Friday, March 7, 2008


Note: Since I work for Intel, I won't, even in my personal life, divulge any personally identifiable information (PII) of an employee or consumer, so the details below, while this is going on, are altered for example's sake only so you can see what I woke up to this morning. Plus, IP address lookup is not an exact science by any means where the web and Internet are concerned.

This morning I noticed quite a few errors in our website's event logs (fed to me via RSS), so I peeked at a few and noticed some alerts that a person is attempting to use one of our services in a way it is not intended. Pretty funny that people are now even working on trying to hack AJAX-based application add-ons.

When I woke up this morning I opened up Firefox and all my usual tabs, which include Google Reader, where I have lots of subscriptions set up. One I like to monitor is a pointer to the event log on our web server. For this I have taken a copy of the Event Log RSS Feed Generator found on CodeProject.com and added it on our server for easy consumption of application errors, which all of our applications write to the log.




With all of the Intel Software Network Windows web-based offerings I like to log all errors in one place so I can fix these later, and in the case of what is going on today I see that some user is attempting to use our "Email a Friend" feature to try and send spam out to users. They have made more than 40 crafted attempts so far, which is getting quite annoying to have to flit through. We have reports on the administrator side as well, so there is no chance we would not catch this person if the emails started being sent, so no issue there.

Our "Email a Friend" feature is part of our "Common Services Framework", which is shared over our entire Intel Software Community website, and this piece is a bit of JavaScript code using jQuery tools/plug-ins from that very open community which I so love. This feature can be found here as well, for example's sake, on the Intel® Software Network home page.
I won't open up and say what restriction they are hitting up against, as I don't want to get into IP address banning as well, but suffice it to say they are not doing well at getting past the simple security I put in place. Below is a partial bit of the errors I am putting into the event log. Nothing special here, and as this person has made so many attempts to try and tier off our own internal email tool I don't feel so bad sharing it.

The following details are fictionalized: the IP address below was just made up for example's sake and to show off the code. In no way does it represent any real person's known details, and it is for illustration purposes only. Here is a snippet of the error details:

You can use http://api.hostip.info/?ip=140.168.69.129

Source: Home
Type: System.Exception
Message: Hacker Detection ----- Poster Details in this JSON object ----
[if ( typeof(getIPDetailsCallback) == 'undefined') var ipAddressDetails={"__type":"Home.IPLookupResults, Home, Version=1.0.2901.17376, Culture=neutral, PublicKeyToken=null","ipAddress":"140.168.69.129","name":"Sydney","countryName":"AUSTRALIA","countryAbbrev":"AU","coordinates":"151,-34"}; else getIPDetailsCallback({"__type":"Home.IPLookupResults, Home, Version=1.0.2901.17376, Culture=neutral, PublicKeyToken=null","ipAddress":"140.168.69.129","name":"Sydney","countryName":"AUSTRALIA","countryAbbrev":"AU","coordinates":"151,-34"});] attempted to send email through our website.. You can use http://api.hostip.info/?ip=140.168.69.129 to check that IP addrress if need be..
Stack Trace:
at Home.CommonServices.ProcessEAF(String eafmessage, String eafsubject, String eafurl, String eafemail, String eafrecipentemail)'

Notice that I pull the user's IP address and give that in the error message with easy linking to user details. Yes, I suppose from this we could track down this user's local constabulary and ask them to make a visit or something like that, but there is no real point in doing that as it's an endless chain of politics. Make it a point to visit the hostip.info home page, try your own IP address and see if it is close on the map they present. Hostip's map feature is quite neat, but I notice that GeoBytes gives perhaps better details.



GeoBytes gives the following details, but I don't see a pluggable API to use. Here is the GeoBytes lookup on the sample IP address above, which gives even more detailed and perhaps more exact lookup details.

Note that the accuracy of these details is always in question. I proffer the correct sequence for getting a user's IP address below, but it can be far from accurate for many reasons. Our own internal proxy has users thinking that I am in Santa Clara when in fact I am in Portland.

Here is some code that does the work of putting these details together.

If you're into C#, here is the code that pulls the details for the user's IP and from that the Geo data for this user.

    using System;
    using System.Xml;

    // The two methods below belong inside a class (declaration not shown in the post).

    // Looks up geo details for an IP address via hostip.info and returns them
    // wrapped in a JavaScript snippet. P1 is the address to look up; when it is
    // empty, the caller's address from GetUsersIP() is used.
    public static string GetIPDetails(string P1)
    {
        string rtnVal = "// Nothing";
        string ipAddress;

        if (P1 == null || P1 == "")
            ipAddress = GetUsersIP();
        else
            ipAddress = P1;

        IPLookupResults ilrs = new IPLookupResults();
        ilrs.ipAddress = ipAddress;

        try
        {
            if (!(ipAddress == null || ipAddress.Length == 0 || ipAddress == "unknown"))
            {
                // GetUrl is a helper (not shown in this post) that fetches a URL and
                // returns the response body. The address can come from a request
                // header, so escape it before placing it in the query string.
                rtnVal = GetUrl("http://api.hostip.info/?ip=" + Uri.EscapeDataString(ipAddress));

                // hostip.info answers in GML; register both namespaces for XPath.
                XmlNamespaceManager xmnsmgml = new XmlNamespaceManager(new XmlDocument().NameTable);
                xmnsmgml.AddNamespace("gml", "http://www.opengis.net/gml");
                xmnsmgml.AddNamespace("lc", "http://www.hostip.info/api");

                XmlDocument xd = new XmlDocument();
                xd.LoadXml(rtnVal);

                ilrs.ipAddress = ipAddress;
                ilrs.name = xd.SelectSingleNode("/lc:HostipLookupResultSet/gml:featureMember/lc:Hostip/gml:name", xmnsmgml).InnerText;
                ilrs.countryName = xd.SelectSingleNode("/lc:HostipLookupResultSet/gml:featureMember/lc:Hostip/lc:countryName", xmnsmgml).InnerText;
                ilrs.countryAbbrev = xd.SelectSingleNode("/lc:HostipLookupResultSet/gml:featureMember/lc:Hostip/lc:countryAbbrev", xmnsmgml).InnerText;

                // Coordinates are only present when the city is known.
                if (!(ilrs.name == "(Unknown city)" || ilrs.name == "(Private Address)"))
                    ilrs.coordinates = xd.SelectSingleNode("/lc:HostipLookupResultSet/gml:featureMember/lc:Hostip/lc:ipLocation/gml:PointProperty/gml:Point/gml:coordinates", xmnsmgml).InnerText;
            }
        }
        catch (Exception ex)
        {
            // A failed fetch or a missing node ends up here; the error text is
            // reported in the name field.
            ilrs.name = ex.Message;
        }

        // Serialize to JSON and wrap it so the page either receives a callback
        // or gets a global variable.
        rtnVal = AjaxPro.JavaScriptSerializer.Serialize(ilrs);
        rtnVal = "if ( typeof(getIPDetailsCallback) == 'undefined') var ipAddressDetails=" + rtnVal + "; else getIPDetailsCallback(" + rtnVal + ");";

        return rtnVal;
    }

    // Returns the first non-empty value of HTTP_CLIENT_IP, HTTP_X_FORWARDED_FOR
    // and REMOTE_ADDR, or "unknown". The first two are request headers: they are
    // set by the client or by proxies and can be forged, and X-Forwarded-For may
    // hold a comma-separated list. REMOTE_ADDR is the address of the connecting peer.
    public static string GetUsersIP()
    {
        System.Web.HttpContext current = System.Web.HttpContext.Current;
        string ipAddress = null;

        if (current.Request.ServerVariables["HTTP_CLIENT_IP"] != null)
            ipAddress = current.Request.ServerVariables["HTTP_CLIENT_IP"];

        if (ipAddress == null || ipAddress.Length == 0 || ipAddress == "unknown")
            if (current.Request.ServerVariables["HTTP_X_FORWARDED_FOR"] != null)
                ipAddress = current.Request.ServerVariables["HTTP_X_FORWARDED_FOR"];

        if (ipAddress == null || ipAddress.Length == 0 || ipAddress == "unknown")
            if (current.Request.ServerVariables["REMOTE_ADDR"] != null)
                ipAddress = current.Request.ServerVariables["REMOTE_ADDR"];

        if (ipAddress == null || ipAddress.Length == 0)
            ipAddress = "unknown";

        return ipAddress;
    }

    // Plain container that is serialized to JSON for the client.
    public class IPLookupResults
    {
        public string ipAddress = "";
        public string name = "";
        public string countryName = "";
        public string countryAbbrev = "";
        public string coordinates = "";
    }
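The header order in GetUsersIP() takes values that any client can send before it looks at REMOTE_ADDR. As an added example (not code from the original post), here is one way to resolve the address so that X-Forwarded-For is honoured only when the connection comes from a proxy you operate; the class name, the proxy addresses and the sample inputs are assumptions constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Net;

public static class ClientIpResolver   // hypothetical name, not from the post
{
    // Assumed allow-list: reverse proxies you operate yourself (constructed values).
    static readonly HashSet<IPAddress> TrustedProxies = new HashSet<IPAddress>
    {
        IPAddress.Parse("10.0.0.5"),
        IPAddress.Parse("10.0.0.6")
    };

    // remoteAddr:   REMOTE_ADDR, the TCP peer; the client cannot set it.
    // forwardedFor: raw HTTP_X_FORWARDED_FOR header; any client can send one.
    public static string Resolve(string remoteAddr, string forwardedFor)
    {
        IPAddress peer;
        if (!IPAddress.TryParse(remoteAddr ?? "", out peer))
            return "unknown";

        // Direct connection or unknown proxy: the header proves nothing.
        if (!TrustedProxies.Contains(peer) || string.IsNullOrEmpty(forwardedFor))
            return peer.ToString();

        // Each proxy appends the address it saw, so walk right to left and
        // return the first hop that is not one of our own proxies.
        string[] hops = forwardedFor.Split(',');
        for (int i = hops.Length - 1; i >= 0; i--)
        {
            IPAddress hop;
            if (!IPAddress.TryParse(hops[i].Trim(), out hop))
                break;                     // malformed entry: stop trusting the chain
            if (!TrustedProxies.Contains(hop))
                return hop.ToString();
        }
        return peer.ToString();            // nothing usable in the header
    }

    public static void Main()
    {
        // Constructed inputs using documentation address ranges.
        // Direct client sending a forged header: the header is ignored.
        Console.WriteLine(Resolve("203.0.113.9", "198.51.100.7"));
        // Via our proxy, client prepended a forged entry: rightmost untrusted hop wins.
        Console.WriteLine(Resolve("10.0.0.5", "192.0.2.1, 198.51.100.7"));
        // Via two of our proxies: both are skipped.
        Console.WriteLine(Resolve("10.0.0.6", "198.51.100.7, 10.0.0.5"));
    }
}
```

When logging an abuse attempt, recording both the resolved address and the raw header value keeps the forged entries available for later review.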



Net World Map Project is also a good resource page.

Hope you can make use of this in your own endeavors.

Kevin Pirkl



