Food for Your Brain
by DJ Tazz
Anonymity is a false sense of security. It doesn't exist. Everything is open for the taking.
And what do you do if everything seems to be locked tight with no way in? Smart your way in. Let's use a made-up nick as an example as we go along. We will call this person: Joey019
Say you're on IRC and this guy is being a real dick to everyone. What can you possibly do? Well, to start with you can run a /WHOIS on him and check what server he is using if it's not spoofed (most of the time it isn't) and start collecting information. I suggest keeping everything in a binder, or on the computer in a file.
So you run a /WHOIS and get the info.
    (/WHOIS Joey019)
    Joey019 is ~joey019@r023.pc343.serv-net.ca
    Joey019 on @#JoeyWorld #chat
    Joey019 using irc.ircserv.com Unofficial EFnet IRC Server
    Joey019 End of /WHOIS list.

Right away you've got some information to print or to keep in a document to recall when you need it.
One thing to remember is to log your IRC sessions. I always do and it comes in very handy when you wouldn't expect it to.
We can see that Joey019 is using serv-net.ca and isn't using any ident protocol software so it gives us his username, which would be joey019. We can assume that his e-mail address would be something along the lines of: joey019@serv-net.ca
We can also see that if he is using an account which is actually dialed-up locally, he's probably in Canada due to the .ca on the end of his hostname. Some ISPs' hostnames carry more information; some have the state/province or even the city in there. For instance, Toronto might have an address that ends something like: tor.on.ca
All useful brain food. All the channels that Joey019 is in that aren't +s (secret) are shown too. This can give you a mental idea of the person. If someone is in #bifemsex it's either a bisexual female or some horny 19-year-old male who doesn't have too many friends. All this can be documented in a text file or in your head if you can remember a lot of stuff the way I do.
Next, you can try and /FINGER the person. Finger can either be closed off from the public or it will be wide open for the taking of free information.
    (/FINGER joey019@serv-net.ca)
    Trying serv-net.ca
    Attempting to finger joey019@serv-net.ca

    Welcome To Serv-Net's Login Server.Serv-Net.CA
    We Can Be Reached By Email Or Phone
    Ph#: 555-9876 If You Have Any Problems.
    Email: admin@Serv-Net.CA
    Toronto's FASTEST ISP!
    ****************************************************************
    Login name: Joey                  In real life: Joey Smith
    Directory: /home/users/joey019    Shell: /bin/csh
    Last login Thu Mar 27 10:03 on ttypc from frogland.com
    New mail received Fri Apr 23 21:58:03 1999;
      unread since Fri Apr 23 18:17:39 1999
    No Plan.

Wow. That's a whole load of information from a simple, legal process.
Now we have a bunch of stuff to document. We know that Joey019's email address is joey019@serv-net.ca, and we know Joey's last name (though some servers substitute aliases for real-life names). We know what kind of shell Joey019 prefers, and we know that he probably has an account on frogland.com, the server he last logged in from. The new-mail and unread timestamps show us how often Joey019 uses this account.
All this information can throw you off but you have to remember, everything you learn is food for your brain. After putting all this stuff together you might actually start making a profile of the person. Psychologically and physically. Does this person act tough and condescending on IRC? Then they probably don't have very good families or don't have too many friends.
Now we move on to something a bit different.
The person just might have a web page up on their account. So let's just go on what we know and use common sense. Joey019's web address is probably http://www.serv-net.ca/~joey019 so we use a web browser and bring up his page. It has a bunch of stuff about cars, music, and then a section about terrorism. Look around and see what you can learn.
In the terrorism section he talks a lot about how he'd like to see certain people dead. We are dealing with someone who has a lot of problems. Here comes the part where you use your brain to make things work. Check out the source to his web page. Look at what kind of subdirectories or other servers the hypertext links are actually linked to. Maybe he has a header GIF that is in http://www.serv-net.ca/~joey019/pics so check it out. More than likely it will list all the files in the directory, possibly even a picture of the poor bastard.
Note: To keep people from looking in directories you don't want them to, simply take a second to make an empty index.html file in that directory. The browser will default to it and make it more difficult to list the files in the directory.
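To apply the note above to a whole web directory at once, here is an added example (not part of the original article) that finds every subdirectory with no index file and can drop an empty index.html into each. The function names, the INDEX_NAMES list and the demo tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a web root for directories a browser could list.
# Assumption: the server auto-lists any directory lacking one of these
# default documents; adjust INDEX_NAMES to match your server's config.
INDEX_NAMES="index.html index.htm"

# Succeeds if directory $1 holds at least one default document.
has_index() {
    for name in $INDEX_NAMES; do
        [ -f "$1/$name" ] && return 0
    done
    return 1
}

# Print every directory under $1 (inclusive) that has no index file.
# Directory names containing newlines are not handled.
list_unindexed() {
    find "$1" -type d | LC_ALL=C sort | while IFS= read -r dir; do
        has_index "$dir" || printf '%s\n' "$dir"
    done
}

# Drop an empty index.html into each unindexed directory, as the note
# describes. Existing index files are never touched.
fix_unindexed() {
    list_unindexed "$1" | while IFS= read -r dir; do
        : > "$dir/index.html" && chmod 644 "$dir/index.html"
        printf 'created %s/index.html\n' "$dir"
    done
}

# Constructed demo tree standing in for a user's web directory.
make_demo_tree() {
    demo=$(mktemp -d) || return 1
    mkdir -p "$demo/pics" "$demo/cars/old"
    echo '<html>home</html>' > "$demo/index.html"
    echo 'image bytes' > "$demo/pics/header.gif"
    echo '<html>cars</html>' > "$demo/cars/index.htm"
    printf '%s\n' "$demo"
}

# Stand-alone use: sh audit_index.sh /path/to/webroot
if [ "$#" -gt 0 ]; then list_unindexed "$1"; fi
```

An empty index file only hides the listing; any file in the directory can still be fetched by anyone who knows or guesses its name, so files that should not be public do not belong under the web root at all.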
The person could also possibly have a server-side FTP directory. FTP to the server if it allows it (ftp ftp.serv-net.ca), login as anonymous and check if there are any user directories. He might have some more files in there to give you some clues as to who this person is.
Now we have some very useful information for the last couple of things we tried.
We can figure that Joey Smith lives in Toronto, Ontario, Canada. So what, you say? Well, there's always the phone book. Chock full of informative goodness. If you have a phone book for that area then check it. Or else you can check it out online. There are so many sites now.
For those of you who can't find one, try www.pc411.com or www.555-1212.com. For the Canadian kids out there, go check out www.canada411.sympatico.ca - it is a complete listing of all of Canada, and it works wonders.
So from that we might get Joey019's phone number and home address. Consider that it's possible there is more than one Joey Smith but you can use a process of elimination.
I like to pay attention to people on IRC - sometimes they'll tell people what area of the city they live in. If you know the city well enough you can usually narrow it down a great deal. If you post the phone number in the channel without saying anything at all - just the phone number, not the person's name - and watch how they react it'll usually give you some sort of clue.
Let's get to the server-side fun stuff. If you are trying to find information on someone on the same server as you, it gets even easier. First off, we can check whether the person is online, more than likely using the who command:
    $ who
    oleejrz   pts/0   Apr 23 23:09   (psychozest.dk)
    znary003  pts/3   Apr 24 00:47   (localterm.serv-net.ca)
    wfle462o  pts/4   Apr 23 23:09   (shell.serv-net.ca)
    joey019   pts/5   Apr 24 01:03   (r023.pc343.serv-net.ca)

It shows us what time joey019 has been logged on since, and next we can check what he's doing with the ps command. In Solaris we can do:
    $ ps -u joey019
      PID TTY      TIME CMD
      312 ?        0:03 eggdrop
     3131 ?        0:14 screen-3
    19732 pts/5    0:00 sh
     3133 pts/7    0:00 sh
     3134 pts/7    1:48 irc-2.8

Now we have a list of his processes.
He's running an Eggdrop bot and it would appear that he's on IRC, probably on a separate screen. He's also running two shells, one for the screen process and one for the other screen he's using.
We can also finger joey019 on the server from the inside by typing finger joey019 which will give you the same old stuff as the other time we did it from the outside.
Some servers allow finger from within but not remotely.
On the server, Joey019's home directory might be readable and executable for everyone, so go take a look at what he's got in it. (Some ISPs might make you sign a contract against this so just be careful.)
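The exposure described above is easy to check on your own shell account. This added example (not part of the original article) reports everything under a home directory that other local users can read or list, and can strip those bits; WEB_DIR, the function names and the demo home directory are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report what other local users can read in a home directory.
# Assumption: WEB_DIR is the one subtree that is meant to stay public.
WEB_DIR="public_html"

# Print paths under $1 carrying the other-read bit (readable files,
# listable directories), skipping the public web subtree.
# Pass $1 without a trailing slash so the prune pattern matches.
world_open() {
    find "$1" -path "$1/$WEB_DIR" -prune -o -perm -004 -print | LC_ALL=C sort
}

# Strip every "other" permission bit from what world_open reports. If a
# web directory exists, leave the home directory traversable (o+x) so
# the web server can still reach it without being able to list the home.
lock_down() {
    world_open "$1" | while IFS= read -r entry; do
        chmod o-rwx "$entry"
    done
    if [ -d "$1/$WEB_DIR" ]; then chmod o+x "$1"; fi
}

# Constructed demo home directory with typical default permissions.
make_demo_home() {
    home=$(mktemp -d) || return 1
    mkdir "$home/$WEB_DIR" "$home/mail"
    echo 'session log' > "$home/irc.log"
    echo 'todo list'   > "$home/notes.txt"
    echo 'secret'      > "$home/private.key"
    echo 'mbox'        > "$home/mail/inbox"
    echo '<html></html>' > "$home/$WEB_DIR/index.html"
    chmod 755 "$home" "$home/$WEB_DIR" "$home/mail"
    chmod 644 "$home/irc.log" "$home/notes.txt" "$home/$WEB_DIR/index.html"
    chmod 600 "$home/private.key" "$home/mail/inbox"
    printf '%s\n' "$home"
}

# Stand-alone use: sh audit_home.sh /path/to/home
if [ "$#" -gt 0 ]; then world_open "$1"; fi
```

A umask of 077 in the shell startup file keeps newly created files from picking up the other-read bit in the first place.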