Total Stealth IP - The Answer

Originally posted by jesterbr549

[...]
However, I have experienced more than my share of strange occurances on my Web Site and I am convinced that this technology is out there and being used.
[...]
Now, maybe it is just that someone has hacked into my site, which is possible, but I have also experienced irregular activity, to say the least, in several other web sites which leads me to this conclusion.

I'd agree with [some of the] previous posters, and say that I don't see how stealth IP is possible.

You can make your IP address a little harder for you [human] to read, but that's no less trivial for a machine to read. Likewise as posted above you can use proxies and stuff, but then that IP is logged, and the trail is still there.

I wonder if you are seeing the result of UDP packets, they still ride the IP layer but don't communicate as comprehensively as TCP packets do.

(RFC768 & www-net.cs.umass.edu...)

Did you get any log files that could help other to see these "strange occurances" ?


(dbates: I guess asking about the log files is still within the site's TC, but some of the analysis might best be thought about first, before posting ?)

Proxy chaining programs like sockschain can be obtained which will allow you to input a list of proxies and you will then send packets through all these computers. This will slow down your connection quite a lot so you will need to have good resources. Connecting through several computers will take longer to trace, quite a few more phone calls. Some authorities might just give up but you are taking a chance.

Finding a machine that deletes its logs would be better, but hard. You could hope for the best that one of the ten or so machines you connect to deletes its logs or you could connect to known machines like your university or whatever and then delete the logs when you go in, if you can somehow do this.

Originally posted by jw287Finding a machine that deletes its logs would be better, but hard. You could hope for the best that one of the ten or so machines you connect to deletes its logs or you could connect to known machines like your university or whatever and then delete the logs when you go in, if you can somehow do this.

Yeah, this is what I was thinking - but what do you mean about University Machines?

Reason I ask is cause I don't have my own computer and use a University or Public Library computer when I post or work on my own Site.

You obviously can't talk to anyone or anything by stealth.
Think of the computer as a person for a minute. Can you call a person and ask him to send you information without him knowing that you spoke to him?
You can listen by stealth though. A wire-tap at either point of a connection would let you see everything that was sent without sending any information to them. Instead of asking the person a question, what you are doing is hiding nearby and waiting for somebody he trusts to ask him.

In the pizza guy analogy, what you are doing is waiting outside the pizza place and jumping the delivery guy on the way to his car. All you have to do is make sure they don't see you laying in wait.

All I can think of for total stealth is to find a way of erasing the information after the fact. I'm not sure if that's possible. I'm always hearing that there is a lot of stuff on a computer that doesn't go away, not matter how completely you delete it- short of setting your computer on fire.

Originally posted by 0951I wonder if you are seeing the result of UDP packets, they still ride the IP layer but don't communicate as comprehensively as TCP packets do. Did you get any log files that could help other to see these "strange occurances" ?
(dbates: I guess asking about the log files is still within the site's TC, but some of the analysis might best be thought about first, before posting ?)

It is not what I am seeing that has me wondering, it is what I am not seeing that has made me curious...

Well my mate could set up game servers on his campus but that connected to a master server to give a list of games. I was thinking you could set up a proxy like winsock then delete the logs as you wish but I doubt it would be accessible outside the campus because it doesn't connect to a master server. Don't really know about these things though.

[edit on 1-11-2004 by jw287]

Originally posted by covert_ops
i know you can spoof your ip address

True, however this is mainly useful for portscans and other trollish activity. You might be able to use this technique to issue commands to a trojan installed on a compromised server, however, since that server sends return traffic to the spoofed IP, the traffic is single-sided.

-P

Originally posted by jesterbr549
It is not what I am seeing that has me wondering, it is what I am not seeing that has made me curious...

Ok, being an overly curious bystander, I'm compelled to ask - what are you not seeing, or more accurately I guess, what are you expecting to see, that you are not ... ?

Originally posted by jesterbr549
Here's a topic that, I feel, needs some more professional research.

