Today I recieved my very first real live troll. The person loved me so much they read at least three separate articles. The only reason I know they read three separate articles is because I recieved three different comments, one per article. If feel so happy I'm posting all three of them today! I'll take it directly from haloscan so I don't miss any information:
So why does the US sponsor terrorism worldwide, including in Iraq? Come on blame everything on Zarqawi--as if the US paid him enough already to do that much stuff!
10.06.04 - 6:57 am
Can't Pole kielbasa halal no matter how you blow up those sausage heads. Die Polish scum, die.
10.06.04 - 6:55 am
Why They FightWho will win the 15 year long US-Iraq Conflict? What sort of post-war society will result in Iraq? What sort of post-war society will result in the USA?For the US nationalists (including quite a few 'leftists'), a brink draws into view, as they are forced to contemplate the unthinkable: A few thousand rag-tag Iraqi Arab insurgents stood up to the Americans when all the world scurried to do the US's bidding.
Will the future accounts write: The Iraqi insurgency saved the world from American hegemony, and started a chain of events that caused the US permanent war, homeland security, national security state and military empire to implode.
10.06.04 - 6:53 am
I'm not going to comment on the grammar, wording or lack of substance in these comments. I'm going to concentrate on where he screwed up.
Source Tracing 101
What can we discover from the Haloscan data that we normally could not from a standard comments system?
The name: BUSHSUCKS, although not very original is fairly standard in most comments systems. Many typepad accounts will force you to log in before you comment giving you a registered name. Unfortunately, they are not free. So, nothing to be gained from the name.
Email: BUSHSUCKS@eatmeyouwarwhore.com, he got fairly creative with the wording. (Note to self: forward "eat me you war whore" to Daisy for her collection of Ad Hominem's.) Unfortunately, the email is obviously bogus, creative but bogus. I noticed that Citizen Smash checks your first comments for validity and constructiveness and I am fairly sure that this would not pass his litmus test. So the e-mail is out what's next?
IP: 220.127.116.11, in the words of many a hacker: pwn3d! Many people do not realize that their IP is tagged on nearly everything they do on the internet. Haloscan, as you can see, records your IP every time you make a comment. As usual, Haloscan Rocks! The standard blogger comments system, powered by pyra, does not provide you with a source IP. So, now that we have the source IP what do you do with it?
Hunting the IP
Frigentenly enough, the most powerful tool in your arsenal is PING. Ping has the dual ability of normally determining if a system in the world is online and, DNS willing, the name of the system as well. As a network security professional this is my most frequestly used tool.
Another very important tool is the NBTSTAT command. This command, when used properly, will tell you the machine name, online status, open shares, and the hardware address (or MAC address). Sometimes a system will have shut down your ability to ping it. Sometimes they forget to turn block out NBTSTAT as well. It's always a good backup strategy.
Okay, now what if the box is offline? There is an agency that has control of all IP's in the world. They are called the American Registry for Internet Numbers or ARIN for short. If anyone wants to buy a block of IP's they have to do it through ARIN or one of its subsidiaries. The tool on ARIN's site that will tell you who owns what IP is called WHOIS. All you have to do is punch in a couple of numbers and some dots and POOF! you get the owner's address, email, address, and sometimes a phone number and administrator's name. Remember, this gives you the owner of a BLOCK of IP's, not every individual IP. It will narrow your field down remarkably.
Now that the very basics have been provided to you, and I do mean very basics, we can endeavor into a practical application.
So why is Tororu (Japanese for Troll) so important?
Here is our Source IP:
Our first task is to attempt a ping:
c:\>ping -a 18.104.22.168
pinging 22.214.171.124 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 126.96.36.199:
Packets: Sent = 4, Recieved = 0, Lost = 4 (100% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
Okay, it appears he is not online or ping is blocked. Let's go to our next step: NBTSTAT.
c:\>nbtstat -a 188.8.131.52
Local Area Connection:
Node IpAddress: [184.108.40.206] Scope Id 
Host Not Found.
Apparently, the box is really down. As our last step today we go to ARIN for a general idea of where this guy is coming from.
Search results for: 220.127.116.11
OrgName: Japan Network Information Center
Address: Kokusai-kougyou-Kanda Bldg 6F
Address: 2-3-4 Uchikanda
NetRange: 18.104.22.168 - 22.214.171.124
NetType: Direct Allocation
Comment: Japan Network Information Center(JPNIC) is an
Comment: National internet registry of Japan. Please search
Comment: whois.nic.ad.jp for more information about this range.
Comment: % whois -h whois.nic.ad.jp ***.***.***.***/e
TechName: Japan Network Information Center
OrgTechName: Japan Network Information Center
# ARIN WHOIS database, last updated 2004-10-06 19:10
We've now narrowed it down to Japan. Many people would stop here but not me. I went to www.jpnic.net and did WHOIS again. Here's the results:
[ JPNIC & JPRS database provides information on network administration. Its ]
[ use is restricted to network administration purposes. For further infor- ]
[ mation, use 'whois -h whois.nic.ad.jp help'. To suppress Japanese output, ]
[ add'/e' at the end of command, e.g. 'whois -h whois.nic.ad.jp xxx/e'. ]
Network Information: [ネットワーク情報]
a. [IPネットワークアドレス] 126.96.36.199
b. [ネットワーク名] FINES
f. [組織名] 福井大学
g. [Organization] Fukui University
m. [運用責任者] KA045JP
n. [技術連絡担当者] MT1650JP
n. [技術連絡担当者] SS129JP
p. [ネームサーバ] ns.nca5.ad.jp
p. [ネームサーバ] icpc.icpc.fukui-u.ac.jp
y. [通知アドレス] email@example.com
[最終更新] 1999/01/13 12:09:50 (JST)
It looks like Fukui University owns the IP block of 188.8.131.52. Unless it's a HUGE university I suspect they are sub-leasing their IPs, possibly through a modem bank. I'll be awaiting another call from BUSHSUCKS for further analysis. Yes, my very first troll came all the way from Fukui University in Japan to spread his love on me. I shall dub him Tororu, the Japanese word for troll. I'm an international star!
I hope you have enjoyed your course on Source Tracing 101. If you have any questions or comments feel free to annotate. But remember, I'll have your IP ;) .
If anyone would care to make an analysis of the text of BUSHSUCKS' comments I will post them here tommorow.
37 minutes ago