Product: PC Help Network Tracer
Date: 17/07/02 (173 review reads)
Advantages: Makes me feel better
Disadvantages: Might annoy the wrong person
http://www.pc-help.org/trace.htm

OK - so it's just a URL right? Nope - it's the home of a baddie frightener! Do you run a broadband connection to the web? If you do you probably also run a firewall to help keep the baddies out, right? Get a lot of baddies trying to get into your system? Yeah, me too. Doesn't it just frustrate the hell out of you wondering who on earth is trying to invade your peaceful little system?

It's like the feeling you get when you arrive home and hear the phone ringing as you get out of the car. You rush to the door, fumbling with your keys, only to arrive at the phone just after it stops ringing. These days you can dial 1471 and, sometimes, if you are lucky, it will tell you which number called. More often than not, when I dial 1471, I am informed that, "The caller withheld their number." Bummer!

The above URL is the home of a batch routine (.BAT) that runs under a DOS window on your Windows PC. It will try and find out who attempted to gain access to your machine - provided your firewall has trapped the IP Address of the computer that made the attempt. It works by going out onto the Internet and hunting the baddie down. At the very least it will give the bugger a shock and at best let you know who it was.

Now, one word of warning here; before you get all overzealous and begin a witch hunt for some poor bugger out on the web, just be aware that the attack may not be coming from the address that your firewall thinks it is. There is a class of virus known as a "Trojan", after the Trojan horse. They work by invading a perfectly innocent computer and then using it to attack another computer under remote control from the hacker's computer. A clever hacker will always attack a site from a Trojan because it makes the hacker that much more difficult to trace. Our little software routine isn't about catching anyone - it's about letting them know that you know etc, etc. in the hope that they will go away and annoy someone else.

Finally, there is a school of thought that says you NEVER go out after a hacker because simply by doing so you admit the existence of your own site, something that the hacker may only have been assuming up to the point of you replying. While this is probably wise advice in the case of Government and "sensitive" commercial sites, I think that the likes of you and I can venture out there every now and again, on a "just for fun" basis!

So - whaddyahavetodo?

OK, go onto the web and type in the address at the top of this op. It will take you to a page called "PCHelp's Network Tracer". Immediately under the page title is a small sub-title that says "Download TRACE.ZIP". If you click on this it will begin the download of the code to your PC. Choose the "SAVE" button and save the file (called TRACE.ZIP) to a known folder (or create a new one for it).

If you know what WinZip is (and have a copy on your PC) then just unzip the contents of TRACE.ZIP into your main Windows folder and you're all set.

If you have never dealt with a "Zipped" file before then you also need to acquire a free program called WINZIP from www.winzip.com. Make sure that you download the free "evaluation" version - WinZip 8.1. When you click on the download, a panel will appear asking if you want to "Open", "Save" or "Cancel" the download. Choose "Open". The next panel will allow you to choose "Setup" or "Cancel". Choose "Setup". WinZip will then begin to install itself onto your computer. Just accept the defaults from the wizard. At the end of the install it will ask if you want to view an order form - click "No".

You can now "unzip" and install TRACE. Open Windows Explorer (or click on My Computer) and open the folder where you saved TRACE.ZIP. Double-click on TRACE.ZIP and WinZip will automatically start up. You will see that the single TRACE.ZIP file contains about seven or eight files. Click on "Actions" -> "Select All". Click on "Extract" and when WinZip displays the Extract window choose the Windows folder as the target. This will unzip all of the files and place them into the Windows folder. Click OK and you're all set.

OK, TRACE is now ready to run. You need either an IP address or URL for it to hunt. Your firewall will have given you an IP address when it detected the baddie, in all probability. An IP Address looks like this -> 101.23.99.88 and it is sometimes called a "Dotted quadrant" because it consists of four numbers separated by "dots" or full stops.

Click on START -> RUN on your PC and then type the word TRACE followed by the IP Address or URL. So you might type

TRACE 101.23.99.88

or, alternatively, if you have a URL you might type

TRACE urlname

Just to check that it works you can trace something really well known like Google or The BBC.

TRACE www.BBC.co.uk

TRACE will now do its stuff - Trace sends back absolutely loads of stuff about the target. However, here is a fragment from a trace I did on Ted Turner's Cable Network News URL (CNN - www.cnn.com):

Registrant:
Turner Broadcasting (CNN-DOM)
1 CNN Center
Atlanta, GA 30303

Domain Name: CNN.COM

Administrative Contact:
TBS Legal Department (TL92-ORG) TMGROUP@TURNER.COM
Turner Broadcasting System, Inc.
One CNN Center
Atlanta, GA 30348
US
404-827-3470
Fax- - - - 404-827-1995
Fax- - 404-827-1995

Technical Contact:
TBS Server Operations (TS309-ORG) hostmaster@TBSNAMES.TURNER.COM
Turner Broadcasting System, Inc.
One CNN Center
Atlanta, GA 30348
US
404-827-5000
Fax- 404-827-1593

Good huh? Now, you get shed loads of other stuff back as well, which I won't go into here, however the point remains that this little script is good at tracking down stuff on the web.

Finally, here is a fragment from a real baddie attacking my system. You can see that Trace also reports that this particular user has a record of being a nuisance and has an entry on the net abuse report kept by WHOIS -

-- DOMAIN NAME RECORD QUERY RESULTS --
NOTE: whois.abuse.net lists a Net-abuse report address for dsl-230-130.XXXXXXXXX

I have deliberately obscured the last bit of the internet address so that I can't be accused of doing anything defamatory or illegal but we both know who you are, don't we LARRYBOY?

I think that this is a cool little utility provided that you use it sparingly and you yourself don't become an abuser. Remember, there is a very fine line between a vigilante and a criminal. Have fun!
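An added example, not part of the original review: a small Python triage step for the "IP address trapped by your firewall" that the review feeds to TRACE. It keeps only valid, publicly routable source addresses (private, loopback and malformed ones have no public registry record to find) and counts repeats. The log format and function names are assumptions made for illustration, and as the review warns, the logged address may belong to a compromised intermediary rather than the person behind the attempt.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample firewall log (format is an assumption, not from the review).
SAMPLE_LOG = """\
2002-07-17 09:14:02 BLOCK TCP 101.23.99.88:3312 -> 192.168.0.2:139
2002-07-17 09:14:05 BLOCK TCP 101.23.99.88:3313 -> 192.168.0.2:445
2002-07-17 09:20:41 BLOCK UDP 192.168.0.7:137 -> 192.168.0.2:137
2002-07-17 09:31:10 BLOCK TCP 999.12.1.4:1040 -> 192.168.0.2:80
2002-07-17 09:45:55 BLOCK TCP 127.0.0.1:1050 -> 192.168.0.2:21
"""

# Source address is the field before ":port ->" on a BLOCK line.
SRC_RE = re.compile(r"\bBLOCK\s+\w+\s+(\S+?):\d+\s+->")


def lookup_candidates(log_text):
    """Return (Counter of public source IPs, list of (value, reason) skipped)."""
    hits, skipped = Counter(), []
    for line in log_text.splitlines():
        match = SRC_RE.search(line)
        if not match:
            continue
        raw = match.group(1)
        try:
            ip = ipaddress.IPv4Address(raw)  # rejects anything but four 0-255 numbers
        except ipaddress.AddressValueError:
            skipped.append((raw, "not a valid dotted address"))
            continue
        if not ip.is_global:
            # Private, loopback and reserved ranges are local traffic:
            # a public WHOIS lookup on them says nothing about the sender.
            skipped.append((raw, "private/loopback/reserved address"))
            continue
        hits[str(ip)] += 1
    return hits, skipped


def trace_commands(hits):
    """Build the command lines the review describes, most frequent source first."""
    return [f"TRACE {ip}" for ip, _count in hits.most_common()]


if __name__ == "__main__":
    found, ignored = lookup_candidates(SAMPLE_LOG)
    for cmd in trace_commands(found):
        print(cmd)
    for value, reason in ignored:
        print(f"skipped {value}: {reason}")
```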
Last comments:
- 17/07/02 Oops! Sorry mate - I should have guessed shouldn't I?
- 17/07/02 Glad to see you've joined me lol :o)
- 17/07/02 Ooh, cool! Might have a wee play with this. (I like winrar better than winzip).