View Full Version : How to determine someone's IP address?

02-02-2011, 04:58 PM
1) Script Title: .htaccess Banning

2) Script URL (on DD): http://tools.dynamicdrive.com/userban/

3) Describe problem: There is a particular person I wish to ban from my website. How do I find out what their IP address is in order to ban it? Thanks.

02-02-2011, 05:25 PM
There are a number of ways you can get this information. One is simply using $_SERVER['REMOTE_ADDR'] with PHP and inserting there IP into the database. Just redirect the person to a page with something like:

file_put_contents('banned.txt', $_SERVER['REMOTE_ADDR']);

02-02-2011, 05:31 PM
Hi Nile, nice to see you are still here. :) Thanks for how to store the IP's, but how do I tell it is them in the first place? I might be able to tell by frequency of visits, but is there any way to know for sure who is at a particular IP address?

02-02-2011, 05:34 PM
:/ Not really - is the site you're talking about a register-type site(where you have to register and become a user)?

02-02-2011, 05:36 PM
I might do that eventually, but right now the site is open to anyone who goes there.

02-02-2011, 05:54 PM
You will need to make that person access your page in a way that you can identify it as that person. Your server logs might help with this (if you can access them).
If you can somehow make them load that page, it's easy. But otherwise, it will be difficult.

By "particular person", how do you identify them? If they have a user account, it often includes a stored IP address. If not, you could add one to the account in the database (a field, updated each time they load a page) in order to identify them. Once you have the IP, just ban using .htaccess.

If you don't have user accounts, then you could create pseudo user accounts by creating "users" based on IP address. The username will be the IP and each time they load a page you can update the table, including information like how many pages they've loaded. If this info could help you identify the problematic IP then that will work.

You could also eliminate those accounts you trust by telling them a password, if this is for a close group of friends. If it's meant to be public that won't work. Then find those that don't enter the password and eliminate them.

However, banning without accounts is a messy process and probably not reliable. Banning by IP is especially bad because you might be blocking a library or other shared IP, and the user can just access your account some other way-- and IPs rotate every once in a while.

But most importantly, how do you know you want to ban this individual? There is likely some trace available to you that can point to the IP.

Finally, you can attempt to understand what the IP means by looking up a "who-is" query (just google that) and you will find their approximate location and service provider. A service like MaxMind GeoIP will give you a more specific guess about exact location. Of course that won't prove anything, but if you have many visitors from the US and one visitor from Australia (just a random example), that might be enough to give you a hint that that user is the spammer (or whatever the problem is), since they don't match the other demographics. But be careful with that of course.

02-02-2011, 07:13 PM
I do know this person's website and where their hosting account is but not their ISP. Even if I knew the ISP, they are always set for DHCP by default. Would that help?

Most visitors would arrive at the home page so would I put Nile's code on the home page but load the variable into a database with the date or something?

file_put_contents('banned.txt', $_SERVER['REMOTE_ADDR']);

02-02-2011, 07:40 PM
The IP address is only visible to you when they view a page on your server. It's not something you can determine in other ways (like from their site). Again, you need to determine how you know (some behavior), then use that to find the IP.

Nile's code will not help to differentiate users. You can use $_SERVER['REMOTE_ADDR'] and store that in a database, correlated to page views, but you're going to need to make the connection in some way that can be translated into numbers your server can see.

Why do you want to ban them? Are they taking too many resources? That's something you can track.

02-02-2011, 08:09 PM
I spent several years creating the content for my site and the last time I had the site up, this person stole all my content and put up her version of my site. She would daily watch my site and as soon as I added something, she would put it on her site. I just don't want to even think about this creepy person.

02-02-2011, 08:59 PM
That's unfortunately very difficult to track. Most likely they took content by cutting and pasting and while it might be (theoretically) possible to have some Javascript on the page to catch this, it would be difficult and they might be stealing the content another way (such as just viewing the pages and choosing "save as..."). Since there is no specific event and their traffic will appear identical to other visitors, I'm not sure if there's a way you can find the IP address.

However, there is another way to approach the situation. What they are doing is illegal and you can report the copyright infringement to their host. In fact, you might be able to identify them personally by looking at the registration information for the domain name, or if they have a shared address (like at the hosting company) you can ask the host. That won't stop them from trying this again in the future, but if you make their job stealing your content more difficult, it might be enough to stop them from doing it.

You could block hotlinking to your pages if they are using images or other files directly from your site. That's probably a minor issue though.

In this case, even making user accounts (and making login required) would not solve the problem because you wouldn't know which user is responsible. If your site gets a very small number of visitors you might be able to deduce who is not a legitimate visitor by verifying the others, but that's a lot of work for you.

The only way I can think of to figure out this IP would be to actually temporarily compromise your site and create some sort of trap. For example, somehow include a reference to the IP address in the page's content. Of course you'd want to make it subtle and hope they don't manually remove that while stealing your content. Once the content is stolen, find it, identify the IP and go from there.
Actually, the one way that would likely work would be to rotate the content often. Keep logs on a rotating basis. Then when the stolen content appears, keep that log because you know that among those logged IPs is the thief. Then repeat this until you have a few lists of IPs that visited your site during the time the content was stolen. Cross reference these lists until you have only a few overlapping IPs-- eventually you'll find it.

But unfortunately none of that is easy or even guaranteed to work. I'd really suggest contacting the host for the website. Usually they will remove something like that.

02-02-2011, 11:34 PM
Thanks, Daniel. Yeah, she just downloaded the whole site using 'Save As' with all the images and everything. At first she had "Figures courtesy of My Name" but I did not want my name on her site so she removed my name but not the content. I just hate having to waste more time on someone of so little integrity.