I am wondering whether or not it is possible that the technology exists to totally cloak one's IP so that you could surf the net without leaving a trace.

Now, I am not talking about an alias IP where your real IP gets switched around.

Nor am I talking about a lack of an IP address showing on the Web Stats.

I am talking Total Stealth IP in which there is absolutely no trace left of your passing.

I joined a forum of computer experts simply to ask them this question and this is the reply I got:

"No, not possible. If you have reasonable tracking software or even just have your apache logs properly configured there is always some 'trace' - even if it's only the 200 /page.html with no images, referer or anything there will always be a record of the get/post request."

I also got a second opinion from another professional who, basically, said the same thing.

However, I have experienced more than my share of strange occurances on my Web Site and I am convinced that this technology is out there and being used.

"If there is nothing that fits all the facts than, whatever theory that does fit all the facts, regardlesss of how impossible it may be believe , must be the truth."

Now, maybe it is just that someone has hacked into my site, which is possible, but I have also experienced irregular activity, to say the least, in several other web sites which leads me to this conclusion.

So, is Total Stealth IP's possible or not...

Originally posted by jesterbr549
Here's a topic that, I feel, needs some more professional research.

I am wondering whether or not it is possible that the technology exists to totally cloak one's IP so that you could surf the net without leaving a trace.

Now, I am not talking about an alias IP where your real IP gets switched around.

Nor am I talking about a lack of an IP address showing on the Web Stats.

I am talking Total Stealth IP in which there is absolutely no trace left of your passing.

I joined a forum of computer experts simply to ask them this question and this is the reply I got:

"No, not possible. If you have reasonable tracking software or even just have your apache logs properly configured there is always some 'trace' - even if it's only the 200 /page.html with no images, referer or anything there will always be a record of the get/post request."

I also got a second opinion from another professional who, basically, said the same thing.

However, I have experienced more than my share of strange occurances on my Web Site and I am convinced that this technology is out there and being used.

"If there is nothing that fits all the facts than, whatever theory that does fit all the facts, regardlesss of how impossible it may be believe , must be the truth."

Now, maybe it is just that someone has hacked into my site, which is possible, but I have also experienced irregular activity, to say the least, in several other web sites which leads me to this conclusion.

So, is Total Stealth IP's possible or not...

Ok, I have real life exp on this. Internet is my biz for like 7 years now full time, and on this subject I say.

Is Total Stealth IP's possible or not = It's not.

Anybody who have ENOUGH time and MONEY can trace anybody.

You have to take this issue from other side.

What do you wana to do?

For example, if you are at your work, and you dont wana be fired cause you have visited some sites on web, ofcourse it can be aranged that you can't bee seen what you was doin (looking).

They will need ALOT of skill and people to track you down, but also possibly to do.

If you wana do something really really ilegal (like terorist or whatever), would be possibly to do, but later on, hard to erase all the tracks.

They will hunt you down sooner or later.

With almost unlimited budget of USA gov. they can do some really really scary stuf.

But.....

there is a solution even for that.

There is MANY wireless hot spots now in many cities, you can actually connect to this spots via your laptop, like siting in the car, and even with having IP adress, there is no point later on to know it when nobody can't connect it to you.

If I am you, I would do hit and run tactic

Regarding your issue.

If somebody is really doin that on purpose, (and if he is really a expert or something) he will not do in that way.

He will try to mimic somebody alse.

For example, if you wana to look what is goin on in shop, the best way to do that is to be another "shoper" get it?

So, if you have some strange logs or whatever, send me privat msg, and show me what you got, and I could maybe give you some advice on that after I see what you have there.

I hope it helps.

I.



[edit on 1-11-2004 by ivan]

Originally posted by 0951Ok, being an overly curious bystander, I'm compelled to ask - what are you not seeing, or more accurately I guess, what are you expecting to see, that you are not ... ?

