An Exercise In Physically Locating Websites
Last weekend I noticed that some local websites had been hacked. I had a good chuckle and moved on. Last Monday one of those hacked websites was reported on in the local paper (I won't go into the details; you can read the article and comments yourself), so I thought it would be fun to quickly explain how to locate a web site's physical location.
First off, I feel I need to explain whois data for domains. The whois record for a domain holds the contact information the registrant supplied (along with the registrar and the name servers); it says nothing about where the site is actually hosted. Anyone who has registered a domain knows how easy it is to put practically anything you want in that data, and that you can change it any time you feel like it.
All that said, a domain whois lookup would tell you that (umm... let's just say) glenbar.net is registered through GoDaddy to Glen Barr of Dyersburg TN. One could assume, just because that is the location in his domain contact data, that he has his website on a server at his house in Dyersburg. It is possible, but most likely not. In fact, I know that glenbar.net is actually hosted on a server located in Scottsdale AZ and managed by GoDaddy.
How do I know this? Well let me tell ya... To get host information on a domain we first need to find out the IP of the server it's hosted on. So we roll on over to Dnsstuff and click 'Free DNS Tools' in the menu. Next we enter glenbar.net in the Traceroute box and submit. What shows up next is the list of routers the request had to travel through on its way to the site. For simplicity, we just need to focus on the last IP listed, because that is the address the domain name resolves to (a plain DNS lookup of the domain's A record gives the same IP; the traceroute just shows you the path as well). Keep in mind that on shared hosting, or behind a load balancer or CDN, that address belongs to the hosting provider's front end, not to a machine dedicated to this one site.
Next we go back to 'DNS Tools', enter this IP into the 'IP Information' box and hit submit. You should get geolocation data on that IP, including city and country. That is the location of the server, or more precisely the location the IP block is registered to, which is usually the hosting company's data center or office rather than an exact street address; country is reliable, city is usually right, anything finer is a guess. If you get nothing useful, go back and run the traceroute again to make sure it didn't time out early (somewhat common): if the last line is '* * *' or the last IP isn't the one the domain resolves to, you were looking at an intermediate router, not the host.
You can also try cqcounter.com for both IP and geolocation lookups on domains. Maxmind is also very highly regarded as an expert in geolocating by IP. Or just search Google for 'ip by domain', 'host location by domain', 'ip location' or any variation; there is a slew of sites that do it with varying levels of accuracy. Just remember we are not looking for domain whois data; we went through that, right?
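The same steps from the command line, as an added example that is not part of the original post: resolve the domain, traceroute to it, take the last hop, then look up that IP's registration record. Instead of a geolocation web page it reads RIR whois output for the IP, which gives the registered owner and location of the address block (the "registered location" caveat above). The traceroute and whois texts embedded below are constructed samples using RFC 5737 documentation addresses and a made-up hosting company, not the real records for any site named in this post; the live helpers at the end shell out to traceroute(8) and whois(1) and need network access.

```python
"""Locate a web site's hosting network: resolve, traceroute, take the last
hop, then whois that IP. Added example, not code from the original post.
Sample texts are constructed (RFC 5737 documentation addresses)."""
import ipaddress
import re
import socket
import subprocess

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def _first_ipv4(text):
    """First syntactically valid IPv4 address in text, or None."""
    for candidate in IPV4.findall(text):
        try:
            return str(ipaddress.IPv4Address(candidate))
        except ipaddress.AddressValueError:
            continue
    return None


def parse_traceroute(text):
    """Parse traceroute output (with or without -n). 'reached' is True only
    when the last answering hop is the target from the header line; a trace
    that ends in '* * *' timed out early and its last hop is just a router."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    target = None
    if lines and lines[0].lstrip().startswith("traceroute to"):
        target = _first_ipv4(lines[0])
        lines = lines[1:]
    hops = []
    for ln in lines:
        m = re.match(r"\s*(\d+)\s+(.*)", ln)
        if m:
            hops.append((int(m.group(1)), _first_ipv4(m.group(2))))
    answered = [ip for _, ip in hops if ip]
    last_hop = answered[-1] if answered else None
    return {"target": target, "hops": hops, "last_hop": last_hop,
            "reached": last_hop is not None and last_hop == target}


def parse_whois(text):
    """RIR whois 'Key: value' lines into a dict (keys lowercased, comment
    lines starting with # or % skipped, first value for a key wins)."""
    fields = {}
    for ln in text.splitlines():
        if not ln.strip() or ln.lstrip().startswith(("#", "%")):
            continue
        key, sep, value = ln.partition(":")
        if sep and key.strip() and value.strip():
            fields.setdefault(key.strip().lower(), value.strip())
    return fields


def describe_host(trace_text, whois_text):
    """The answer the post is after: which IP serves the site and where that
    block is registered. Refuses to guess when the trace never got there."""
    trace = parse_traceroute(trace_text)
    if not trace["reached"]:
        return {"ip": trace["last_hop"], "reached": False,
                "note": "traceroute timed out early; last hop is a router"}
    who = parse_whois(whois_text)
    loc = (who.get("city"), who.get("stateprov"), who.get("country"))
    return {"ip": trace["last_hop"], "reached": True,
            "org": who.get("orgname") or who.get("netname"),
            "location": ", ".join(v for v in loc if v)}


# Live helpers (hypothetical wrappers around the real tools; need network).
def resolve(domain):
    return socket.gethostbyname(domain)


def run_traceroute(domain):
    return subprocess.run(["traceroute", "-n", "-w", "2", domain],
                          capture_output=True, text=True).stdout


def whois_ip(ip):
    return subprocess.run(["whois", ip], capture_output=True, text=True).stdout


# Constructed samples: documentation addresses and a fictitious host.
SAMPLE_TRACE = """\
traceroute to www.example.com (192.0.2.10), 30 hops max, 60 byte packets
 1  198.51.100.1  0.512 ms  0.498 ms  0.480 ms
 2  203.0.113.9  8.231 ms  8.190 ms  8.150 ms
 3  * * *
 4  203.0.113.77  31.004 ms  30.950 ms  30.912 ms
 5  192.0.2.10  42.118 ms  42.070 ms  42.030 ms
"""
SAMPLE_TRACE_TIMEOUT = """\
traceroute to www.example.com (192.0.2.10), 30 hops max, 60 byte packets
 1  198.51.100.1  0.512 ms  0.498 ms  0.480 ms
 2  203.0.113.9  8.231 ms  8.190 ms  8.150 ms
 3  * * *
 4  * * *
"""
SAMPLE_WHOIS = """\
# ARIN-style record, constructed for this example
NetRange:       192.0.2.0 - 192.0.2.255
NetName:        EXAMPLE-HOSTING-NET
OrgName:        Example Hosting LLC
City:           Scottsdale
StateProv:      AZ
Country:        US
"""

if __name__ == "__main__":
    print(describe_host(SAMPLE_TRACE, SAMPLE_WHOIS))
    print(describe_host(SAMPLE_TRACE_TIMEOUT, SAMPLE_WHOIS))
```

For a real domain the same pipeline is `describe_host(run_traceroute(d), whois_ip(resolve(d)))`; the point of the `reached` check is that a trace which dies in `* * *` hands you a backbone router's address, and whois on that would place the "site" at some transit provider rather than its host.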
So what do we get out of all this, looking back at our local websites hacked last weekend? Do this process on dyerhistory.com (the site reported on), pelican360data.com (the site in question), hometownnetwork.net, dyersburgscene.com, dyersburgtn.com, and neilsbbqandgrill.com (all hacked the same way). As of last Tuesday it revealed an interesting pattern…