18.7 Searching and Tracking on IRC

There are two general reasons for wanting to track an individual on IRC: (1) investigators become aware of the person through IRC and want to learn more about him/her, and (2) investigators learn about the person and suspect that he/she uses IRC. Before tracking anyone on IRC, it is necessary to configure some form of logging to document the search. For instance, in mIRC logging can be configured as shown in Figure 18.5.

Figure 18.5: Logging configuration, accessed via the File - Options menu item.

Including the date in the file name is a good practice from an evidence gathering standpoint and the "Timestamp logs" feature records the date and time of all lines in a log file, making it easier to keep track of when events recorded in the logs occurred.

When a broad search of a particular IRC subnet is required, the who command is most useful. The who command can search for any word that might occur in a person's hostname or nickname, or can be used to search for people in a particular region. For instance, Figure 18.6 shows the who command being used to find all Verizon users from Baltimore (*east.balt.verizon.net).

Figure 18.6: Results of the who command on IRC.

Similarly, it is possible to search for individuals in a specific country using commands "/who *.se" or "/who *.ie" for all individuals in Sweden and Ireland, respectively. As another example, the command "/who *raven*," finds all users with the word "raven" in their nickname or hostname.

When a particular individual of interest has been found on IRC, the whois command can provide additional details. The whois command on IRC is not the same as the Whois databases mentioned earlier. The whois command uses a person's IRC nickname to get information like the person's IP address and, if he/she provides it, e-mail address. Figure 18.7 shows information obtained about an IRC user named "TheRaven" using whois, listing channels TheRaven is in (#nevermore, #do_not_cross) and, more importantly, the computer he/she is connecting from (pool-151-196-237-235.balt.east.verizon.net). The IP address associated with this host name was obtained using the command "/dns TheRaven."

Figure 18.7: Results of the whois and dns commands on IRC.

Additional information about these and other IRC commands is detailed at The IRC Command Cosmos.[21] Note that it is not advisable to use the finger command on IRC to gather information about an individual because it notifies the other party, whereas the who and dns commands do not.
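The who/whois lookups above are answered by the server as numeric replies (RFC 1459: 352 for WHO, 311 and 319 for WHOIS). The following Python script is an added example, not code from the book or from any tool it describes: it parses constructed sample replies, applies the same wildcard masks the text uses ("*.se", "*raven*", a regional hostname mask), and produces timestamped lines for an evidence log. The server name, hostnames and nicknames in the sample are made up.

```python
import fnmatch
from datetime import datetime, timezone

# Constructed sample of raw server replies, as a client would receive them
# after "/who *" and "/whois TheRaven". Hostnames and nicks are invented.
SAMPLE_REPLIES = """\
:irc.example.net 352 me * ~raven pool-151-196-237-235.balt.east.verizon.net irc.example.net TheRaven H :0 Edgar
:irc.example.net 352 me * ~bob cpe-66-1-2-3.balt.east.verizon.net irc.example.net bobby H :1 Bob
:irc.example.net 352 me * ~eve host.example.se irc.example.net eve99 H :0 Eve
:irc.example.net 315 me * :End of /WHO list.
:irc.example.net 311 me TheRaven ~raven pool-151-196-237-235.balt.east.verizon.net * :Edgar
:irc.example.net 319 me TheRaven :#nevermore @#do_not_cross
:irc.example.net 318 me TheRaven :End of /WHOIS list.
"""

def parse_who(raw):
    """Return (nick, user, host) for every RPL_WHOREPLY (352) line."""
    records = []
    for line in raw.splitlines():
        parts = line.split(" ")
        # 352 <me> <channel> <user> <host> <server> <nick> <flags> :<hops> <realname>
        if len(parts) > 7 and parts[1] == "352":
            records.append((parts[7], parts[4], parts[5]))
    return records

def match_mask(records, mask):
    """Keep WHO records whose nick or host matches a case-insensitive glob,
    mirroring masks such as "/who *.se" or "/who *raven*"."""
    m = mask.lower()
    return [r for r in records
            if fnmatch.fnmatchcase(r[0].lower(), m)
            or fnmatch.fnmatchcase(r[2].lower(), m)]

def parse_whois(raw, nick):
    """Collect the host (311) and channel list (319) reported for one nick."""
    info = {"nick": nick, "host": None, "channels": []}
    for line in raw.splitlines():
        parts = line.split(" ")
        if len(parts) > 5 and parts[1] == "311" and parts[3] == nick:
            info["host"] = parts[5]
        elif len(parts) > 4 and parts[1] == "319" and parts[3] == nick:
            chans = line.split(" :", 1)[1]
            # strip op/voice prefixes so channel names compare cleanly
            info["channels"] = [c.lstrip("@+") for c in chans.split()]
    return info

def log_entry(text, when=None):
    """Timestamped line for the evidence log (the 'Timestamp logs' idea)."""
    when = when or datetime.now(timezone.utc)
    return f"[{when:%Y-%m-%d %H:%M:%S} UTC] {text}"
```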

If a particular IRC channel is of interest, it can be fruitful to use an automated program that continuously monitors activity in that channel. A utility called DataGrab[22] facilitates monitoring activities on IRC and gathering whois and DNS information. Figure 18.8 shows DataGrab being used to gather DNS information about all participants in a channel called "#0!!!!!!!!!!!!preteen666," saving the date-time stamped results into a text file. The "KeyWord Logging" feature can be configured to record information whenever a particular word occurs in the chat room that is being monitored.

Figure 18.8: DataGrab.

Chat Monitor[23] is another useful tool for automatically monitoring specific IRC channels and looking for anyone connecting from particular countries. Figure 18.9 shows Chat Monitor logging individuals who are participating in the IRC channel called "#0!!!!!!!!!!!!preteen666."

Figure 18.9: Chat Monitor.

Chat Monitor can also be configured with a list of nicknames that are of interest using its "Buddy Monitor" feature. Additionally, Chat Monitor can be used to analyze IRC logs for a particular user's activities.

CASE EXAMPLE


During a routine security audit, a Windows 98 host was found running BO2K. When the owner of the computer was informed that the intruder could monitor all of her activities, she was shocked and noted that this could explain how her credit card had been stolen and used to subscribe to pornographic Web sites.

A preliminary digital evidence examination uncovered an ".exe" entry in the Registry in the RunServices key. Additionally, an unknown service named "ae.exe" was running. The executable was located in "C:\Windows\System\ae" along with IRC chat and DCC logs, indicating that it was an IRC bot. One file named "finger.txt" included the following details about the bot that would be provided to anyone who fingered the host.

[default]
:::::::::::::::::::::::::::::general:info:::::::::::::::::::::::::::::::::::::::::::::::::::::::
::: hi! my ip is 135.223.23.5 and right now i'm on irc.concentric.net as nautilus
::: i have 0 chats. i have 0 queries.
::: i have 0 sends. i'm on 7 channels.
::: use /finger help@135.223.23.5 for more information type shit.
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
[help]

A log file revealed the following activities of one of the intruders, nicknamed "epitaph":

  • Sep 12 07:25:09: epitaph logged into the compromised machine from 1Cust226.tnt1.sierra-vista.az.da.uu.net with the username root and password puritycontrol

  • Sep 13 11:13:33: epitaph connected from 1Cust226.tnt1.sierra-vista.az.da.uu.net, replaced some files (e.g. autoexe.bat) and deleted files in the McAfee folder to disable the antivirus software, preventing it from detecting the Trojan program

Another log file showed what appeared to be the same intruder connecting to the IRC bot using the nickname "aeon." The intruder's cohorts who connected to the IRC bot called her Julz or Julie, and one log entry in the IRC bot contained the e-mail "jgraham@usr07.primenet.com." The intruder called the IRC bot "julian v1.5" and described it as "a small project made in boredom." Using an undercover account, investigators connected to the IRC server that the bot was connected to (irc.concentric.net) and started observing the intruder and her cohorts. Additionally, the investigators searched the Internet for rough edges in the log files like "ae.exe," "epitaph," "aeon," "jgraham@usr07.primenet.com," and "julian v1.5." They also performed a geographically focused search in the Sierra Vista region of Arizona. Their search uncovered a Web page "http://www.primenet.com/~jgraham/" that contained a link to a Web page associated with "aeon." Using finger on the Sam Spade page to query the Primenet server about the jgraham account returned the following:

09/15/02 16:55:26:
finger jgraham@usr07.primenet.com (206.165.6.207)
Login: jgraham Name: John Graham
Directory: /user/j/jgraham Shell: /bin/bash
Mailbox last read: Sept 15 12:31:24 2002
Currently logged in via na02.fhu-130 IPnet: 208-50-51-49.nas2.fhu.primenet.com

The last line indicated that someone was logged into the Primenet server using this account from "208-50-51-49.nas2.fhu.primenet.com." Using finger on Sam Spade to query the host directly returned the following:

09/15/02 17:17:04:

finger @208-50-51-49.nas2.fhu.primenet.com (208.50.51.49)

if your name is Joshua gabbard, you're a dungpunching faggot.

also: www.subweb.net

www.subweb.net/index.htm

subweb I: the eye of the nephilim

Notably, the nickname "nephilim" occurred in IRC logs on the compromised host. Whois "www.subweb.net" did not reveal anything useful.

Repeating these steps the following day, Whois "www.subweb.net" had been updated and contained the intruder's name, home address and telephone number, and finger revealed the following:

09/16/02 23:00:26:
finger @208-50-51-162.nas2.fhu.primenet.com (208.50.51.162)
:::::::::::::::::::::::::::::::::julian:info::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
what is "julian"? a small project done in countless hours of boredom. "julian"
itself is an acronym for, jag's universal liberally inclined artifical nerd. originally, julian had moods and "intelligent" reactions as per those moods. however, due to a conflict of productive interest, julian was completely rebuilt, less the moods. a better interface was designed and more controls were implemented. the moods may be back in the summer of 2002, provided julian's author is still unemployed.
use /finger help@208.50.51.162 for more information type shit.
...
::: current channels for julian1 on irc.east.gblx.net:6667 as of 19:59:46
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::: 1) #terrorism + tn (no topic set) 2 ops, 2 nonops, 4 total.
::: 2) #julian +tn (no topic set) 1 ops, 0 nonops, 1 total.

Although these IRC channels were not plainly visible on IRC, searching for the known nicknames of the intruder and her cohorts (e.g. "/whois epitaph," "/whois aeon") revealed that they were connected to these channels from several compromised hosts. All of the information gathered indicated that the intruder was a high school student in the Sierra Vista region of Arizona. Because she was a minor and the cost of the damages was lower than the legal threshold, the intruder was not arrested but received a warning.


[21]http://www.irchelp.org/irchelp/misc/ccosmos.html

[22]http://members.aol.com/datagrabl

[23]http://www.surfcontrol.com


Digital Evidence and Computer Crime, Second Edition
ISBN: 0121631044
Year: 2003