#1

I visit a forum which is said to be off-shore.

Whois indicates a US Network and US Domain name registration.

Are there any other tools at my disposal to truly determine if the forum is truly hosted overseas i.e. Not on US soil.

Many thanks

Mr Free User

#2

Mr Free User wrote:
> I visit a forum which is said to be off-shore.
>
> Whois indicates a US Network and US Domain name registration.
>
> Are there any other tools at my disposal to truly determine if the
> forum is truly hosted overseas i.e. Not on US soil.
>
> Many thanks

Go here
http://www.dnsstuff.com/
And put the domain into the TraceRoute box.

Typing tracert yourdomain.com from a command prompt will lead you to the same place but the dnsstuff page will give you more information.

CJ

#3

CJ wrote:
> Mr Free User wrote:
>> I visit a forum which is said to be off-shore.
>> Whois indicates a US Network and US Domain name registration.
>>
>> Are there any other tools at my disposal to truly determine if the
>> forum is truly hosted overseas i.e. Not on US soil.
>
> Go here
> http://www.dnsstuff.com/

Thanks been there already.

The IP leads to Colorado US.
DNS Registrant is US.

Could this IP then forward to an offshore location?

Mr Free User

#4

On Sun, 05 Mar 2006 23:54:34 +0000, Mr Free User wrote:
>CJ wrote:
>> Mr Free User wrote:
>>> I visit a forum which is said to be off-shore.
>>> Whois indicates a US Network and US Domain name registration.
>>>
>>> Are there any other tools at my disposal to truly determine if the
>>> forum is truly hosted overseas i.e. Not on US soil.
>>
>> Go here
>> http://www.dnsstuff.com/
>
>Thanks been there already.
>
>The IP leads to Colorado US.
>DNS Registrant is US.
>
>Could this IP then forward to an offshore location?
###############################
I can register a domain in the US and pay someone in Europe to host the site. Why don't you tell us the IP and the name of the forum and we'll look.

donnie

#5

"Mr Free User" wrote in message
news:440b2215$0$48822$ reenews.net...
>I visit a forum which is said to be off-shore.
>
> Whois indicates a US Network and US Domain name registration.
>
> Are there any other tools at my disposal to truly determine if the forum
> is truly hosted overseas i.e. Not on US soil.
>
> Many thanks

Why not try tracert ipaddy and see where it takes you???

Open a DOS window and type tracert IP <enter>

Dazza

#6

Mr Free User wrote:
> CJ wrote:
>> Mr Free User wrote:
>>> I visit a forum which is said to be off-shore.
>>> Whois indicates a US Network and US Domain name registration.
>>>
>>> Are there any other tools at my disposal to truly determine if the
>>> forum is truly hosted overseas i.e. Not on US soil.
>>
>> Go here
>> http://www.dnsstuff.com/
>
> Thanks been there already.
>
> The IP leads to Colorado US.
> DNS Registrant is US.
>
> Could this IP then forward to an offshore location?

As I understand it, if the trace route ends in Colorado, that is where the server is.

If the server then sends you somewhere else when you open the page, that must be another IP/domain, in which case you should see that in the address bar of your browser.

Why not post the IP/domain and let others here try to locate it?

CJ

#7

Mr Free User wrote:
> CJ wrote:
>> Mr Free User wrote:
>>> I visit a forum which is said to be off-shore. Whois indicates a US
>>> Network and US Domain name registration.
>>>
>>> Are there any other tools at my disposal to truly determine if the
>>> forum is truly hosted overseas i.e. Not on US soil.
>>
>> Go here
>> http://www.dnsstuff.com/
>
> Thanks been there already.
>
> The IP leads to Colorado US.
> DNS Registrant is US.
>
> Could this IP then forward to an offshore location?

Yes, and no. It's possible that records point to an errant country of record, but once an IP resolves to a machine it's not going to be "forwarded" anywhere. Even if it is it wouldn't matter because all content would have to pass through that server anyway, so it's as equally open to being compromised.

It's also possible you're looking for the wrong thing. The server 'www.somehost.com' can be a completely different machine from 'forums.somehost.com', for example. And plain old 'somehost.com' might resolve to a third place entirely.

IOW, if there's an error it's either in someone's records, or your detective skills. it is true it proves someone "untrustworthy" to put it politely.

There's also an issue of why claims of "off shore" are being made in the first place, and the usefulness and validity of political boundaries as a "security tool" to begin with. In a surprising number of scenarios it's discovered that machines located in remote locations are more vulnerable to the types of compromises they claim to be safer from. TLA snoops have considerably more authority in some places than they do others, and agreements between jurisdictions can actually make it EASIER to compromise a remote machine than it is one in your own back yard.

To know if a particular server is "safer", one has to examine not only the laws of that location and their own, but the relationship between the two.

If you want real answers, give real information. Tell the class what forum you're talking about specifically, and we'll check to make sure you're not looking at the wrong IP to begin with, then tell you exactly where it's located with a really high degree of accuracy.

George Orwell

#8

George Orwell wrote:
> If you want real answers, give real information. Tell the class what forum
> you're talking about specifically, and we'll check to make sure you're not
> looking at the wrong IP to begin with, then tell you exactly where it's
> located with a really high degree of accuracy.

As requested opreview dot net

Mr Free User

#9

CJ wrote:
>>> Go here
>>> http://www.dnsstuff.com/
>>
>> Thanks been there already.
>>
>> The IP leads to Colorado US.
>> DNS Registrant is US.
>>
>> Could this IP then forward to an offshore location?
>
> As I understand it, if the trace route ends in Colorado, that is where the
> server is.

First, how do you know the traceroute ends in Colorado? It shows you a resolved name and an IP, and a bit of assurance in that you can sometimes see locational information in hops just prior to your destination, but in the end you're left with imperfect information at best. Geolocation and CIDR information aren't always completely accurate.

> If the server then sends you somewhere else when you open the page, that
> must be another IP/domain, in which case you should see that in the
> address bar of your browser.

Not necessarily. There's any number of ways to transparently forward data from one location to another. More commonly this is done by clients to give the appearance that they are the ones residing in falsified locations, but the exact same technology can be applied to the other end of the connection.

The same VPN setup that makes you look like you're surfing from your privacy provider can make it appear as though the web page you're downloading is coming from what amounts to an "anonymizing proxy", to put it in common terms.

You're not always looking at information that's fed directly from the machine you're getting it from. A good example would be Google, which feeds people data from any number of server clusters in God knows how many different locations, but does it in such a way that you only see it as a page coming from a single machine. This sort of distributed database really isn't at all that uncommon. It would probably be unusual for a little known web forum to be using it, but I could see how/why they might want to simply "proxy" the forum entirely.

Just some thoughts.....

George Orwell

#10

On Tue, 07 Mar 200600, in the Usenet newsgroup alt.computer.security, in article
<440d66cb$0$76207$ ews.net>, Mr Free User wrote:
>George Orwell wrote:
>> If you want real answers, give real information.
>As requested opreview dot net

Registrant:
 Miriam Schonberger
 Miriam Schonberger ()
 12-150 E Briarwood Ave Suite 348
 Centennial
 Colorado,80112
 US
 Tel. +1.30364998

Creation Date: 03-Feb-2006

However, that smells funny. 'Centennial, Colorado' is a suburb of Denver, about 16 miles South of the state capital building. The address itself seems to be munged.

[compton ~]$ host opreview.net
opreview.net has address 72.20.26.169
opreview.net mail is handled (pri=0) by opreview.net
[compton ~]$ host 72.20.26.169
169.26.20.72.IN-ADDR.ARPA domain name pointer spunk.voltnet.org
[compton ~]$

Voltnet.org is hiding their registration information through a mailbox at what appears to be the UPS Store at Los Angeles International Airport. The registration data also has what appears to be "inconsistent" information. The nameservers authoritative for opreview.net are _registered_ in "Dublin, Ireland", again with "inconsistent" information, but TTLs strongly suggest otherwise.

The IP address is assigned to Staminus Communications in Fullerton, CA, but it doesn't appear to be on line at the moment, and Staminus is not responding to whois queries. A trace blackholes in Los Angeles. Ah, it's a firewall - looks like the facility _MAY_BE_ in Irvine, CA.

However as others have pointed out, that itself is meaningless. Were you to look up my employer, you'd find a New York state address, but the last host to respond to a trace is near San Francisco. Looking at my headers, you'd find I'm probably in Arizona, but other facilities of the company are in Japan, France, Brazil, and elsewhere. Oh, and I'm not posting from their address space.

So the question is, why is it important that the server be 'off-shore'? There is (without legal intervention) very little you can do to trace it to an actual location, and who knows - it might be being forwarded to a server in a basement across the river from Bethesda, Maryland (though I doubt that very much - too crude). I'll say this much - the server is trying to hide a lot of data.

Old guy

Moe Trin
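
The `host` lookups in post #10, combined with the point in post #7 that 'www.somehost.com', 'forums.somehost.com' and 'somehost.com' can be different machines, as an added example that is not part of the thread: a Python parser for `host` output that groups names by address and lists PTR names falling under another domain. The sample output is constructed; `otherhoster.example`, the documentation-range addresses and the two-label `base_domain` shortcut are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the `host` output quoted in the thread.
# somehost.com is the placeholder name from post #7; the addresses are RFC 5737
# documentation ranges and otherhoster.example is hypothetical.
SAMPLE = """\
somehost.com has address 192.0.2.10
www.somehost.com has address 192.0.2.10
forums.somehost.com has address 198.51.100.7
somehost.com mail is handled (pri=0) by somehost.com
10.2.0.192.IN-ADDR.ARPA domain name pointer web1.somehost.com
7.100.51.198.IN-ADDR.ARPA domain name pointer box7.otherhoster.example
"""

A_RE = re.compile(r"^(\S+) has address (\d+\.\d+\.\d+\.\d+)$")
PTR_RE = re.compile(
    r"^(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa\.? domain name pointer (\S+?)\.?$",
    re.IGNORECASE)

def parse_host_output(text):
    """Return (name -> set of IPv4 addresses, address -> set of PTR names)."""
    forward, reverse = defaultdict(set), defaultdict(set)
    for line in map(str.strip, text.splitlines()):
        if m := A_RE.match(line):
            forward[m.group(1).lower().rstrip(".")].add(m.group(2))
        elif m := PTR_RE.match(line):
            o4, o3, o2, o1 = m.group(1, 2, 3, 4)  # in-addr.arpa reverses the octets
            reverse[f"{o1}.{o2}.{o3}.{o4}"].add(m.group(5).lower())
    return forward, reverse

def base_domain(name):
    """Last two labels only: a simplification that ignores suffixes like co.uk."""
    return ".".join(name.split(".")[-2:])

def summarize(text):
    """One record per address: names sharing it, its PTRs, PTRs under another domain."""
    forward, reverse = parse_host_output(text)
    by_ip = defaultdict(set)
    for name, ips in forward.items():
        for ip in ips:
            by_ip[ip].add(name)
    report = []
    for ip in sorted(by_ip):
        names, ptrs = sorted(by_ip[ip]), sorted(reverse.get(ip, ()))
        owners = {base_domain(n) for n in names}
        other = [p for p in ptrs if base_domain(p) not in owners]
        report.append({"ip": ip, "names": names, "ptr": ptrs, "ptr_other_domain": other})
    return report
```

Calling `summarize(SAMPLE)` returns one record per address. A PTR under another domain, like spunk.voltnet.org in the thread, names whoever controls the reverse zone for that address block, which says who hosts the machine rather than where it physically sits.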