I recently received email from her. Would her IP address be in the headers anywhere?

02-03-2011, 12:11 AM
It might be if it was sent from her computer (using a desktop program like Outlook or apple's Mail), but if it was sent through a web service like gmail or hotmail, then it won't be. I'm not sure if the IP is even included in the headers, but you can certainly take a look. IPs are obvious-- 4 numbers 1-3 digits each, separated by periods. If you see an IP it's probably their IP, since a server (like gmail's or hotmail's) will be a domain name instead. Of course blocking that may not completely stop everything, but it would be a start. You might want to do a lookup on the IP if you find one to make sure you're not accidentally blocking gmail or hotmail, etc. (If it resolves to an ISP rather than a big company name, it's probably a personal IP).

02-04-2011, 02:20 AM
I found this in the headers...

from user-118btj1.cable.mindspring.com ([] helo=[]) by gemini.hmdnsgroup.com with esmtpa (Exim 4.69)

Right after the above it gives her domain name. I looked up mindsping and it seems to be a dialup internet provider. The email is coming from her domain name email, but the IP of her website doesn't really help me with the IP of her router. Even if I got her IP, how do I do a lookup on the IP? They do it on Law & Order all the time but maybe that is just TV. Thanks for your help. :)

02-04-2011, 02:47 AM
That's a good start. One problem is this: dialup IPs rotate. They often stay within a fairly limited range, but they rotate through those IPs for all of their clients (or at least for some within a group). I don't know the details, but basically blocking that IP probably won't do anything. Blocking that range, 66.* or 66.133.* or 66.133.246.* might help broaden the effectiveness though.

The 192 address is part of a set of reserved local addresses, so that's from an internal network and not something that will (or even could) be a visitor to your site.

To look up an IP you can just google "IP lookup", "IP whois" or "IP tracker" or some variation. There are lots of free sites and they work, though they have ads and limit the number of requests per day and/or block automated requests.

Looking up that IP shows the ISP is earthlink and the location is Honolulu, Hawaii. (That's an approximation, so anywhere within the state or service range of that station is possible.) Your location is listed as Hawaii, so maybe this is your IP from the headers? If not, it appears that you're likely nearby.... small world, I guess...

Since this might be too complicated, I still think your best option will be to contact the host for this person's website and inform them of the copyright abuse. They will take that seriously and shut down the account. (If they don't, you could even pursue legal action.) To find the host, you can browse the site for any clues and if not you can do a "whois" search for the domain name and it'll pull up the host's servers in the list.

02-07-2011, 07:30 PM
I know exactly where this person lives... at the end of my street. Does that help? All the ISPs route through Honolulu which is on Oahu. Maui is a different island about 35 minutes away by air.

02-07-2011, 07:42 PM
That's a very strange situation then. That in fact looks like the IP so you should be able to block it. That's one problem solved.
But since this seems like a bigger issue than just blocking an IP, I'd recommend still trying to contact their host to take down any copies of your website, and potentially even getting the police or other authorities involved: living in proximity to someone changes the situation significantly from a (more or less) anonymous relationship on the internet.

You have every right to protect your content, though it will be very difficult to do it by only technical means, like blocking IPs.

One other complication is that if you do happen to be using the same ISP, your IPs might often overlap and you might block yourself as much as you block them. You might otherwise try to block Hawaiian IPs (using geo-location technology) but obviously you'll be getting many Hawaiian visitors (including yourself) so that isn't going to work. Finally, since you know the actual location of this person, you can use that to eliminate non-matching IPs: if an IP is not from Hawaii, then it is not this person. That may significantly shorten your list of visitors so you could figure out which IPs are being used to steal content and block those, using the methods described earlier. But again, it might be very hard to separate yours from that list.

02-10-2011, 06:45 PM
I went to whoisxy.com but don't see how to do it. I can get the IP address for my site and it is very different from the IP address of my router, so I am sure her site's IP address is very different from her router IP address. Please be more explicit about what you are suggesting I do. Thanks.

02-11-2011, 12:29 AM
You are correct that there are two different IP addresses. (In fact, they probably exist in groups, but for simplicity I will assume they don't rotate or change at all.)

She has a personal IP address, and this is likely where that email was sent from. This is also the one that is hard to find. My guess, and this is only a guess, is that she steals your information using her personal computer, at home, from this IP. Of course in reality it might be more complex, and maybe she does it from her cell phone or at work, but regardless it's likely a personal IP. Block this from your site, and she will no longer be able to access it to steal anything. Of course that doesn't eliminate alternative computers/internet connections she may have available.
(Note: I'm simplifying this a bit: an ISP provides a single IP to a customer, and a router splits this between computers. To the outside world, the entire network is a single IP, so don't worry about anything beyond her modem-- the initial connection to the outside world, whether or not there's a router or a single computer within the network of that modem.)

Her server has an IP as well. This IP is easy to find: look up the domain name using a whois service, or ping it, etc., and you'll find it (it depends on the service and exactly how you locate it, but it's possible). It also is less likely to change often compared to a personal IP. If you block this IP then you will block any automated requests such as a PHP script that automatically steals content from your site. I'm guessing this is not the case, but it is very easy to block. It won't solve anything about existing content or indirect methods via a personal IP.
(In fact, you could actually serve different content to this IP if it really is stealing through an automated process, such as the repeated phrase "Copyright infringement attempted. Please visit mysite.com for the original content.")

Honestly, I'm not sure what you should do. I'd suggest a non-technical response such as reporting her to her host and/or the police, but beyond that blocking both her personal IP and site's IP is not a bad idea.