon I found quite an unique fingerprint (line split in two):

Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.12)
Gecko/20050915 Firefox/1.0.7

It turned out that both stalkers were using an Apple Mac, in combination with Firefox (an old version in this case), for their childish activities. So I changed the rewrite rule in .htaccess into:

RewriteCond %{HTTP_USER_AGENT} ^Mozilla/5\.0\ \(Macintosh;\ U;\ ...
RewriteRule !^some-image\.jpg$ http://example.com/some-image.jpg [R=301,L]

Note that I shortened the first line for readability, and also that some characters in the user agent string have to be escaped, like space, dot, opening (and closing) bracket, etc.

Rewrite on User Agent: how it works

Again a simple rewrite: if the user agent as sent by the browser and available in environment variable HTTP_USER_AGENT, matches the regular expression, the regular expression in the rewrite rule is evaluated and if a match occurs, the visitor is redirected. The regular expression in the rewrite rule checks if the visitor is not already watching some-image.jpg, and only if not, the visitor is redirected to it. Without this check a redirection loop would occur. Also, note how we need to escape a lot of characters in the regular expression of the rewrite condition, notable the spaces. Forgetting to escape the latter results in a 500 server error and the site becoming inaccessible to every visitor. So if you do redirect hack, check, and double check.

Verifying the rewrite on user agent

The next step was to verify that the rewrite actually works. One way is to change the User Agent string in Mozilla Firefox. But I had of an easier solution installed on my computer, the program wget:

wget http://example.com --user-agent="Mozilla/ 5.0 (Macintosh; U;
PPC Mac OS X Mach-O; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0
.7"

--17:01:35-- http://example.com/ => `index.html'
Resolving example.com... ww.xx.yy.zz
Connecting to example.com|ww.xx.yy.zz|:80... connected.
HTTP request sent, awaiting response...
301 Moved Permanently Location: http://example.org/some-image.jpg
[following]

--17:01:35-- http://example.org/some-image.jpg => `some-image.jpg'
Connecting to example.com|ww.xx.yy.zz|:80... connected.
HTTP request sent, awaiting response...
200 OK Length: 86,301 (84K) [image/jpeg]
100%[====================================>] 86,301 53.89K/s
17:01:36 (53.73 KB/s) - `some-image.jpg' saved

Output has been formatted for clarity, and some information has been obfuscated.

What this output shows is that when I tried to connect sending the very specific user agent string along with the request, that the wget program got redirected to some-image.jpg. When I tried to access the site with Mozilla Firefox, running on Windows XP, no redirection took place. So this works.

Checking referers

The next step was to find out how those stalkers got to her and my site. My friend had a good idea, but I wanted to have some proof. So I modified the script to report referers for the IP numbers I had already found so far (three, 2 very likely used by the same person, and a 3rd either a friend / helper)

One referer looked very interesting: an Earthlink mailbox. Someone visited my phpBB message board via this link on the 5th of December, and logged in as my friend. I remembered that in the beginning of December I had mailed some members of my message board: the ones that didn't post or visit often. I checked the program that I used to email, a Perl program I have written, and it was modified on the 5th of December, when I did the last email run.

So I rolled back the local copy of the database of my message board, and checked who got this quite specific message. Only 65 people, and only one Earthlink email address. Of course it's possible that someone redirects email to Earthlink, or the message has been forwarded. But in this case, we both got a very bad feeling, because my friend registered with my board using an Earthlink email address, and she was in the list...

Verifying the mailbox hack

The friend told me that she used exactly the same password for her Earthlink account, as for both message boards. Moreover, she had used this password for many accounts, for quite some time. I asked her to log into her Earthlink account and check. The message had been deleted, she told me that she always deletes all messages after reading. So I asked her to send a message to herself, so we could see the msgid.

... msg.jsp?msgid=5619&folder=INBOX ...
... msg.jsp?msgid=5729&folder=INBOX ...

The msgid numbers were too close to be just a coincidence, so it seems that the cyberstalkers have been reading her email, probably for at least over one month.

How they got my friends password: interception or dictionary attack?

My friend told me that she was a member of a message board, and that she was very sure that the administrator of that board was doing this, probably also using the computer of his girlfriend (or directing her actions). Since my friend uses the same password everywhere, by obtaining the password of her account on that board, they basically got a multipasss (Leeloo, 5th Element).

The phpBB forum software doesn't store the password in the database however, but instead calculates a digest (MD5 to be exactly) of the password, and stores this instead. When a user logs in and a password is given, the digest of the given password is calculated, and the result is compared with the stored result. If they match, the passwords are the same. Theoretically more then one password can give the same digest but this chance is too slim to break the digest by just guessing. Also, using the digest to find back the password should be extremely hard.

So how was the password obtained? I can only guess, but there are two simple ways. The first is that the administrator just recorded passwords as they were send to the forum software before the digest calculation takes place. This doesn't require great programming skills. Just a few lines of PHP should do the trick.

The second approach is using a dictionary attack. Since my friends password is one that can be found in an English dictionary a simple method makes it possible to find the actual password in a relatively short time: for every word in the dictionary, calculate the digest, and compared it with the digest stored in the phpBB users database table. If a match is found, print the word used.

Which method the Internet stalkers used, I don't know. Both are not that hard to do. The first one will always give the password, no matter if it's in a dictionary or not.

What the stalkers did

The actual stalking took place on my friends message board as well as mine. All three IPs we found were used. The stalking consisted of logging in to my board as my friend, and checking her profile, finding out which messages she had been posting. On her board it consisted of logging in as my friend, with administrator rights, and making small, subtle changes to the message board, and sometimes less subtle, like emptying the table that holds the smileys.

The worst thing we have seen so far, however, was actually reading her Earthlink email box, since they clicked on a link stored in a message in my friends Earthlink email inbox.

Reporting abuse

I used tracert on the Windows XP command prompt to obtain the domains the three IP addresses belonged to. As expected, the two that were quite "close" in address space belong to the same company: BT Central Plus, and the third one belongs to Comcast. I just added abuse@ to both domains, and emailed my discoveries to one, with a CC to the other, since the two people took turns in their stalking activities, sometimes just a few seconds apart, and hence their actions should be taken together. I hope their providers terminate both accounts. What they have done is, in my opinion, sufficient enough to take such action.

Confirming that an IP address belongs to someone

One thing I didn't do (yet) is checking if the board administrator my friend suspects is indeed one of the cyberstalkers. One way to check this is to send a private message to the suspect containing an image that is hosted on a site one has access to the access_log. I used this in the past to find out the IP address of someone who was misleading quite some of my friends. I asked one of them to give a link to an image, hosted on one of my sites and thus obtained the IP address.

Passwords, a few simple rules

From the above a few simple rules can be obtained:

Also, I recommend everyone running a message board to create an account for normal use, and don't use the administrator one for day to day posting activities, etc.

Finally, don't underestimate the power of a board administrator. He/she has access to more then most people think, and can obtain even more information without much effort.

Also today

Please post a comment | read 1 comment by Brandy | RSS feed