
WhoDat - Roosl's WhoIs/Web Utility - User Guide
Introduction
Thank you for trying and purchasing Roosl's WhoDat! I'm certain you'll love this program as much as I did putting it together. Remember... Support is always just an e-mail away!
This utility program provides methods of identifying who web addresses belong (or are registered) to. As well, using information such as URLs (links), e-mail addresses, e-mail headers and domain names, you can see where information really comes from, and where URLs really take you when you click on them, and even read the web page's source code to see what it might be doing (such as malevolent javascript) other than displaying information.
This program actually came about as a result of my investigation into (and curiosity about) fraudulent "phishing" spam e-mail. As part of this guide, and an example of real use, I'll share with you the actual e-mail data and the steps used with this software to delve into the origin of the mail and the way these fools "hijack" your browser and a major bank's website.
Features:
Standard "Who Is" searches.
Get "Who Is" data by domain or IP address.
Find the IP address for a host, or the host name for an IP address.
View the source code for any web page.
Fraud tracking
- An example of tracking an actual spam/phish e-mail is below.
Cache (store history) up to 1000 searches.
Save search results to text files.
Instructions...
Setup and Processes:
The detailed instructions describe the input fields (edit boxes), options (checkboxes), and processes.
Be certain to see the setup, trial period and licensing agreement section below.
This image of the program interface is a context map to sections of the help text below. You may click an area (button, box, etc.) in the image to jump to help for that item. Your mouse pointer will indicate each help section as you move it over the image:
In the application itself, you may move among the fields, boxes and buttons with the TAB key and with Alt-keys as well as your mouse. The Alt-keys are underlined on the screen. For example, holding Alt and typing X is the same as clicking the Exit button.
A tutorial example of tracking fraud (using an actual spam e-mail I received) is provided below as well.
Free Trial Period and Licensing
You may try this program free for 30 days. Anytime during the trial period (and certainly when it expires), you may purchase a permanent license if you like the program and want to keep it.
During the trial period, when you start the program, a reminder box similar to this one will pop up which displays the number of days remaining in your trial period.

A license code can be entered into this box at any time during the trial period. If the 30 days have expired, this box will let you know, and the program will not run unless you enter a valid license code.
After you purchase a license (via PayPal) at my website, you will be sent a license code in an e-mail message. You simply paste this code into the box and press the "Accept" button. During the trial period, you may just press Cancel.
Once you have applied a valid license, all functionality is available, and the reminder box will stop annoying you! You may download the newest version anytime without purchasing a new license, and you'll receive news regarding updates!
You may purchase your license anytime via the PayPal button displayed on the page where you downloaded the program. The "Register" button on the license prompt box will open your browser and direct you to the web page.
Initial Setup and Install Options
I suggest you check the download page (if you didn't just read it) for newest information regarding Vista UAC and other notes I may have added since this guide was updated.
The first time you run the program, the following screen appears:
You may keep the program where you have it, or have it installed elsewhere, such as the suggested location. Either way, you may also opt to have it automatically create a shortcut on your desktop. Once setup is complete, the program will restart from its installed location and be ready to go. The 30 day free trial period will then begin.
Everything the program needs is kept in the same folder. This includes the User Guide HTML file (and its images), supporting libraries (DLL), and data. All other files bundled with the program are extracted into this folder whenever the program is run.
If you get an updated program later, you should copy it into the same folder (you may of course rename the existing one as a backup precaution). If the new copy contains other updates (to the User Guide for example), they will automatically be extracted again.
If you delete any of these files, the bundled files will re-appear the next time you run the program. If you delete your data files (.dat), you will lose all of your search records (cache) and settings!
The first time you run the program, the license agreement screen also appears:
Review our agreement, and acknowledge by pressing "I Agree". If you do not accept the agreement, press Cancel and the program will exit. Once accepted, the agreement screen will no longer pop up, and you may proceed.
Usage Details
Here are the details of the options and setup, as well as certain handy features...
[Edit box]Domain, E-mail or IP Address:
Enter the domain, website URL or an IP address you want to search for. For example, you may enter "Roosl.com", "www.Roosl.com", "http://Roosl.com", or "64.140.128.15". For a whois search, all you need is a domain name, but I've found that some IP addresses are only found with or without the "www.". So, if a record is not found one way, the program will automatically perform a second search.
For the "Get Source" option, enter a fully qualified URL, such as http://Roosl.com. This will get the default "home" or index page at the URL. If you know the specific file name under a domain, you may enter the full URL to that file. For example, http://www.roosl.com/cm.html will retrieve the HTML code for my page on Configuration Management. Note that you can get any file this way, not just HTML. Files retrieved at websites ending in PHP, ASP, CFM, etc. are still just HTML text files, but you may not see the same text later, as many of these are dynamically generated. Unless you're familiar with the content, some (even pure HTML) may appear to be hard to read, even if only because their authors are slobs.
[Down Arrow]:
Use this button to select a previous record from your cache (history). As you use the program, each of your searches is stored, and this down arrow displays them in order. The last record displayed is shown as the current one. When you select a record from this list, or type one in the box which matches an existing one, that record's last search results are immediately loaded into the display from your cache.
When you click the "Go" button, whatever is in the domain name box is searched for. So, an existing record will be searched again, and the results data replaced (updated). A new record will be added to the cached list.
[Box]Display only:
This is a display-only indicator. If you're offline, it will appear red. Otherwise, it will be green. This is only an indicator, and with DSL, it may sometimes be red, although you are online. That's OK, but if you use dial-up, this is just handy. If you're not online, new searches will seem to take awhile, only to come back with no data (duh). Hence, the friendly indicator.
[Box]Display only:
This is a display-only box which shows the IP address of the current host displayed (to its left).
[<Button]Left arrow:
When the current record is not the first or only record, this arrow button will go to the previous record.
[Button>]Right arrow:
When the current record is not the last or only record, this arrow button will go to the next record.
[Up/Down number box]:
This lets you control the size of your cache (history). Depending on how many records you would like to store, you may set it for any number from 10 to 1000. I figured less than 10 was silly, and 1000 is a good max. The default setting is 100.
If a new search (record) is within 5 of your cache limit, the color of the cache setting will be yellow. If you reach your limit, it will turn red, and new searches will begin replacing the oldest, unless you increase your setting.
[Check box]:
Sorry, this option is disabled during the free trial!
When this box is checked, hitting the Go button will retrieve the source code for the specified URL. Unchecked, a standard whois search is performed.
Grabbing the source of a file on the net can be interesting. As you'll see in my fraud research below, it can also help you to see what a web page is actually doing besides the intended and assumed display of information. While even benign authors such as myself would probably prefer that no one "steal" their code, it's not possible to hide it. Even though the View/Source menu item can be disabled, and javascript can prevent you from doing a right-click to view the source of a web page, you can always do a File/Save as HTML (with Internet Explorer anyway). So, given the value, over the paranoia of honest folks (and certainly the malefactors), feel free to use this handy feature!
[Button]Go:
Clicking Go performs the specified search. If a name (domain, file, etc.) is entered, the program first finds the IP address for that host. If an IP address is entered, it will try to find the host name for that IP. An IP address is currently a four-part, dot-separated numeric string (such as 64.140.128.15).
If an IP or host cannot be found, "host not found" will appear for an entered IP, and "?.?.?.?" will return as an IP not found. If this occurs, it may be for any number of reasons. Valid reasons include a server simply being offline. Others may indicate a bogus or disappearing domain, such as those used for fraudulent means.
A "whois" search is performed as follows: three popular and dependable whois servers are queried. First, internic.net is asked. This server finds most records for most domains (.com, .net, etc.). If internic finds no record, then uwhois.com is queried. This server usually finds records not found at internic, such as .org, .edu, and many foreign top level domains. Finally, the IP address is queried at arin.net. Arin usually replies with information regarding the organization responsible for many IP addresses or ranges of IPs. Arin is not queried if there is no IP address. Sub-queries are automatically performed when another whois server is indicated in the returned record. For example, the record found at internic for roosl.com shows that Network Solutions' whois server has the details, so that server is also queried. Sub-queries may not return data if the whois server is not configured for the standard port 43.
You may search for variations of a domain name. For example, if you enter just "google", it will find that there is a google.net and a google.com. You may then search for these specific names. In the case of google, the .com and .net are the same guys. However, this is not always the case. My ISP is extremezone.com, but there is also an extremezone.net, which is an entirely different thing.
While a search is running, the returned data is displayed as it arrives, and "Searching" appears instead of the current time. You must wait for a search to complete, as the buttons are disabled. When done, the display will contain the complete results.
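To make the search chain above concrete, here is an added Python example (my own code, not part of WhoDat) that performs the same sequence: ARIN for an IP address, otherwise internic and then uwhois, following any referral a reply names as a sub-query. The host names whois.internic.net and whois.arin.net are real; "uwhois.com" is used as the guide names it, and the `send` parameter lets you substitute canned replies for offline use.

```python
import re
import socket

WHOIS_PORT = 43
# Referral ("sub-query") lines seen in registry replies; the host may carry a
# scheme and a non-standard port, which is why some sub-queries return nothing.
REFERRAL_RE = re.compile(
    r"^\s*(?:Registrar\s+)?(?:WHOIS Server|ReferralServer|refer):\s*"
    r"(?:r?whois://)?([A-Za-z0-9.-]+)(?::(\d+))?",
    re.IGNORECASE | re.MULTILINE,
)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def whois_query(server, query, port=WHOIS_PORT, timeout=10):
    """Raw RFC 3912 exchange: send one query line, read until the server closes."""
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(f"{query}\r\n".encode("ascii", "ignore"))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")


def referral(text):
    """(host, port) of the server a reply hands us off to, or None."""
    m = REFERRAL_RE.search(text)
    return (m.group(1).lower(), int(m.group(2) or WHOIS_PORT)) if m else None


def has_record(text):
    # Heuristic miss detection; registries phrase a miss in a few ways.
    low = text.lower()
    return bool(low.strip()) and "no match" not in low and "no entries found" not in low


def lookup(target, send=whois_query, max_hops=3):
    """ARIN for an IP, otherwise internic then uwhois, following referrals.
    Returns the (host, port) pairs actually asked and the last reply."""
    if IPV4_RE.match(target):
        servers = ["whois.arin.net"]
    else:
        servers = ["whois.internic.net", "uwhois.com"]  # names as given in the guide
    asked, reply = [], ""
    for server in servers:
        host, port = server, WHOIS_PORT
        for _ in range(max_hops):
            asked.append((host, port))
            reply = send(host, target, port)
            ref = referral(reply)
            if ref is None or ref in asked:
                break  # no hand-off, or a referral loop
            host, port = ref
        if has_record(reply):
            break  # stop at the first server chain that returns data
    return asked, reply
```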
[Button]First Page, Previous, Next, Last Page
When a search results in large amounts of data (greater than 10k), such as some source retrievals, buttons appear below the display so that you may move among the pages of data.
Results Record n of n:
This item shows what record, of how many currently in your cache, is currently displayed.
[Button]Delete:
Clicking Delete will delete the current record and results data from the cache. The next records (if any) will be moved up, so if you delete record 2 of 3, you'll have 2 records (no. 3 will become no. 2).
[Button]Save as:
This allows you to save the data currently in the display window to any text file. An existing file will be replaced, not appended.
Tutorial example - Tracking actual fraud.
As you may know from the news, there are many fraud spam e-mails going around that appear to be from banks and other financial services. They use the real website's logo and other images, as well as its standard copyright and privacy statements, etc. They invite you to click on a link to update or enter your account number and such, in language meant to imply urgency, and many people fall for it!
I receive many of these, and I forward them to the fraud reporting address at the real company, and to the FTC. I chose one of these e-mails recently, from "US Bank" (where I have never had an account, by the way) and did the following research. How I used (what became) this program, and the actual data and findings, are here for you as an example of two things:
One: Never fall for such fraud. It's actually easy to spot if you know what to look for (although most of the time, it's obvious). I won't even get into the poor grammar and spelling and other obvious stupidity these people show.
Two: A good example of real uses for a program such as this one.
First, I looked at the mail's header. You should have a means of doing this. With Outlook Express, it's easy.
[plug] Roosl's Mail Filter records all your mail headers for easy viewing, whether the mail is blocked or not. [end plug].
In the mail header...
Return-Path: <800USBank@usbank-email.com>
X-RAV-Header: Scanned
Received: from ACB3D341.ipt.aol.com ([172.179.211.65] verified) by email.accessus.net (CommuniGate Pro SMTP 4.1.8) with SMTP id 250784226 for roosl@roosl.com; Sun, 01 Aug 2004 20:50:12 -0500
Received: from 162.119.249.232 by 172.179.211.65; Mon, 02 Aug 2004 03:46:09 +0100
Message-ID: <PNHXLBWABXAHLMXBDGNLZQ@msn.com>
From: "U.S. Bank" <800USBank@usbank-email.com>
Reply-To: "U.S. Bank" <800USBank@usbank-email.com>
To: roosl@roosl.com
Subject: New U.S. Bank Security Standards
Date: Mon, 02 Aug 2004 03:49:09 +0100
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="--12131497111290587723"
X-IP: 144.192.106.124
X-Priority: 1
... note the mail originated from an IP address, 162.119.249.232 (although the "From" and "Return-Path" show "usbank-email.com"), and was received by my ISP's server from an AOL address. The Message-ID is from an MSN account. So, right away we know US Bank is not going to send mail to its customers from AOL or MSN, right? Now, who is 162.119.249.232?
I enter the IP address 162.119.249.232 into the search field and click Go. That address turns out to be one of a medical care system's servers. Again, obviously not from where US Bank would be sending notices. Perhaps this clown works at this unknowing company and spends his time at work perpetrating fraud for his cohorts?
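As an added illustration (my own code, not part of the program), this Python snippet reads the header block above the way the analysis does: it lists the Received hops oldest-first, pulls out the IP where the mail entered the chain, and compares the claimed From domain with the Message-ID and relay names. The header data is the guide's own; the "spoofed" rule is a simple heuristic I chose, not a standard.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# The header of the phishing mail quoted in the guide, one field per line
# (fields not needed for the analysis are left out).
SAMPLE_HEADERS = """\
Return-Path: <800USBank@usbank-email.com>
Received: from ACB3D341.ipt.aol.com ([172.179.211.65] verified) by email.accessus.net (CommuniGate Pro SMTP 4.1.8) with SMTP id 250784226 for roosl@roosl.com; Sun, 01 Aug 2004 20:50:12 -0500
Received: from 162.119.249.232 by 172.179.211.65; Mon, 02 Aug 2004 03:46:09 +0100
Message-ID: <PNHXLBWABXAHLMXBDGNLZQ@msn.com>
From: "U.S. Bank" <800USBank@usbank-email.com>
Subject: New U.S. Bank Security Standards
Date: Mon, 02 Aug 2004 03:49:09 +0100
"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<from>[^\s;(]+)\s*(?:\((?P<paren>[^)]*)\))?\s*by\s+(?P<by>[^\s;(]+)",
    re.IGNORECASE | re.DOTALL,
)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def received_hops(raw_headers):
    """Received lines oldest-first: who handed the mail to whom, with the sender's IP."""
    msg = message_from_string(raw_headers)
    hops = []
    for line in reversed(msg.get_all("Received") or []):
        m = RECEIVED_RE.search(line)
        if not m:
            continue
        ips = IPV4_RE.findall(m.group("from") + " " + (m.group("paren") or ""))
        hops.append({"from": m.group("from"), "ip": ips[0] if ips else None,
                     "by": m.group("by")})
    return hops


def origin_ip(raw_headers):
    """IP of the earliest relay, i.e. where the mail really entered the chain."""
    hops = received_hops(raw_headers)
    return hops[0]["ip"] if hops else None


def header_domains(raw_headers):
    """The domain the mail claims (From) next to the ones the transport shows."""
    msg = message_from_string(raw_headers)
    from_domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    msgid = re.search(r"@([\w.-]+)>", msg.get("Message-ID", ""))
    return {"from": from_domain,
            "message_id": msgid.group(1).lower() if msgid else None,
            "relays": [h["from"].lower() for h in received_hops(raw_headers)]}


def looks_spoofed(raw_headers):
    """Heuristic: neither the Message-ID nor any relay name belongs to the From domain."""
    d = header_domains(raw_headers)
    own = lambda host: host == d["from"] or host.endswith("." + d["from"])
    return not own(d["message_id"] or "") and not any(own(r) for r in d["relays"])
```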
In the HTML body of the mail, we see that the link to "..login to your account so that we can check your computer system for new standards compatibility.." actually directs our browser to the URL http://218.55.62.2/us2/index.php (you also need a way to view the underlying HTML of the mail message; passing your mouse over the link looks OK, because the message contains javascript that fools you by displaying US Bank's URL in the status bar).
I enter the IP address 218.55.62.2 from the bogus URL link into the search field and click Go. That address is in Seoul, Korea. Oops, certainly not US Bank. Let's see what happens if you click on that link in the e-mail, shall we?
Note that it helps if you know some HTML and a little about javascript here. I won't get into all that detail, but here are my findings...
I enter the URL http://218.55.62.2/us2/index.php link into the search field, check the Get Source box, and click Go.
The retrieved HTML code from that site only contains one small javascript. What it does is call the account login javascript at the real US Bank website, but the script actually runs (in your browser) from the site in Korea.
That website, in turn, has its own versions of the javascripts, with the same names and under the same relative paths as those under US Bank's root (such as https://www.usbank.com/).
So, where US Bank's javascript "/js/sub_global/acct_login.js" calls "/cgi_w/cfm/personal/account_access.cfm", what actually runs is:
http://218.55.62.2/cgi_w/cfm/personal/account_access.cfm...
Because it calls "/cgi_w/cfm/personal/account_access.cfm", which is right under http://218.55.62.2/!
Voila, if you are a US Bank customer, and clicked on that link, then entered your user ID and password, these clowns got your user ID and password, to say the least.
By doing Get Source for several of the .js files at US Bank and at the phishing site, I was able to see the similarities (and differences), and follow the sequence of javascript. It's probably not a good idea for me to show you all the code here, so I haven't. I will add this comment however:
This security hole at US Bank's website can be fixed by replacing the relative paths in their javascript calls with fully qualified paths. Then, these kinds of hijacks couldn't work. As of the time of this writing, the security holes are still there. I wonder if anyone who cares actually reads the mail one sends to their "fraud help" address.
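An added Python example (my own code, not from the guide and not US Bank's scripts; the script fragment is constructed) showing why the relative path is the problem and how the fully qualified fix closes it: each quoted reference is resolved against the page that loaded the script, as a browser would, and flagged when it lands on a host other than the bank's.

```python
import re
from urllib.parse import urljoin, urlsplit

# Constructed stand-in for a login script: one root-relative call, as in the
# hijacked script the guide describes, and one fully qualified call.
SAMPLE_SCRIPT = """
var loginAction = "/cgi_w/cfm/personal/account_access.cfm";
var helpPage = "https://www.usbank.com/help/index.html";
"""

# Quoted strings that look like a URL or a root-relative path.
REF_RE = re.compile(r'["\']((?:https?://|/)[^"\']+)["\']')


def resolve_refs(page_url, script_source):
    """Resolve each quoted reference the way a browser does: against the page
    that loaded the script, not against the site the author had in mind."""
    return [(ref, urljoin(page_url, ref)) for ref in REF_RE.findall(script_source)]


def foreign_refs(page_url, script_source, trusted_host):
    """References that leave trusted_host once the script runs from page_url."""
    return [(ref, full) for ref, full in resolve_refs(page_url, script_source)
            if urlsplit(full).hostname != trusted_host]


def make_absolute(script_source, trusted_origin):
    """The fix proposed above: pin every root-relative path to the site's own
    origin, so a copy of the script served elsewhere still calls the real site."""
    return re.sub(r'(["\'])(/[^"\']*)\1',
                  lambda m: m.group(1) + trusted_origin + m.group(2) + m.group(1),
                  script_source)
```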
This was a lot of fun, and it shows us one way phishing and browser hijacking is done.
Not all of these can be tracked exactly the same way. I'll also note that not many days after I received this one, the same searches resulted in "host not found" etc. These thieves take these bogus sites down as fast as they bring them online. Then they try again with another round of scams.
Be careful out there.
Other Buttons:
[Button]Help: Displays this document in a browser window.
[Button]Exit: Closes the program, and saves all current settings (check boxes, etc.)
[Button]Logo: Displays the "About" box.
I hope you like this software, and come back often to the website. Please tell your friends!
Thanks, and Enjoy!
Support from the Author
If errors or problems occur, please let me know. A box should appear in the event of internal program errors which has a button to connect you with my website. I want to know of any problems you have, as well as suggestions! Several features have been added since the initial release based on feedback from folks like you! You may also e-mail me with the link (animated mailbox) at the end of this guide.
Copyright © 2008 Roosl's Graphic Design - All Rights Reserved


Software, Graphics and Website Design by Roosl's Graphic Design