I am expecting to see specific traffic of 'websites' that I know are visiting my site - but there is no indication that they are visiting my site on the IP Tracker that I use. When I see reference to my Editorials, on a daily basis, on these other sites, than this is all the proof I need, regardless of what some people think of the impossibility of it. I will call this the Grasshopper effect ("when you can walk across this rice paper without leaving any trace it is time for you to be on your way grasshopper")

The possibilities :

1)Total Stealth IP
2)Master Key
3)One person is visiting my site and sending the info to many of the above mentioned entities.

If 1) is impossible than that only leaves 2) for I have also seen very strange things on several other sites that I have used etc, which precludes point number 3) above and, thus, actually makes the most sense.

Thus, if this latter (2) is the case than this thread has run its course and I would need to continue this under the Master Y2Key thread.

Back in my hacker days, I recall someone saying something about encrypted IP's. I think I've seen an example of this somewhere where the person's IP was entirely encrypted with weird symbols and boxes. Of course, only the most dedicated hackers know of how to do this. I highly doubt anyone will teach you. Just letting you know it's possible.

Originally posted by Blackout
Back in my hacker days, I recall someone saying something about encrypted IP's. I think I've seen an example of this somewhere where the person's IP was entirely encrypted with weird symbols and boxes. Of course, only the most dedicated hackers know of how to do this. I highly doubt anyone will teach you. Just letting you know it's possible.

Actually, even if I wanted to, I doubt I could learn how cause language of any kind, let alone computer, is my worst subject and I don't even bother trying to learn anymore.

I don't doubt that there is a way to encrypt the IP, but that would still leave a trace - "the hit would register" as one programer stated...

Here's an idea, but this is completely hypothetical and probably makes no sense at all (computing isn't my first area of expertise:p)

From what i've assertained from various information on the government, the government is currently scanning for "hot phrases/files" in emails, over the web etc like "terrorist kill president" or whatever, and intercepting information relating to this. When they intercept this information, can the person sending and receiving this information tell its been intercepted, and is there any trace of them doing this?

If not, wouldnt there (theoretically) be some way to set up a system whereby you enter what information you are wanting from the internet and use the packets that other people are sending and receiving to get it? Wouldn't that be more or less cloaked?

Originally posted by jesterbr549

Originally posted by 0951Ok, being an overly curious bystander, I'm compelled to ask - what are you not seeing, or more accurately I guess, what are you expecting to see, that you are not ... ?

I am expecting to see specific traffic of 'websites' that I know are visiting my site - but there is no indication that they are visiting my site on the IP Tracker that I use. When I see reference to my Editorials, on a daily basis, on these other sites, than this is all the proof I need, regardless of what some people think of the impossibility of it. I will call this the Grasshopper effect ("when you can walk across this rice paper without leaving any trace it is time for you to be on your way grasshopper")

The possibilities :

1)Total Stealth IP
2)Master Key
3)One person is visiting my site and sending the info to many of the above mentioned entities.

If 1) is impossible than that only leaves 2) for I have also seen very strange things on several other sites that I have used etc, which precludes point number 3) above and, thus, actually makes the most sense.

Thus, if this latter (2) is the case than this thread has run its course and I would need to continue this under the Master Y2Key thread.

First of all, I work as a Senior Security Consultant for a large European consultant-company and I have done so for the last 5 years.
I work with these kinds of questions and get them quite often.

There have been a lot of decent answers about how IP-adresses work, how routing works etc. already in this thread.

You can hide your IP-adress from prying eyes in a website log if you access the Internet through a anonymizing proxy or similar "middleman" service that hides your true IP-adress, You could also hide behind a public surf-computer or an open WLAN, whether this WLAN is meant to be open or just left open.
Something done behind a WLAN could possible be hard to track to a specific computer. Compare to a public surfzone. You connect with a WLAN-card in your box and access the Internet through a wireless accesspoint.

Of course your computer receives an IP-adress, otherwise you wouldn't be able to receive traffic.

