      11-05-2009, 02:09 AM   #1
dark335i
FOUND- Person Sending Death Threats by PM

Post from MBWorld (By Karo- http://www.mbworld.org/forums/members/104968-karo.html ):
Quote:
Bottom line is I got an IP address.
Traced it and I got Irvine. Something wasn't right. I tracked some more; in the packet I was getting a different probe. I scanned the probe; I got somewhere in Beverly Hills. This still didn't seem right. Finally I got the packet and the packet was trying to be spoofed.

This idiot probably watched a how-to video of hiding your IP. No such thing, unless you hop from proxy to proxy, but proxy to proxy to proxy = 28K (worse than 56K dial up).

Anyway somewhere around the line the idiot messed up spoofing the IP.

Bottom line is I tracked the original since the guy was a failure. (By the way thanks to someone here who gave it to me)

1st IP I tracked through a specially crafted packet, I got:
Name: ppp-69-233-95-213.dsl.irvnca.pacbell.net
IP Address: 69.233.95.213
Location: Irvine (33.689N, 117.800W)


On the m5Board a member/mod posted the IP (was different from what I got). Same scenario as first IP (created a packet...) I got.
Name: ppp-69-233-136-20.dsl.irvnca.pacbell.net
IP Address: 69.233.136.20
Location: Irvine (33.689N, 117.800W)


So I'm thinking to myself what a failure. All this time this dumbass is thinking he is spoofing his IP (faking IP) but he really is not. (By the way not really a real way of doing this unless you hack a wireless network) You will always be tracked down.

Now here is what happens. Since he has DSL which is mostly Dynamic IP (does change) other than a business DSL which is static (doesn't change) I thought I was stuck. Until I remembered that for security purposes your ISP doesn't assign the IP to a different user that early. So this is when I sent those packets and this is how I got a return back of who was connected.

So I inputted the latitude and longitude in Google Maps.

I found 2 Mercedes pics within that block.

The latt and long says the address is:
15 Sparrowhawk
Irvine, CA 92604

Mercedes 1 (http://maps.google.com/maps?f=q&sour...04.61,,0,24.11)
Mercedes 2 (http://maps.google.com/maps?f=q&sour...223.75,,0,24.8)


So my conclusion is the idiot lives somewhere around here. He probably visited MBWorld before (due to the Mercedes I saw).

I am pretty certain the guy lives somewhere here. One way to find out is if anyone lives in that area to go scope it out. We would be looking for a Goofy looking weird kid.

Or the 100% sure proof plan would be to report it to SBS/AT&T with the IP and the specific Date/Time.

I am not a lawyer so I don't know the legal actions MBWorld can take but there you go. You have info on the Idiot.

"Hey dude check out my new IP spoofer I'm gonna go terrorise the forums and not get caught"

"Ohh sheyt man they found my IP"

Link to MBWorld: http://www.mbworld.org/forums/off-to...s-over-pm.html
Seems like MBWorld and M5Board are working together on this. Maybe Bimmerpost can help, also?! Hopefully someone shows up at the guy's door to say hi.
      11-05-2009, 02:19 AM   #2
radix
This guy makes no sense. What he posted isn't evidence of shit. For all he knows that particular IP (either of them) could very well have been the last hop for a packet routed through the Tor network, i.e. one or both of those IPs was a Tor router node. Furthermore, he didn't even "find" the culprit.
      11-05-2009, 02:22 AM   #3
dark335i
Quote:
Originally Posted by radix View Post
This guy makes no sense. What he posted isn't evidence of shit. For all he knows that particular IP (either of them) could very well have been the last hop for a packet routed through the Tor network, i.e. one or both of those IPs was a Tor router node. Furthermore, he didn't even "find" the culprit.
Me? Did you read through the thread on MBWorld?

This is what the guy did to find the IP, you can say if you think his method is correct or not:

Posted by Karo (http://www.mbworld.org/forums/member...68-karo.html):
Quote:
Easiest way to find out where the IP address is from (general).

go to Command Prompt and type "tracert {ip address}"

Command prompt is the black screen in windows (Start>Run>Type "CMD")

tracert = Trace Route
      11-05-2009, 02:24 AM   #4
persian54
I am too lazy to read all those posts lol
__________________


Drop Top FTW :P

Helix FMIC/BMW DCI/RR DP/JB3/RR OCC. These may or may not be my mods
      11-05-2009, 02:24 AM   #5
radix
Quote:
Originally Posted by dark335i View Post
Me? Did you read through the thread on MBWorld?
No, not you. Reading the thread now. Another thing I find funny is that the guy assumes that the person making the threats actually has a Mercedes.
      11-05-2009, 02:25 AM   #6
Blake
lol owned
__________________
2008 Jerez Black E92 M3
      11-05-2009, 02:27 AM   #7
dark335i
Quote:
Originally Posted by radix View Post
No, not you. Reading the thread now. Another thing I find funny is that the guy assumes that the person making the threats actually has a Mercedes.
I updated my second post.
      11-05-2009, 02:32 AM   #8
radix
Quote:
Originally Posted by dark335i View Post
Me? Did you read through the thread on MBWorld?

This is what the guy did to find the IP, you can say if you think his method is correct or not:

Posted by Karo (http://www.mbworld.org/forums/member...68-karo.html):
No, that is not correct. That method only traces the route from your machine to an IP address. For all you know that IP address could have been a member of the Tor network at the time, and possibly could have been the last hop in the network. I'm also curious how he got the culprit's IP address out of a PM in the first place since he is not a mod AFAICT.
      11-05-2009, 02:35 AM   #9
dark335i
Quote:
Originally Posted by radix View Post
No, that is not correct. That method only traces the route from your machine to an IP address. For all you know that IP address could have been a member of the Tor network at the time, and possibly could have been the last hop in the network. I'm also curious how he got the culprit's IP address out of a PM in the first place since he is not a mod AFAICT.
It says in the OP:
Quote:
All of them originated from the same IP: 69.233.95.213
      11-05-2009, 02:35 AM   #10
radix
Quote:
Originally Posted by dark335i View Post
Pretty sure he got it from the mod. They were working together on this.
Yeah, just reread the first post. My bad.
      11-05-2009, 02:36 AM   #11
dark335i
Quote:
Originally Posted by radix View Post
Yeah, just reread the first post. My bad.
      11-05-2009, 02:39 AM   #12
jpsum
no proof. Fail.
      11-05-2009, 02:43 AM   #13
radix
Quote:
Originally Posted by dark335i View Post
It says in the OP:
It still doesn't mean that machine was not an anonymous proxy, or part of the Tor network at the time, or part of a bot network for that matter.
      11-05-2009, 02:43 AM   #14
dark335i
Quote:
Originally Posted by jpsum View Post
no proof. Fail.
What do you mean? Are you saying because they didn't get the actual person...yet!
      11-05-2009, 02:45 AM   #15
doba_s
I got a PM like that too ... and PG got one as well

WTF is the purpose of doing that ?
__________________

info@alekshop.com www.alekshop.com
      11-05-2009, 02:46 AM   #16
shahsk30
Quote:
Originally Posted by doba_s View Post
I got a PM like that too ... and PG got one as well

WTF is the purpose of doing that ?
people have no lives
      11-05-2009, 02:49 AM   #17
radix
Quote:
Originally Posted by dark335i View Post
What do you mean? Are you saying because they didn't get the actual person...yet!
I think what he means is that plugging an IP a mod gives you into geobytes, and running traceroute on the same IP doesn't prove anything. His use of google maps to find houses with MBs is also just more guessing. Considering that the author of those PMs has been frequenting several automotive forums, it's unlikely that he actually has an MB. What I see so far is just conjecture and speculation.

BTW, I'm checking the Tor network right now to see if that IP is presently routing. If it isn't, it still doesn't mean it wasn't, or that it wasn't part of a different anonymizing network.
      11-05-2009, 02:54 AM   #18
Phiberglass
And also, the 'death threats' are sent blindly as spam, who the fuck cares.
      11-05-2009, 03:01 AM   #19
Kroy
Wonder where this will lead...
      11-05-2009, 03:05 AM   #20
dark335i
Quote:
Originally Posted by shahsk30 View Post
people have no lives
      11-05-2009, 03:13 AM   #21
AllydNYC
OMG I always wanted to say this:

"And the plot thickens"

And use this:.
__________________

- For good!
      11-05-2009, 03:19 AM   #22
radix
OK, after reading most of the thread, I see he is using lots of different accounts and IP addresses as per this post:

http://www.mbworld.org/forums/3750344-post74.html

Note the three IP addresses in red.

Quote:
gk88850
psp9850
gik89850
gg4360
69.225.138.39 : adsl-69-225-138-39.dsl.irvnca.pacbell.net

lm88850
204.27.59.66 : Could Not Resolve Hostname ( http://surfbug.info/ proxy)

lx88500
sls200900
sls20090
q234wklawekjfds
ny3550
lk12050
lk10050
klv8850050
kj575
jpicardfan1976
jlgfan888500
jkk4256030
fnjsddfhwafawe4
69.233.95.213 : ppp-69-233-95-213.dsl.irvnca.pacbell.net
Two obviously are from Irvine:

Code:
osx ~ % nslookup 69.225.138.39 
Server:		10.0.0.1
Address:	10.0.0.1#53

Non-authoritative answer:
39.138.225.69.in-addr.arpa	name = adsl-69-225-138-39.dsl.irvnca.pacbell.net.

Authoritative answers can be found from:

osx ~ % nslookup 204.27.59.66 
Server:		10.0.0.1
Address:	10.0.0.1#53

** server can't find 66.59.27.204.in-addr.arpa.: NXDOMAIN

osx ~ % nslookup 69.233.95.213
Server:		10.0.0.1
Address:	10.0.0.1#53

Non-authoritative answer:
213.95.233.69.in-addr.arpa	name = ppp-69-233-95-213.dsl.irvnca.pacbell.net.

Authoritative answers can be found from:
The last one is not:

Code:
osx ~ % whois 204.27.59.66  
Joe's Datacenter, LLC JOESDC-02 (NET-204-27-56-0-1)
                                  204.27.56.0 - 204.27.63.255
Chee Mang Chan JDC-CUS-1412 (NET-204-27-59-64-1)
                                  204.27.59.64 - 204.27.59.71

# ARIN WHOIS database, last updated 2009-11-04 20:00
# Enter ? for additional hints on searching ARIN's WHOIS database.
This IP is located in Melbourne, Australia according to geobytes, but as you can see from the whois output, it more than likely belongs to Joe's Datacenter. Joe's Datacenter is located in Kansas City:

http://www.joesdatacenter.com/

If I check the Tor network right now, I see several nodes operating in Kansas City, one of them with IP address 204.27.58.226.

If I do a whois on that IP address, guess who it belongs to?

Code:
osx ~ % whois 204.27.58.226
Joe's Datacenter, LLC JOESDC-02 (NET-204-27-56-0-1)
                                  204.27.56.0 - 204.27.63.255
Make $ Media JDC-CUS-1474 (NET-204-27-58-224-1)
                                  204.27.58.224 - 204.27.58.239

# ARIN WHOIS database, last updated 2009-11-04 20:00
# Enter ? for additional hints on searching ARIN's WHOIS database.
Joe's Datacenter. What does this mean? Well it could just be coincidence, but in this case, I suspect it's not. The reason I suspect it's not is that it's unlikely that the author of those PMs is in two separate places at once. If it's not, it means whoever sent those messages was almost certainly using Tor when he sent them. Good luck tracing him. The folks at MBWorld are likely WAY off base.
radix is offline   No_Country
Reply With Quote
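The checks argued for in post #22 (was the address a Tor exit at the time of the message, does it sit in a hosting range, or is it an ISP dial-up/DSL pool), written out as an added example that is not part of the thread. All data is constructed with documentation-range addresses in the TorDNSEL exit-list layout; `assess`, `HOSTING_NETS` and `POOL_PTR` are hypothetical names.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample in the TorDNSEL exit-list layout (documentation-range IPs).
EXIT_LIST = """\
ExitNode 0000000000000000000000000000000000000001
Published 2009-11-04 18:00:00
LastStatus 2009-11-04 19:00:00
ExitAddress 203.0.113.66 2009-11-04 19:12:40
ExitNode 0000000000000000000000000000000000000002
Published 2009-10-01 08:00:00
LastStatus 2009-10-01 09:00:00
ExitAddress 198.51.100.20 2009-10-01 09:03:10
"""
# Constructed allocation data: ranges registered to hosting providers.
HOSTING_NETS = [ipaddress.ip_network("203.0.113.0/24")]
# PTR names that look like a consumer DSL/PPP address pool.
POOL_PTR = re.compile(r"^(adsl|ppp|dsl|dyn|pool)[-.\d]", re.I)
FMT = "%Y-%m-%d %H:%M:%S"

def parse_exit_list(text):
    """Return {ip: [datetime, ...]} of times each address was seen exiting."""
    seen = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] == "ExitAddress":
            when = datetime.strptime(parts[2] + " " + parts[3], FMT)
            seen.setdefault(parts[1], []).append(when)
    return seen

def assess(ip, event_time, ptr=None, exits=None, window_hours=24):
    """Label what a logged source IP can support for an event at event_time."""
    exits = parse_exit_list(EXIT_LIST) if exits is None else exits
    event = datetime.strptime(event_time, FMT)
    window = timedelta(hours=window_hours)
    # Compare against the time of the event, not the time of the lookup.
    if any(abs(event - t) <= window for t in exits.get(ip, [])):
        return "tor-exit-at-event-time: address says nothing about the sender"
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in HOSTING_NETS):
        return "hosting-range: likely proxy or server, trust whois over geo-IP"
    if ptr and POOL_PTR.match(ptr):
        return "isp-dynamic-pool: subscriber known only to the ISP for that time"
    return "unclassified: no attribution possible from the address alone"
```

For live addresses, the Tor Project's ExoneraTor service answers the same "was this an exit on that date" question from archived relay data.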