Tuesday, January 25, 2022

Tracing a Malicious User

>Tracing a Malicious User
>Written by: Paperghost [paperghost@vitalsecurity.net] Vital Security -
>irc.vitalsecurity.net - #vitalsecurity
>If this article scrolls off the edge of the page, go to Edit and select
>Word Wrap.

## Connections make the world go round ##

The computer world, at any rate.  Every single time you open up a website,
send an email or upload your webpages into cyberspace, you are connecting to
another machine in order to get the job done.  This, of course, presents a
major problem, because this simple fact is what allows malicious users to
target your machine on a regular basis; you may not think that they
are...but it's a well known fact that computers are frequently scanned at
random by  Hackers, checking for open ports, security flaws and ways they
can use "exploits" against you (an exploit is a term given to a method
((usually written in computer code)) whereby the Hacker can potentially do
great damage to your machine).  You're probably wondering, how can I avoid
this?  And, more importantly, how can I find out who is doing this to

# How do these people find me?

Well, first of all, they need to get hold of your IP Address.  Your IP
(Internet Protocol) address reveals your point of entry to the Internet and
can be used in many ways to cause your online activities many, many
problems.  It may not reveal you by name, but it may be uniquely
identifiable and it represents your digital ID while you are online, and
with your IP address, a Hacker can find out all sorts of weird and wonderful
things about you (as well as causing all kinds of other trouble, the biggest
two being Portnukes/Trojans and the dreaded DoS ((Denial of Service))
attack).  Some Hackers like to collect IP Addresses like badges, and like to
go back to old targets, messing them around every so often.  Your IP address
is easy to discover, by the way; people who know what they're doing can find
it in chatrooms, on MSN, ICQ (in fact, nearly all instant
messengers)....your IP Address is contained as part of the Header Code on
all emails that you send and webpages that you visit can store all kinds of
information about you.  A common trick is for the Hacker to go into a
Chatroom, paste his supposed website address all over the place, and when
the unsuspecting victim visits, everything about your computer from the
operating system to the screen resolution can be logged.  Think I'm kidding?
  Here's just some of the information gathered from one of my own webpages
on a random visitor, although of course I'm not including their IP address

No. of Pages Visited: 3
Return Frequency: First Time
Browser: Microsoft Internet Explorer 5.5
Language: English (United States)
Browser Size: 823x391
Operating System: Windows NT 5.0
Country: USA
Monitor Resolution: 1024x768
Monitor Color Depth: 16 Million (32-bit)
JavaScript Version: 1.3
Cookies: Enabled
Timezone: GMT -7

Now, this is from a fairly basic webpage setup, so you can imagine what
could potentially be gleaned from a malicious website.  Now we know what
we're dealing with, how do we know who and what is attempting to reach us?

##  Virtual and Physical Ports ##

Everything that you receive over the Internet comes as a result of other
machines connecting to your computer's ports.  You have two types: Physical
ports are the holes in the back of your machine, but the important ones are
Virtual.  These allow transfer of data between your computer and the outside
world, some with allocated functions, some without, but knowing how these
work is the first step to discovering who is attacking you; you simply MUST
have a basic knowledge of this, or else all your attempts to deduce if a
malicious user is connected to you or not will be doomed to end in

# What the phrases TCP/UDP actually mean

TCP/IP stands for Transmission Control Protocol and Internet Protocol; a
TCP/IP packet is a block of data which is compressed, then a header is put on
it and it is sent to another computer (UDP stands for User Datagram Protocol).
This is how ALL internet transfers occur, by sending packets. The header in a
packet contains the IP address of the one who originally sent you it.  Now,
your computer comes with an excellent (and free) tool that allows you to see
anything that is connected (or is attempting to connect) to you, although bear
in mind that it offers no blocking protection; it simply tells you what is
going on, and that tool is NETSTAT.

##  Netstat:  Your first line of defence  ##

Netstat is a very fast and reliable method of seeing exactly who or what is
connected (or connecting) to your computer.  Open up DOS
(Start/Programs/MS-DOS Prompt on most systems), and in the MSDOS Prompt, type:

netstat -a

(make sure you include the space in between the "t" and the "a").

If you're connected to the Internet when you do this, you should see
something like:

Active Connections

Proto      Local Address                Foreign Address                    
TCP        macintosh: 20034             modem-123.tun.dialup.co.uk: 50505  
TCP        macintosh: 80                proxy.webcache.eng.sq: 30101       
TCP        macintosh                    MACINTOSH: 0                       
TCP        macintosh                    MACINTOSH: 0                       
TCP        macintosh                    MACINTOSH: 0                       

Now, "Proto(col)" simply means what kind of data transmission is taking
place (TCP or UDP), "Local address" is your computer (and the number next to
it tells you what port you're connected on), "Foreign Address" is the
machine that is connected to you (and what port they're using), and finally
"State" is simply whether or not a connection is actually established, or
whether the machine in question is waiting for a transmission, or timing out

Now, you need to know all of Netstat's various commands, so type:

netstat ?

You will get something like this:

Displays protocol statistics and current TCP/IP network connections.

NETSTAT [-a] [-e] [-n] [-s] [-p proto] [-r] [interval]

  -a            Displays all connections and listening ports.
  -e            Displays Ethernet statistics. This may be combined with the
                -s option.
  -n            Displays addresses and port numbers in numerical form.
  -p proto      Shows connections for the protocol specified by proto; proto
                may be TCP or UDP.  If used with the -s option to display
                per-protocol statistics, proto may be TCP, UDP, or IP.
  -r            Displays the routing table.
  -s            Displays per-protocol statistics.  By default, statistics are
                shown for TCP, UDP and IP; the -p option may be used to specify
                a subset of the default.
  interval      Redisplays selected statistics, pausing interval seconds
                between each display.  Press CTRL+C to stop redisplaying
                statistics.  If omitted, netstat will print the current
                configuration information once.

Have a play around with the various options, but the most important use of
these methods is when you combine them.  The best command to use is

netstat -an

because this will list all connections in Numerical Form, which makes it an
awful lot easier to trace malicious users....Hostnames can be a little
confusing if you don't know what you're doing (although they're easily
understandable, as we shall see later).
Also, by doing this, you can also find out what your own IP address is,
which is always useful.

##  Types of Port ##

It would be impossible to find out who was attacking you if computers could
just access any old port to perform an important function; how could you
tell a mail transfer from a Trojan Attack?  Well, good news, because your
regular, normal connections are assigned to low, commonly used ports, and in
general, the higher the number used, the more you should be suspicious.  
Here are the three main types of port:

#  Well Known Ports
These run from 0 to 1023, and are bound to the common services that run on
them (for example, mail runs on channel 25 tcp/udp, which is smtp (Simple
Mail Transfer Protocol)), so if you find one of these ports open (and you
usually will), it's usually simply because it's running an essential function.

#  Registered Ports
These run on 1024 to 49151.  Although not specifically bound to a particular
service, these are normally used by networking utilities like FTP software,
Email client and so on, and they do this by opening on a random port within
this range before communicating with the remote server, so don't panic (just
be wary, perhaps) if you see any of these open, because they usually close
automatically when the system that's running on them terminates (for
example, type in a common website name in your browser with netstat open,
and watch as it opens up a port at random to act as a buffer for the remote
servers).  Services like MSN Messenger and ICQ usually run on these Ports.

#  Dynamic/Private Ports
Ranging from 49152 to 65535, these things are rarely used except with
certain programs, and even then not very often.  This is indeed the usual
range of the Trojan, so if you find any of these open, be very suspicious.  
So, just to recap:

Well Known Ports           0 to 1023             Commonly used, little
Registered Ports           1024 to 49151         Not as common, just be
Dynamic/Private Ports      49152 to 65535        Be extremely suspicious.

##  The hunt is on ##

Now, it is essential that you know what you're looking for, and the most
common way that someone will attack your machine is with a Trojan.  This is
a program that is sent to you in an email, or attempts to bind itself to one
of your ports etc, and when activated, it can give the user your passwords,
access to your hard drive...they can even make your CD Tray pop open and
shut.  At the end of this Document, you will find a list of the most
commonly used Trojans and the ports they operate on.  For now, let's take
another look at that first example of Netstat....

Active Connections

Proto      Local Address                Foreign Address                    
TCP        macintosh: 20034             modem-123.tun.dialup.co.uk: 50505  
TCP        macintosh: 80                proxy.webcache.eng.sq: 30101       
TCP        macintosh                    MACINTOSH: 0                       
TCP        macintosh                    MACINTOSH: 0                       
TCP        macintosh                    MACINTOSH: 0                       

Now, straight away, this should make more sense to you.  Your computer is
connected on two ports, 80 and 27374.  Port 80 is used for http/www
transmissions (ie for all intents and purposes, it's how you connect to the
net, although of course it's a lot more complicated than that).  Port 27374,
however, is distinctly suspicious; first of all, it is in the registered
port range, and although other services (like MSN) use these, let's assume
that you have nothing at all running like instant messengers, webpages
etc....you're simply connected to the net, and your webcache.  So, now this
connection is looking even more troublesome, and when you realise that 27374
is a common port for Netbus (a potentially destructive Trojan), you can see
that something is untoward here.  So, the first thing to do is:

1) Run Netstat, and use:

Netstat -a

and

Netstat -an

so you have both Hostnames AND IP addresses.

2) Then, note exactly what Ports are open, connections etc on paper for
future reference, and also make a screen dump of the connection (simply
press the "Print Screen/SysRq" key to the right of the Return key, then open
a paint program and paste the image into it, remembering to save it, of

Now, just maybe, you can put this information to good use....
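Putting the port ranges and the Netstat walk-through into code, as an added example that is not part of the original article: it parses a constructed sample of `netstat -an` output (the Windows column layout, invented addresses), classifies each port into the three ranges described above, and flags anything that matches a few entries copied from the Trojan port list at the end of this document.

```python
import re

# Constructed sample of "netstat -an" output on a Windows box (not a real capture);
# the third connection mirrors the article's NetBus 2.0 example (20034 <-> 50505).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1031      203.0.113.5:80         ESTABLISHED
  TCP    192.168.1.10:20034     198.51.100.77:50505    ESTABLISHED
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  UDP    192.168.1.10:137       *:*
"""

# A handful of entries copied from the article's Trojan port list (port -> name).
TROJAN_PORTS = {
    12345: "GabanBus, NetBus",
    12346: "GabanBus, NetBus",
    20034: "NetBus 2.0, Beta-NetBus 2.01",
    31337: "Back Orifice",
    50505: "Sockets de Troie",
    54321: "Back Orifice 2000, SchoolBus",
}

LINE_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)(?:\s+(?P<state>\S+))?\s*$"
)

def split_endpoint(endpoint):
    """Split 'host:port' into (host, port); port is None for the '*' wildcard."""
    host, _, port = endpoint.rpartition(":")
    return host, (None if port in ("*", "") else int(port))

def port_class(port):
    """The three port ranges the article describes."""
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic/private"

def parse_netstat(text):
    """Turn raw 'netstat -an' output into one dict per connection line."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # the banner and the column-header line do not match
            continue
        lhost, lport = split_endpoint(m.group("local"))
        rhost, rport = split_endpoint(m.group("remote"))
        records.append({"proto": m.group("proto"), "local_host": lhost,
                        "local_port": lport, "remote_host": rhost,
                        "remote_port": rport, "state": m.group("state") or ""})
    return records

def flag_suspicious(records):
    """(record, reason) pairs worth a second look, by the article's rules: a port
    from the Trojan list on either side, or a dynamic/private port with a real peer."""
    flagged = []
    for rec in records:
        for side in ("local_port", "remote_port"):
            port = rec[side]
            if port is None:
                continue
            if port in TROJAN_PORTS:
                flagged.append((rec, f"{side} {port}: {TROJAN_PORTS[port]}"))
            elif (port_class(port) == "dynamic/private"
                  and rec["remote_host"] not in ("0.0.0.0", "*")):
                flagged.append((rec, f"{side} {port} is in the dynamic/private range"))
    return flagged
```

Feed it the saved output of `netstat -an` (the paper notes and screen dumps the article asks for) and the flagged list is the starting point for the trace that follows.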

##  The Website Trace ##

Let's assume that your Hacker isn't very clever,  and that they came across
you in a chatroom one day and decided to use you as target practice.  What
if, before the attacks started, you saw them in a chatroom going on about
their "fabulous" homepage at www.thehacker.com
Well......go to a website like




and enter the Domain Name in the Search Field.  This'll give you the run
down on exactly who owns the site....if they were silly enough to register
their site with non-fake details (and not many people DO think about using
fake details for website registration for some reason), then you'll get
something back like:

   *Hacker's address goes here*
   *Hacker's town/city goes here*
   *Everything else would go here*

   Domain Name: thehacker.com

   Administrative Contact:
      1028 912  2382 (FAX) 1875228-7235629
   Technical Contact, Zone Contact:
      Technical, Person        SOMESTUFF@HITMEBABYYEAH.NET
   Billing Contact:
      Billing, Person          TELLMEMORE@HOTMAIL.COM
      82637-12376 (FAX) 28361273-3821563

   Record last updated on 10-Aug-2001.
   Record created on 1-Dec-2000.
   Database last updated on 19--Jun--2000 10:43:10 GMT.

   Domain servers in listed order:

   NS1.WORKITSWEET.COM        87.826.4.1

Obviously, this is great; you know who they are, you contact whoever you
feel like contacting, send them your screen dumps/other evidence and that
should be it; be warned though, this won't be the answer to your problems
THAT often, as it assumes a huge lack of intelligence on the attacker's
part, which unfortunately sometimes isn't the case....

##  Tracerouting  ##

Suppose your Hacker was attacking your system with a Trojan, and they're
connected to your machine and you have their IP address.  Or, who knows, you
got their IP address from somewhere else.  The point is, you have it.  
So.....you run a traceroute on them, and you find out their ISP.  So now you
have both the IP and the ISP company, so it shouldn't be too hard to get
onto them and report the malicious user.  What you do is go to a website
like:


and simply enter their IP address into one of the many search boxes.  You
can also do this from MSDOS using

tracert *type IP address/Hostname here*

Now, what happens is, the Traceroute will show you all the computers
in between you and the target machine, including blockages, firewalls etc.  
More often than not, the hostname address listed before the final one will
belong to the Hacker's ISP Company.  It'll either say who the ISP is
somewhere in there, or else you run a second trace on the new IP/hostname
address to see who the ISP Company in question is.  If the Hostname that you
get back doesn't actually seem to mention an actual geographical location
within its text, you may think all is lost.  But fear not!  Suppose you get
a hostname such as


Well, that tells us nothing, right?  Wrong....simply enter the hostname in
your browser, and it will probably be an ISP, and from there you can easily
find out its location and what areas they operate in, thus at least
giving you a firm geographical location to carry out your investigations in.
If you STILL have nothing, as a last resort you COULD try connecting to your
ISP's port 13 by Telnet, which will tell you how many hours ahead or behind
this ISP is of GMT, thus giving you a geographical trace based on the time
mentioned (although bear in mind, the ISP may be doing something stupid like
not having their clocks set correctly, giving you a misleading trace.  A
common tactic of Hackers is to deliberately have their computer's clock set
to a totally wrong time, so as to throw you off the scent).  Also, unless
you know what you're doing, I wouldn't advise using Telnet (which is outside
the parameters of this article).

##  Reverse DNS Query ##

This is probably the most effective way of running a trace on somebody.  If
ever you're in a chatroom and you see someone saying that they've "hacked
into a satellite orbiting the Earth, and are taking pictures of your house
right now", ignore them because that's just bad movie nonsense. THIS method
is the way to go, with regard to finding out what country (even maybe what
State/City etc) someone resides, although it's actually almost impossible to
find an EXACT geographical location without actually breaking into your
ISP's Head Office and running off with the safe.

DNS stands for Domain Name Server.  These are computers connected to the
Internet whose job it is to keep track of the IP Addresses and Domain Names
of other machines. When called upon, they take the ASCII Domain Name and
convert it to the relevant numeric IP Address.
A DNS search translates a hostname into an IP address....which is why we can
enter "www.Hotmail.com" and get the website to come up, instead of having to
actually remember Hotmail's IP address and enter that instead.  Well,
Reverse DNS, of course, translates the IP Address into a Hostname (ie - in
letters and words instead of numbers, because sometimes the Hacker will
employ various methods to stop Netstat from picking up a correct Hostname).

So, for example,               is NOT a Hostname.
mail6.bol.net.au           IS a Hostname.

Anyway, see the section at the end?  (au) means the target lives in
Australia.  Most (if not all) hostnames end in a specific Country Code, thus
narrowing down your search even further.  If you know your target's Email
Address (ie they foolishly sent you a hate mail, but were silly enough to
use a valid email address) but nothing else, then you can use the Country
codes to deduce where they're from as well.  You can also deduce the IP
address of the sender by looking at the email's header (a "hidden" line of
code which contains information on the sender)...on Hotmail for example, go
to Preferences, and select the "Full Header's Visible" option.  
Alternatively, you can run a "Finger" Trace on the email address, again, at:


Plus, some ISPs include their name in your Email Address with them too (ie
Freeserve), and your Hacker may be using an email account that's been
provided by a Website hosting company, meaning this would probably have the
website host's name in the email address (ie Webspawners).  So, you could
use the information gleaned to maybe even hunt down their website (then you
could run a website check as mentioned previously) or report abuse of that
Website Provider's Email account (and thus, the Website that it goes with).
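The email-header step above in code, as an added example that is not from the article: it walks the Received chain of a constructed message (documentation IP ranges, invented host names) to find the address the mail first came from, then does the Reverse DNS and Country Code lookups. The resolver is injectable so the whole thing runs offline.

```python
import re
import socket
from email import message_from_string

# Constructed message headers for the walkthrough (documentation IP ranges,
# invented host names); added example code, not taken from the article.
SAMPLE_MAIL = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby mail.victim.example (Postfix) with ESMTP id 1A2B3C
\tfor <you@victim.example>; Tue, 25 Jan 2022 10:15:02 +0000
Received: from [198.51.100.23] (dialup-23.isp.example.au [198.51.100.23])
\tby mx.example.net with SMTP; Tue, 25 Jan 2022 10:14:55 +0000
From: hater@example.net
To: you@victim.example
Subject: hate mail

body text
"""

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
HOP_RE = re.compile(r"^from\s+(?P<frm>.*?)\s+by\s+(?P<by>\S+)", re.IGNORECASE)
RDNS_RE = re.compile(r"\(([A-Za-z0-9.-]+)")  # the receiving server's own reverse lookup

def trace_hops(raw_message):
    """Return the Received chain in delivery order (earliest hop first), one dict
    per hop.  Headers are folded across lines, so whitespace is collapsed first."""
    msg = message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received", [])):  # bottom header = first hop
        flat = re.sub(r"\s+", " ", value).strip()
        m = HOP_RE.match(flat)
        if not m:
            continue
        ip = IPV4_RE.search(m.group("frm"))
        rdns = RDNS_RE.search(m.group("frm"))
        hops.append({"claimed": m.group("frm").split()[0].strip("[]"),
                     "ip": ip.group(1) if ip else None,
                     "rdns": rdns.group(1) if rdns else None,
                     "by": m.group("by")})
    return hops

def originating_ip(raw_message):
    """IP the message first entered the mail system from.  Only the Received line
    written by your own provider's server is trustworthy; earlier ones can be forged."""
    hops = trace_hops(raw_message)
    return hops[0]["ip"] if hops else None

def reverse_dns(ip, resolver=socket.gethostbyaddr):
    """PTR lookup (the Reverse DNS Query); resolver is injectable so this can run
    offline.  Returns None when the address has no hostname."""
    try:
        return resolver(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None

def country_code(hostname):
    """Two-letter country suffix of a hostname (e.g. 'au'), or None for .com/.net etc."""
    if not hostname:
        return None
    tld = hostname.rstrip(".").rsplit(".", 1)[-1].lower()
    return tld if len(tld) == 2 and tld.isalpha() else None
```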


For all Country Codes, go to either:




If your Hacker happens to reside in the USA, go to:


for a complete list of US State abbreviations.

For all your Reverse DNS Traces (as well as a lot of other tools including
Finger, Whois etc), go to:


I've mentioned this website quite a few times, simply because it offers more
reliability than other services of this type, although of course you can get
programs which do the same job (such as Genius, Gimme IP, NeoTrace etc).

##  Making a complaint to an Administrator/ISP ##

More often than not, people will simply get an auto-mail back and nothing
more when they report an access violation, simply because they don't know
how to report the attack in the correct manner.  Admins must get deluged
with reports like this all the time, and they simply aren't going to waste
time looking through mounds of data to get what they need.  So, here's how
to do it:

Step 1.  Look at your information for the ISP/Network of your attacker.
Step 2.  Get admin and technical contact email addresses from the ISP's
Website or phone them.
Step 3.  If your collected data didn't offer any help you should email your
log to root@isp
Step 4.  Start your email program.
Step 5.  Copy relevant entries from Firewall log files into the body of the
email message.
Step 6.  Explain briefly what happened to you in the message.
Step 7.  Be sure to sign the message with your real name and a phone number
where the admin can contact you.
Step 8.  Finally, attach any *relevant* screen dumps to the email.  As a
rule of thumb, only send two images maximum, one of the actual connection on
Netstat (a view of the attacker's Hostname is usually better than the IP
address, use netstat -an for this).  You should also make sure the screen
dumps have your computer's time in the bottom right hand corner, as *close*
to the attacker's first connection time as possible, which makes things
easier for the Admins to check their Log Files.  This is also useful if your
Firewall didn't log the time of the attack for some reason, or (horror of
horrors), you don't actually have a Firewall.  The other screen dump should
be for any additional information you have on the Hacker (remember, keep it
relevant), so if for example, you have NeoTrace or some other tool which
gives a visual map image of where the connection is coming from, send that
too, remembering to make sure the clock isn't obscured.

This should be all that is necessary on your part.

##  List of Ports commonly used by Trojans ##

Please note that this isn't a complete list by any means, but it will give
you an idea of what to look out for in Netstat.  Be aware that some of the
lower Ports may well be running valid services.  Trojan removers can be
acquired from many locations, but one of the best collections on the Internet
can be found at


In addition, you can also find many other useful tools here, such as
Firewalls, Virus Removers and Port Protectors.

1349 Back Orifice DLL
31337 Back Orifice 1.20
31338 DeepBO
54321 Back Orifice 2000

21 Blade Runner, Doly Trojan, Fore, Invisible FTP, WebEx, WinCrash
23 Tiny Telnet Server
25 Antigen, Email Password Sender, Haebu Coceda, Shtrilitz Stealth,
Terminator, WinPC, WinSpy, Kuang2 0.17A-0.30
31 Hackers Paradise
80 Executor
456 Hackers Paradise
555 Ini-Killer, Phase Zero, Stealth Spy
666 Satanz Backdoor
1001 Silencer, WebEx
1011 Doly Trojan
1170 Psyber Stream Server, Voice
1234 Ultors Trojan
1243 SubSeven 1.0 - 1.8
1245 VooDoo Doll
1492 FTP99CMP
1600 Shivka-Burka
1807 SpySender
1981 Shockrave
1999 BackDoor 1.00-1.03
2001 Trojan Cow
2023 Ripper
2115 Bugs
2140 Deep Throat, The Invasor
2801 Phineas Phucker
3024 WinCrash
3129 Masters Paradise
3150 Deep Throat, The Invasor
3700 Portal of Doom
4092 WinCrash
4567 File Nail 1
4590 ICQTrojan
5000 Bubbel
5000 Sockets de Troie
5001 Sockets de Troie
5321 Firehotcker
5400 Blade Runner 0.80 Alpha
5401 Blade Runner 0.80 Alpha
5402 Blade Runner 0.80 Alpha
5400 Blade Runner
5401 Blade Runner
5402 Blade Runner
5569 Robo-Hack
5742 WinCrash
6670 DeepThroat
6771 DeepThroat
6969 GateCrasher, Priority
7000 Remote Grab
7300 NetMonitor
7301 NetMonitor
7306 NetMonitor
7307 NetMonitor
7308 NetMonitor
7789 ICKiller
8787 Back Orifice 2000
9872 Portal of Doom
9873 Portal of Doom
9874 Portal of Doom
9875 Portal of Doom
9989 iNi-Killer
10067 Portal of Doom
10167 Portal of Doom
10607 Coma 1.0.9
11000 Senna Spy
11223 Progenic trojan
12223 Hack'99 KeyLogger
12345 GabanBus, NetBus
12346 GabanBus, NetBus
12361 Whack-a-mole
12362 Whack-a-mole
16969 Priority
20001 Millennium
20034 NetBus 2.0, Beta-NetBus 2.01
21544 GirlFriend 1.0, Beta-1.35
22222 Prosiak
23456 Evil FTP, Ugly FTP
26274 Delta
30100 NetSphere 1.27a
30101 NetSphere 1.27a
30102 NetSphere 1.27a
31337 Back Orifice
31338 Back Orifice, DeepBO
31339 NetSpy DK
31666 BOWhack
33333 Prosiak
34324 BigGluck, TN
40412 The Spy
40421 Masters Paradise
40422 Masters Paradise
40423 Masters Paradise
40426 Masters Paradise
47262 Delta
50505 Sockets de Troie
50766 Fore
53001 Remote Windows Shutdown
54321 SchoolBus .69-1.11
61466 Telecommando
65000 Devil

##  Summary  ##

I hope this Article is useful in showing you both how to secure yourself
against unwanted connections, and also how to determine your attacker's
identity.  The Internet is by no means as anonymous as some people think it
is, and although this is to the detriment of people's security online, this
also works both ways....it IS possible to find and stop even the most
determined of attackers, you just have to be patient and keep hunting for
clues which will help you put an end to their exploits.

>Article "Tracing Hackers" Copyright (C) 2001 Paperghost All Rights Reserved
>Loyalty and Protection for all our families
>email paperghost@vitalsecurity.net with comments.