Maybe the IP-addres you receive is a "black" IP-adress (192.168. and so on already mentioned in this thread), that is not routable on the Internet and which must betranslated to a valid one on the border device - be it a router or a FW or something else - before entering the Internet or maybe it is a valid "Internet IP-address" (A "black" address btw is of course usable *within* a private network, but cannot be send out onto the publiuc Internet)

The point is that the IP-address issued through DHCP is available to you for a short timeperiod - a "lease time", when you leave the surfzone someone else will probably be assigned the IP-address you just had.

So it can be problematic to bind a specific IP to a specific computer. One way would be to investigate the logs of the IP-issuing DHCP-server which records the MAC-address of the computer that was issued a specific IP-adress. MAC-addresses is supposed to be unique but AFAIK there are no records where a specific computer with a MAC has been sold and I doubt that there ever will be. MAC-adresses can be easily changed etc. and they don't survive routerhops so a MAC is basically confined to the "home-network". (which is not entirely true since you can sometimes query a remote computer of its MAC, regardless of routerhops. The personal ISS Blackice FW do this by using a Netbios query)

I am unsure what you mean by MasterKey?

I think btw that you answered your own question in your option 3, or at least touched the truth.

If I understand this correctly you have a website and often the things you mention on this website ends up on *other* websites, but you cannot see IP-addresses belong to that domain in your logs?

This could have a zillion explanations, the more prbable ones would be that the guys behind the other web-servers don't surf the net from IP-addresses in that domain, maybe their sites are at an Internethotel and their "surfadresses" are somewhere else.

It's no magic here I think and no conspirations either...

But do tell me what you mean by Masterkey...

// K

Originally posted by jesterbr549

I am expecting to see specific traffic of 'websites' that I know are visiting my site - but there is no indication that they are visiting my site on the IP Tracker that I use. [...]

Ah, thanks for the elaboration, that makes sense now.

Are you 100% confident that the IP tracking tool isn't being [in this case] obtuse, and dropping IP's from it's logging - maybe as an option to save logging IP's from, say the same subnet or netblock, or something similar - maybe as an option to save on analysis / storage overheads ?

Originally posted by kickass
I think btw that you answered your own question in your option 3, or at least touched the truth.

This could have a zillion explanations, the more prbable ones would be that the guys behind the other web-servers don't surf the net from IP-addresses in that domain, maybe their sites are at an Internethotel and their "surfadresses" are somewhere else.

It's no magic here I think and no conspirations either...

I'd agree that the explanation could well be something of this sort.

I don't host with my ISP, so I could perfectly fit into this scenario (where you'd see my ISP IP in your site logs, rather than my hosted website IP, but that's where (on my site), you'd read the narrative references, back to your site ... ).

Supporting this explanation: for an assortment of reasons it's not really very good practice to use your server to browse with anyway - back to that old maxim - "servers serve and workstations work" I guess. As a kinda aside - W2003 server adopts this approach straight out of 'out of the box' anyway now - lots of stuff locked down by default (including common browser components), until you explicitly open things up ...

I did very much like the grasshopper analogy btw, but I'm afraid I'm just not seeing the 'masterkey' supposition, alas ...

Originally posted by 0951Are you 100% confident that the IP tracking tool isn't being [in this case] obtuse, and dropping IP's from it's logging - maybe as an option to save logging IP's from, say the same subnet or netblock, or something similar - maybe as an option to save on analysis / storage overheads ?

Yeah this is a good question. When I first became suspicious, I got ahold of my Web Stat service and asked them and they said that if JAVA got turned off somehow, that IT WOULD NOT REGISTER. They checked and only told me "the visitor will register" but they didn't answer any of my other questions in that same email and I wonder if someone had turned off the JAVA on my Stat Service. This, then, begs the question - if so - can they do that anytime they want?

Originally posted by slickIf not, wouldnt there (theoretically) be some way to set up a system whereby you enter what information you are wanting from the internet and use the packets that other people are sending and receiving to get it? Wouldn't that be more or less cloaked?

