Tracking Down A Web Host
How To Use Traceroute - A Tutorial by Black Hat

Hi there.

This little traceroute tutorial will help you track down the host of a web site that may contain objectionable material. (Please note that by objectionable material, I am referring to material that is unlawful or expressly forbidden in the acceptable use policy of the web host.) Please do not confront a web host about the content on a page they are hosting simply because you don't agree with it. The beautiful thing about the Internet is that it allows anyone to publish their thoughts instantly and broadcast them to the world. The information that I provide here is not intended to hinder anyone's right to free speech or artistic expression. It is intended to simplify the traceroute process and make it easier for you to locate the providers of material that may be in violation of the law and/or policies of the hosting company.

Most reputable web hosts clearly outline and forbid, in their acceptable use policies, content that they feel is detrimental to the overall health of the Internet. This content includes (but is not limited to) web sites promoting racism, harassment, attempts to infiltrate the security of another computer system, denial of service attacks, attempts to collect your personal data without your knowledge, fraud, distribution of viruses, SPAM, forgery, illegal distribution of copyrighted materials, etc.

You may find that contacting a web host results in no response, or in a response that is belligerent in nature. In most cases you will find that these hosts, while they are indeed hosts, are actually resellers leasing a server from a much larger company. They may feel that they can set their own agenda in this manner, but this is not true. A reseller must abide by the terms of service of the company from which he is leasing his server. If you cannot get a response to your complaint, the next step is to go upstream to the owner of the block of addresses in which the IP of the web site resides. To be on the safe side, it is best to e-mail both the reseller and the upstream provider at the same time.

Many web sites will try to get past traceroute by masking themselves within a frame. The URL that appears in your address bar may only point to a page that is in actuality hosted by a different company. I will show you how to determine if this is so.

I certainly hope that you are still with me. This isn't difficult at all. In most cases, you can trace and report a web site in 3-5 minutes.

As an example, we are going to use my own web site, www.blackhatdesign.com, and we are going to trace it using a wonderful tool that returns a myriad of results on the origins of networks, www.network-tools.com.

This is not the only tool that can accomplish the job but it is very comprehensive and makes for a tutorial that is easy to understand.

Thomas Kernen maintains a wonderful array of sites and tools used in the traceroute process, if you think another tool is more to your liking. You may visit his web site at www.traceroute.org.


Now, let's get started. Tutorial instructions are indicated in green text.

First we need the name of a web site, and what do you know? We have one. We take the name of the site and plug it into the text box at www.network-tools.com. Please note that you must not add anything in this box but the domain name and its top-level extension, for example blackhatdesign.com (no http:// or www).

Here are the results that we receive:

IP address: 64.239.17.9
Host name: blackhatdesign.com

Alias:
drive.phpwebhosting.com

TraceRoute to 64.239.17.9 [blackhatdesign.com]

These results obviously indicate the IP address of this web site, blackhatdesign.com being the host name.

The alias tells us the server my web site is residing on at my hosting company, phpwebhosting.com (which, by the way, is an exceptional host that should give me free stuff for this plug).


The data directly below this information is the route taken in reaching my web site. This is not really all that helpful to you in achieving our goal, so we will skip to the next block of information that you should look for.

Whois Server Version 1.3
Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.
   Domain Name: BLACKHATDESIGN.COM
   Registrar: GO DADDY SOFTWARE, INC.
   Whois Server: whois.godaddy.com
   Referral URL: http://registrar.godaddy.com
   Name Server: NS2.PHPWEBHOSTING.COM
   Name Server: NS1.PHPWEBHOSTING.COM

This is the Whois information on my web site. It indicates my domain name, the place where I have my domain registered and the place that I host my web site. If we wish to register a complaint about a site that phpwebhosting has on their servers, we can go to their web site and look up their contact addresses. Most if not all web hosts have an address posted specifically for abuse questions and complaints. The address for abuse at phpwebhosting is abuse@phpwebhosting.com, just as RackShack's is abuse@rackshack.net. Easy, huh?

Not so fast.

Let us say for argument's sake that we registered a complaint at phpwebhosting and they did not respond. What would we do next? Well, we look to see if there is another authority with whom we can communicate.


We do this by scrolling down to the bottom of the page under Network IP address lookup. This is what we find there.

Network IP address lookup:

whois whois.arin.net 64.239.17.9:

OrgName:    Dialtone Inc. 
OrgID:      DITN
Address:    4101 SW 47th Ave
Address:    Suite 101
City:       Davie
StateProv:  FL
PostalCode: 33314
Country:    US

NetRange:   64.239.0.0 - 64.239.127.255 
CIDR:       64.239.0.0/17 
NetName:    DIALTONEINTERNET-3
NetHandle:  NET-64-239-0-0-1
Parent:     NET-64-0-0-0-0
NetType:    Direct Allocation
NameServer: NS.DIALTONEINTERNET.NET
NameServer: NS2.DIALTONEINTERNET.NET

If we get no response from phpwebhosting we then e-mail the abuse department at dialtoneinternet. We just keep on going until we find someone that will respond and deal with the complaint accordingly. In this case Dialtone happens to be the end of the line although I happen to know that Interland and Dialtone have recently merged. How do I know that? I went to their web site at www.dialtoneinternet.net . You can also find the company's acceptable use policies on their web site. Be sure to look these policies up to be sure that your complaint falls within the framework and will be given the proper attention.

If you truly want to go to the source and you find that the information that has been returned to you is confusing or misleading, then look up the block of addresses to which the IP is assigned. You can do a network lookup by taking the IP and inserting it into the text box at www.network-tools.com like this. Check Network Lookup as in the example below.

In the case of my web site, we aren't going to get any further than Dialtone. They are the authority for this block of addresses and e-mailing them as well as phpwebhosting will get results.
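The lookup chain walked through above, as an added example that is not part of the original tutorial: Python that parses the two whois outputs shown on this page, confirms the IP really lies inside the ARIN block, and lists whom to contact in the tutorial's order. The function names are this example's own, and reading the name servers' domain as the host follows the tutorial's interpretation.

```python
import ipaddress

# Whois output copied from this tutorial's lookups, trimmed to the fields used.
DOMAIN_WHOIS = """\
   Domain Name: BLACKHATDESIGN.COM
   Registrar: GO DADDY SOFTWARE, INC.
   Whois Server: whois.godaddy.com
   Name Server: NS2.PHPWEBHOSTING.COM
   Name Server: NS1.PHPWEBHOSTING.COM
"""
ARIN_WHOIS = """\
OrgName:    Dialtone Inc.
OrgID:      DITN
NetRange:   64.239.0.0 - 64.239.127.255
CIDR:       64.239.0.0/17
NetName:    DIALTONEINTERNET-3
NetType:    Direct Allocation
NameServer: NS.DIALTONEINTERNET.NET
"""

def parse_fields(text):
    """Parse 'Key: value' whois lines into {key: [values]}; keys may repeat."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields.setdefault(key.strip(), []).append(value.strip())
    return fields

def registered_domain(hostname):
    """Keep the last two labels. Fine for .com/.net, wrong for e.g. .co.uk."""
    return ".".join(hostname.lower().rstrip(".").split(".")[-2:])

def escalation_chain(ip, domain_whois, arin_whois):
    """Return [(role, party)] in the order the tutorial contacts them."""
    dom = parse_fields(domain_whois)
    net = parse_fields(arin_whois)
    addr = ipaddress.ip_address(ip)
    # ARIN may list several comma-separated CIDR blocks for one NetRange.
    blocks = [ipaddress.ip_network(c.strip()) for c in net["CIDR"][0].split(",")]
    if not any(addr in block for block in blocks):
        raise ValueError(f"{ip} is outside the block in this ARIN record")
    # Name servers usually, but not always, belong to the web host itself.
    hosts = sorted({registered_domain(ns) for ns in dom.get("Name Server", [])})
    return [("host", h) for h in hosts] + [("upstream", net["OrgName"][0])]

if __name__ == "__main__":
    for role, party in escalation_chain("64.239.17.9", DOMAIN_WHOIS, ARIN_WHOIS):
        print(f"{role:9} {party}")
```

The containment check matters when whois output has been pasted from a different lookup: a record that does not cover the site's IP names the wrong upstream provider.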

That is all there is to it. You can now track down anyone rather quickly. There are exceptions to these rules but for the most part you can resolve disputes easily using this technique. If you come across a site that you absolutely cannot trace properly, feel free to send me the URL and I will do my best to help you.

You can e-mail those requests to traceroute@blackhatdesign.com .


I mentioned earlier that some pages hide within frames. I will explain this on the next page.
