
Pwned by the Owner 2: Tracking Down the Thief’s Whereabouts

Trying to get his stolen computer back, Andrew ‘Zoz’ Brooks sought ways to figure out where it was, and had some success owing to smart cyber tricks.

Learning the Machine’s Location

No success searching eBay and Craigslist

What I did have was the serial number of the machine and the stats of what machine it was, so I started to look for it in the kind of usual places you would think someone would dispose of a machine: I started searching eBay and Craigslist for months and I didn’t find it. Fuck!

DynDNS Updater – might help

Someone asked me almost immediately when it got stolen: “If it gets plugged back into the network, will you be able to find it again?” And I thought: “Yes, I’m running a DynDNS Updater. It will update the domain record and I’ll see it again!”

And then I thought about it a bit more: “Well, the machine is set to auto-boot into single user mode. So my data security policy at that time could definitely have used some work,” and I thought: “Well, the guy could boot into it, but it’s not going to get back on the network, because I’m pretty sure the network settings are locked and it’s on an intranet, so the thief is not going to be easily able to reconnect it to the network, unless they happen to have an intranet with the same settings as I did – unlikely.” So, fuck!

Even with my legendary stubbornness, I eventually gave up looking for the machine on sale sites and trying to get people to go to places for me. I was in San Francisco filming “Prototype This!” at that time, and I was trying to get people in Boston to go to flea markets for me and look for it, and they’re telling me to fuck off, as you would expect.

DynDNS account expiration warning email

So, alright, time passes. Now, if you use DynDNS and you use the automatic updating service, if you don’t update it for a while you start to get messages like this (see image) which say: “Your account looks inactive, so you can either just let your account be deleted or you can click on this link and reactivate it.”

I would click on these links once a month, because I thought: “Why set it up again if I start using it again?” And at some point I noticed something; I thought: “That’s funny; I don’t remember getting one of those emails in a while. I wonder what’s up with that.”

DynDNS host update log

So I log into DynDNS and there I see: holy shit, 2 years later that domain record has started to be updated. What the fuck? So, I quickly nslookup the IP, and… pretty interesting: my machine that was stolen in Boston now seems to be on a cox.net dial-up in Las Vegas (see image below).

nslookup

So I called the cops right away, and they said: “Oh yeah, we’ll subpoena that IP record.” And I said: “Well, you’ve got to make sure that you get a historical record for this, because this is a dial-up, a dynamic IP, it’s going to change a lot, it’s going to be totally worthless if you look it up now and it’s not assigned to anyone or it’s assigned to someone different.” And, sure enough, they came back a month later with the subpoena results that said that the IP address wasn’t registered to anyone. No shit.

Remote Access Fun

SSH did the trick

I wasn’t staying idle in the meantime waiting for them. First thing I did of course was ping it and see if it was up, but it wasn’t: you know, it’s a dial-up, it’s not always online. So let’s do that thing a whole shitload all the time and wait for it to come back. And sooner or later it did come back. Let’s see if we can still SSH into that box (see image above). Fuck yeah!
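The two things the story relies on, noticing that the dynamic DNS record had started updating again and then polling the host until the dial-up connection happened to be up, are easy to automate, and doing so also produces the historical record of IP assignments that the subpoena lacked. The script below is an added example, not something from Zoz’s talk or from DynDNS: it resolves an assumed hostname (`stolen-box.example.net`) at a fixed interval, does a TCP connect check against the SSH port, and reports every IP change and every online/offline transition with a timestamp. The 192.0.2.x addresses in the comments are constructed placeholders.

```python
"""Monitor a dynamic-DNS hostname for IP changes and reachability transitions.

Added example (not from the original talk). Hostname, port and interval
are assumptions; the lookup functions are parameters so the transition
logic can be exercised offline with fakes.
"""
import socket
import time
from datetime import datetime, timezone
from typing import Callable, Iterable, List, Optional, Tuple

Observation = Tuple[str, Optional[str], bool]  # (timestamp, ip or None, reachable)


def resolve(hostname: str) -> Optional[str]:
    """Forward-resolve the hostname to an IPv4 address; None if it does not resolve."""
    try:
        return socket.gethostbyname(hostname)
    except socket.gaierror:
        return None


def reverse_lookup(ip: str) -> Optional[str]:
    """PTR lookup. The PTR name often encodes the ISP and region (the talk's
    cox.net dial-up pool is that kind of hint), which is what the nslookup showed."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def is_reachable(ip: str, port: int, timeout: float = 3.0) -> bool:
    """TCP connect check: a host that is offline, or a closed/filtered port, gives False."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def poll(hostname: str, port: int, samples: int, interval: float,
         resolver: Callable[[str], Optional[str]] = resolve,
         checker: Callable[[str, int], bool] = is_reachable,
         sleep: Callable[[float], None] = time.sleep) -> List[Observation]:
    """Take `samples` observations `interval` seconds apart and return them all,
    so that the record survives even after the dynamic IP has been reassigned."""
    observations: List[Observation] = []
    for i in range(samples):
        ts = datetime.now(timezone.utc).isoformat(timespec="seconds")
        ip = resolver(hostname)
        up = bool(ip) and checker(ip, port)
        observations.append((ts, ip, up))
        if i < samples - 1:
            sleep(interval)
    return observations


def detect_events(observations: Iterable[Observation]) -> List[Tuple[str, str]]:
    """Reduce raw samples to transitions: each IP change (the DynDNS update)
    and each online/offline flip (the dial-up coming and going)."""
    events: List[Tuple[str, str]] = []
    last_ip: Optional[str] = None
    last_up = False
    for ts, ip, up in observations:
        if ip != last_ip:
            events.append((ts, f"ip {last_ip} -> {ip}"))
            last_ip = ip
        if up != last_up:
            events.append((ts, "online" if up else "offline"))
            last_up = up
    return events


if __name__ == "__main__":
    # Assumed hostname and SSH port; small sample count so a demo run finishes quickly.
    obs = poll("stolen-box.example.net", 22, samples=3, interval=5)
    for ts, event in detect_events(obs):
        print(ts, event)
    if obs and obs[-1][1]:
        print("PTR for last IP:", reverse_lookup(obs[-1][1]))
```

In a real deployment the observations would be appended to a file rather than kept in memory, since the whole point is having the assignment history when someone asks for it weeks later.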

VNC works wonders!

SSH is not the only service I’m running on that machine, I’m also running VNC, so let’s see if that’s still up (see image). So, I can still SSH to it, I can still VNC to it; the machine has not been rooted, reformatted or locked down. But he did at least go to the trouble of changing my desktop background, I’ll give him that.

Now, this is a Macintosh, so we can enter things on the command line that make it do things: like text-to-speech that comes out of the built-in speaker with no apparent window or source: “I am going to get you, motherfucker!”