This is certainly something that needs to be addressed by someone that knows what they are talking about.

However, it doesn't specifically apply in my case for the sole reason that those packets won't register until the Search Engine has recognized them, which gives you a few weeks or more before some thing on my site would turn up on others.

But, I would certainly like to see some comments on that...

Originally posted by kickassI am unsure what you mean by MasterKey?

www.abovetopsecret.com...

I think btw that you answered your own question in your option 3, or at least touched the truth.

If this were the case it would considerablty compound the situation as these other site are susposedly "antagonistic" to each other, to say the least. I have my doubts that this is the case.

If I understand this correctly you have a website and often the things you mention on this website ends up on *other* websites, but you cannot see IP-addresses belong to that domain in your logs?

That's correct and it is an understatement

This could have a zillion explanations, the more prbable ones would be that the guys behind the other web-servers don't surf the net from IP-addresses in that domain, maybe their sites are at an Internethotel and their "surfadresses" are somewhere else.

You miss the point - I would see that someone had called up the specific page that was subsequently used somewhere else. Do you see? I am seeing almost instantaneous response on my material when no one left a trace that they had 'hit' that page...

It's no magic here I think and no conspirations either...

I don't believe in magic. As far as conspiracy well, that is what we are trying to determine.



[edit on 10/28/04 by jesterbr549]

Things may be a little more complicated if things are what you say.
I like that...

First off I would like to comment on your MasterKey thoughts.

If you mean that the MasterKey would be some sort of technology that enables the keeper of the key access to whichever site s/he wants I can say that your idea isn't really correct. There are too much variations on the Internet, too many brands of webb-servers (both Open and Closed source) etc.etc. for this idea even to be feasible.

What could be used as a sort of MasterKey though is various newly-found exploits that haven't been properly patched yet at websites or other servers accepting traffic from the Internet. For instance, the Unicode vulnerability on IIS a couple of years ago could let you into almost every site that ran IIS, until they all were patched up. There is certainly a time-window from when a vulnerability is discovered to when the patches arrive that could be used for exploitation, but I doubt that this is what you meant by MasterKey?

Your problem with your website then:

If I understand correctly now, you have certain pages with information that somehow ends up on other sites very quickly (You mention the words:...almost instantaneous response on my material...) and you cannot see any hits whatsoever to that particular page in your statistics. But the information is "stolen" nonetheless. Is this correct?

If so, I can see 2 plausible scenarios here:

Scenario 1:
Your current statistics feature is flawed

I assume that this is not the webserver logs but some sort of webhotel-provider statistics. You mention Java in your thread, but I am unsure whether your provider has a Java-applet on your page or if you are talking about servlets = Java that runs on a server?

Try to get hold of the web-serverlogs, ie the logs that the webserver itself maintains, not your statistics that you speak of.

Every HTTP command, be it GET, POST or OPTIONS or whatever can be logged together with the IP-address of the client If the logging feature on the server is enabled. If your provider doesn't let you view these logs, consider changing provider. Your "mysterious viewer" will show up in these logs, if they browse to the webserver.

Could you provide me with your URL, either here or in a PM to me so I can take a look myself at your page? If possible, also provide me with URLs to the "other" sites.

Scenario 2:
Your "mysterious viewer" does not browse to your site at all

Perhaps they take the texts from somewhere else, which in this case probably would be your own computer - which I assume is the machine on which you write your texts before uploading them to the web-server?

You may have a RAT (Remote Access Trojan) or similar on your own box that captures keystrokes, intercept your mail etc. I know of several of these trojans that is quite "evil", killing off your anti-virus and your personal firewalls in memory (but pretending they still are in operation since the icons in the statusbar still shows them running).

PM me if you want to know how to check your own box.

// k

I'm willing to bet there's just a problem with the logging software.

Far fetched idea:
What are the possiblities of a hacker entering in the system and deleting any reference to themselves, including the IP's from the web access log?

Have you checked for any root kits)? (I know it's not always possible to tell