[ubuntu] 8.10 intrepid - how do you get someone's IP address from your messenger?


KEE
August 11th, 2009, 04:29 AM
There are people who hacked my friends' accounts, and he (using my friends' messengers) sends me links to http://jenny_ding32.My-Snappy-Pictures.com/?image=DSC07819.JPG and stuff like that. I'd like to have his IP. And how would I block it?

aesis05401
August 11th, 2009, 04:31 AM
I don't have the answer to your question, but you may want to remove that link from your post. That website has some security issues.

KEE
August 11th, 2009, 04:46 AM
> I don't have the answer to your question, but you may want to remove that link from your post. That website has some security issues.

It's reported, and it's affecting some people on my messenger list (family, friends and people I know); it should be a warning to others. But I do need to block any more attempts from this guy/girl(s). So far it's 8 people on my friends list that had their account hacked. Looks like I need to block that IP.

KEE
August 11th, 2009, 05:01 AM
Please help.

KEE
August 11th, 2009, 05:07 AM
Tried netstat tupl|grep tcp
but it's not working for those links he has =/ I don't know who's legit on my Pidgin anymore. NEED HELP

cdenley
August 11th, 2009, 08:51 AM
I'm not sure what messaging protocol the undesirable messages are coming from, and I'm not very familiar with the different messaging protocols, but I believe most do not involve direct communication between two users, but the traffic would be sent/received from/to a server, so you would not be able to determine the hacker's IP address or distinguish between the real users or someone using a stolen password.

ZaHACKieL
August 11th, 2009, 12:43 PM
> I'd like to have his IP. And how would I block it?

The only way I know of where two MSN clients are directly connected is when you transfer a file, so to get an IP, send a file to the victim and check your connections while it is transferring.

ZL

wojox
August 11th, 2009, 12:58 PM
Look for the IP or Hostname with port 4443

KEE
August 11th, 2009, 01:02 PM
Man, which one is it? It's from MSN Hotmail.
netstat tupl|grep tcp
tcp 0 0 localhost:16001 localhost:44420 SYN_RECV
tcp 0 0 localhost:16001 localhost:44417 SYN_RECV
tcp 0 0 localhost:16001 localhost:44419 SYN_RECV
tcp 0 0 localhost:16001 localhost:44418 SYN_RECV
tcp 0 0 S0106000d60230d13:43497 px-in-f138.google.c:www ESTABLISHED
tcp 0 0 S0106000d60230d13:43721 buddychat-d01b.blue:aol ESTABLISHED
tcp 21 0 localhost:16001 localhost:34875 CLOSE_WAIT
tcp 0 0 S0106000d60230d13:49987 oam-d08b.blue.aol.c:aol ESTABLISHED
tcp 0 0 S0106000d60230d13:52158 cs2.msg.cnb.yahoo.:mmcc ESTABLISHED
tcp 0 21 localhost:44418 localhost:16001 FIN_WAIT1
tcp 21 0 localhost:16001 localhost:34876 CLOSE_WAIT
tcp 0 21 localhost:33841 localhost:16001 FIN_WAIT1
tcp 0 21 localhost:44417 localhost:16001 FIN_WAIT1
tcp 0 0 S0106000d60230d13:58703 bos-m002c-sdr3.blue:aol ESTABLISHED
tcp 21 0 localhost:16001 localhost:34874 CLOSE_WAIT
tcp 297 0 kirk-desktop:4713 kirk-desktop:54017 CLOSE_WAIT
tcp 0 0 S0106000d60230d13:40833 74.125.155.:xmpp-client ESTABLISHED
tcp 297 0 kirk-desktop:4713 kirk-desktop:54067 CLOSE_WAIT
tcp 0 0 S0106000d60230d13:46337 by2msg1104010.gate:msnp ESTABLISHED
tcp 0 21 localhost:44420 localhost:16001 FIN_WAIT1
tcp 0 0 S0106000d60230d13:43723 buddychat-d01b.blue:aol ESTABLISHED
tcp 0 21 localhost:44419 localhost:16001 FIN_WAIT1
tcp 297 0 kirk-desktop:4713 kirk-desktop:55679 CLOSE_WAIT
tcp 0 0 S0106000d60230d13:37306 205.188.5.213:aol ESTABLISHED
tcp 297 0 kirk-desktop:4713 kirk-desktop:55680 CLOSE_WAIT
tcp 21 0 localhost:16001 localhost:34879 CLOSE_WAIT
tcp 297 0 kirk-desktop:4713 kirk-desktop:54018 CLOSE_WAIT
tcp 21 0 localhost:16001 localhost:34877 CLOSE_WAIT
tcp 297 0 kirk-desktop:4713 kirk-desktop:55074 CLOSE_WAIT
tcp 0 21 localhost:33842 localhost:16001 FIN_WAIT1
tcp 0 21 localhost:33838 localhost:16001 FIN_WAIT1
tcp 133 0 localhost:16001 localhost:55263 CLOSE_WAIT
tcp 21 0 localhost:16001 localhost:34878 CLOSE_WAIT
tcp 0 560 S0106000d60230d13:51319 by2msg4020605.phx.:msnp ESTABLISHED
tcp 0 0 S0106000d60230d13:57286 by2msg3020415.phx.:msnp ESTABLISHED
tcp 0 0 S0106000d60230d13:52022 204.16.33.188:msnp ESTABLISHED

KEE
August 11th, 2009, 01:08 PM
Man, that command doesn't work =( The file was 5 MiB with MSN transferring, and still nothing....

KEE
August 11th, 2009, 01:17 PM
> Look for the IP or Hostname with port 4443

I'm guessing netstat tupl|grep tcp
doesn't work.

cdenley
August 11th, 2009, 01:24 PM
I think this is probably the command you want.
netstat -tupn

Or even better yet, capture ALL the traffic with wireshark or tcpdump, then filter it or search through it later to determine which packets are going to/from the user with a stolen password. However, even if you determine their IP, you won't be able to filter connections from that user.

KEE
August 11th, 2009, 01:36 PM
> I think this is probably the command you want.
> netstat -tupn
>
> Or even better yet, capture ALL the traffic with wireshark or tcpdump, then filter it or search through it later to determine which packets are going to/from the user with a stolen password. However, even if you determine their IP, you won't be able to filter connections from that user.

Man, I don't know. :confused: Seems Ubuntu is bugged =/

netstat -tupn
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:16001 127.0.0.1:55123 SYN_RECV -
tcp 0 0 127.0.0.1:16001 127.0.0.1:55126 SYN_RECV -
tcp 0 0 127.0.0.1:16001 127.0.0.1:55125 SYN_RECV -
tcp 0 0 127.0.0.1:16001 127.0.0.1:55127 SYN_RECV -
tcp 0 0 127.0.0.1:16001 127.0.0.1:55124 SYN_RECV -
tcp 0 21 127.0.0.1:55126 127.0.0.1:16001 FIN_WAIT1 -
tcp 0 0 ****************** 205.188.211.184:5190 ESTABLISHED 22153/pidgin
tcp 21 0 127.0.0.1:16001 127.0.0.1:34875 CLOSE_WAIT -
tcp 0 0 ****************** 205.188.248.151:5190 ESTABLISHED 22153/pidgin
tcp 0 0 ****************** 202.43.216.74:5050 ESTABLISHED 22153/pidgin
tcp 0 21 127.0.0.1:55127 127.0.0.1:16001 FIN_WAIT1 -
tcp 21 0 127.0.0.1:16001 127.0.0.1:34876 CLOSE_WAIT -
tcp 0 0 ****************** 64.12.25.70:5190 ESTABLISHED 22153/pidgin
tcp 21 0 127.0.0.1:16001 127.0.0.1:34874 CLOSE_WAIT -
tcp 297 0 127.0.1.1:4713 127.0.1.1:54017 CLOSE_WAIT -
tcp 0 0 ****************** 74.125.155.125:5222 ESTABLISHED 22153/pidgin
tcp 0 21 127.0.0.1:43966 127.0.0.1:16001 FIN_WAIT1 -
tcp 0 21 127.0.0.1:55124 127.0.0.1:16001 FIN_WAIT1 -
tcp 297 0 127.0.1.1:4713 127.0.1.1:54067 CLOSE_WAIT -
tcp 0 0 ****************** 207.46.110.21:1863 ESTABLISHED 22153/pidgin
tcp 0 0 ****************** 205.188.211.184:5190 ESTABLISHED 22153/pidgin
tcp 297 0 127.0.1.1:4713 127.0.1.1:55679 CLOSE_WAIT -
tcp 0 21 127.0.0.1:55123 127.0.0.1:16001 FIN_WAIT1 -
tcp 0 0 ****************** 205.188.5.213:5190 ESTABLISHED 22153/pidgin
tcp 297 0 127.0.1.1:4713 127.0.1.1:55680 CLOSE_WAIT -
tcp 21 0 127.0.0.1:16001 127.0.0.1:34879 CLOSE_WAIT -
tcp 297 0 127.0.1.1:4713 127.0.1.1:54018 CLOSE_WAIT -
tcp 21 0 127.0.0.1:16001 127.0.0.1:34877 CLOSE_WAIT -
tcp 297 0 127.0.1.1:4713 127.0.1.1:55074 CLOSE_WAIT -
tcp 0 0 ****************** 74.125.155.102:80 ESTABLISHED 4389/firefox
tcp 133 0 127.0.0.1:16001 127.0.0.1:55263 CLOSE_WAIT -
tcp 21 0 127.0.0.1:16001 127.0.0.1:34878 CLOSE_WAIT -
tcp 0 21 127.0.0.1:55125 127.0.0.1:16001 FIN_WAIT1 -
tcp 0 0 ****************** 64.4.34.200:1863 ESTABLISHED 22153/pidgin
tcp 0 0 ****************** 74.125.127.139:80 ESTABLISHED 4389/firefox
tcp 0 0 ****************** 204.16.33.188:1863 ESTABLISHED 22153/pidgin

wojox
August 11th, 2009, 01:45 PM
I thought you had a direct connection like PM. Then it's usually 4443. Yeah, try a sniffer.

KEE
August 11th, 2009, 01:49 PM
> I thought you had a direct connection like PM. Then it's usually 4443. Yeah, try a sniffer.

Yeah, downloading Wireshark. I think I did have a direct connection on a PM. He's sending files through his MSN messenger.

KEE
August 11th, 2009, 02:08 PM
> I thought you had a direct connection like PM. Then it's usually 4443. Yeah, try a sniffer.

lol, Wireshark is confusing. How do I locate the IP? It seems like it requires an IP, like network tools.

cdenley
August 11th, 2009, 02:59 PM
> Man, I don't know. :confused: Seems Ubuntu is bugged =/

Bugged? I see several connections with pidgin.
205.188.211.184:5190 = AOL
205.188.248.151:5190 = AOL
202.43.216.74:5050 = Yahoo
64.12.25.70:5190 = AOL
74.125.155.125:5222 = Google
207.46.110.21:1863 = Microsoft
205.188.211.184:5190 = AOL
205.188.5.213:5190 = AOL
64.4.34.200:1863 = Hotmail
204.16.33.188:1863 = MySpace

There doesn't appear to be a direct connection to any user from pidgin at the moment you ran that command.
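The check cdenley did by hand above (which of Pidgin's connections go to a provider's server port, and which do not), written up as an added example that is not code from this thread or from Pidgin. It parses `netstat -tupn` output and groups one program's connections into loopback, IM-server and everything else; the port table, the 192.0.2.x local address and the 198.51.100.7:4443 row are assumptions/constructed for the sample, not values from the thread.

```python
"""Added example (not from the thread or Pidgin): parse `netstat -tupn`
output and sort one program's connections by where they go."""
import ipaddress
from collections import defaultdict

# Well-known client-to-server ports for the IM protocols seen in the thread.
IM_SERVER_PORTS = {1863: "MSNP (MSN/Hotmail)", 5190: "OSCAR (AOL/AIM)",
                   5050: "Yahoo Messenger", 5222: "XMPP (Google Talk)"}

# Constructed sample in the shape of the thread's output: 192.0.2.10 is a placeholder
# local address and the 198.51.100.7:4443 row is invented to show a non-server peer.
SAMPLE = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address      Foreign Address       State       PID/Program name
tcp        0      0 127.0.0.1:16001    127.0.0.1:55123       SYN_RECV    -
tcp        0      0 192.0.2.10:43721   205.188.211.184:5190  ESTABLISHED 22153/pidgin
tcp        0      0 192.0.2.10:40833   74.125.155.125:5222   ESTABLISHED 22153/pidgin
tcp        0      0 192.0.2.10:46337   207.46.110.21:1863    ESTABLISHED 22153/pidgin
tcp        0      0 192.0.2.10:51000   198.51.100.7:4443     ESTABLISHED 22153/pidgin
tcp        0      0 192.0.2.10:43497   74.125.155.102:80     ESTABLISHED 4389/firefox
"""

def split_endpoint(endpoint):
    host, _, port = endpoint.rpartition(":")      # 'host:port' as netstat -n prints it
    return host, (int(port) if port.isdigit() else None)

def parse_netstat(text):
    """Return the TCP rows as dicts; headers, udp rows and warnings are skipped."""
    conns = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or f[0] not in ("tcp", "tcp6"):
            continue
        prog = f[6] if len(f) > 6 else "-"   # '-' = owner not visible (needs root)
        conns.append({"local": f[3], "foreign": f[4], "state": f[5], "prog": prog})
    return conns

def classify(conn):
    """loopback / im-server / direct-or-other, judged from the foreign endpoint."""
    host, port = split_endpoint(conn["foreign"])
    try:
        if ipaddress.ip_address(host).is_loopback:
            return "loopback"
    except ValueError:          # hostname or masked address: cannot judge
        return "unparsed"
    return "im-server" if port in IM_SERVER_PORTS else "direct-or-other"

def audit(text, program="pidgin"):
    """Group the foreign endpoints of one program by category."""
    groups = defaultdict(list)
    for c in parse_netstat(text):
        if c["prog"].endswith("/" + program):
            groups[classify(c)].append(c["foreign"])
    return dict(groups)
```

On the thread's real output, `audit(open("netstat.txt").read())` would return only the "im-server" bucket for pidgin, which is what cdenley's reading of the list shows.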

KEE
August 11th, 2009, 03:05 PM
> Bugged? I see several connections with pidgin.
> 205.188.211.184:5190 = AOL
> 205.188.248.151:5190 = AOL
> 202.43.216.74:5050 = Yahoo
> 64.12.25.70:5190 = AOL
> 74.125.155.125:5222 = Google
> 207.46.110.21:1863 = Microsoft
> 205.188.211.184:5190 = AOL
> 205.188.5.213:5190 = AOL
> 64.4.34.200:1863 = Hotmail
> 204.16.33.188:1863 = MySpace
>
> There doesn't appear to be a direct connection to any user from pidgin at the moment you ran that command.

Not true, and yes, it's bugged or not working in that way. I ran that command lots of times during a period of 10 mins. It's a long process when you're in messenger to download 5 MiB, so I had a huge window of opportunity.

ZaHACKieL
August 11th, 2009, 03:06 PM
> Man, that command doesn't work =( The file was 5 MiB with MSN transferring, and still nothing....

As wojox said, you should look for port 4443, but it is not the only one; it may use other ports. Look on the web for which ports your MSN client uses and look for the IP connected through that port while you transfer that file, or at least look at the logs after transferring.

ZL

KEE
August 11th, 2009, 03:17 PM
Forget it. There's no solution to this. I'm done. Hope nothing happens to you guys, that's all. Good luck.

cdenley
August 11th, 2009, 03:25 PM
> Not true, and yes, it's bugged or not working in that way. I ran that command lots of times during a period of 10 mins. It's a long process when you're in messenger to download 5 MiB, so I had a huge window of opportunity.

http://developer.pidgin.im/wiki/Protocol%20Specific%20Questions#Whyarefiletransferssoslow

> MSN file transfer support is limited to the proxied version of file transfer support in the protocol. This means that the files are sent to MSN's servers, then the server sends the data to the other user. We don't know if or when we will ever support any of the peer-to-peer file transfer methods available in the MSN protocol.

As I said, there was no direct connection to the user. You were connected to the same MSN server as they were, and the MSN server proxied the file transfer. Ubuntu works fine. You can't get their IP from a MSN file transfer in pidgin.

KEE
August 11th, 2009, 03:38 PM
> http://developer.pidgin.im/wiki/Protocol%20Specific%20Questions#Whyarefiletransferssoslow
>
> As I said, there was no direct connection to the user. You were connected to the same MSN server as they were, and the MSN server proxied the file transfer. Ubuntu works fine. You can't get their IP from a MSN file transfer in pidgin.

Right, so it doesn't work in that way, like I said. How else are you going to transfer files without a website? I used to know of a way to get their IP from Hotmail email, but I haven't used that in a while, and since then msn.com has been updated, so I don't know how anymore. Those commands are pointless in messenger...

netstat tupl|grep tcp
netstat -tupn

cdenley
August 11th, 2009, 03:53 PM
> Right, so it doesn't work in that way, like I said. How else are you going to transfer files without a website? I used to know of a way to get their IP from Hotmail email, but I haven't used that in a while, and since then msn.com has been updated, so I don't know how anymore. Those commands are pointless in messenger...
>
> netstat tupl|grep tcp

Some e-mail servers will add the user's IP address to the e-mail headers. I believe most don't, though. I don't know about hotmail. I wouldn't want to use an e-mail service that revealed my home IP.

The best way I can think of to retrieve a person's IP address is to set up a web server, then trick them into visiting it. You can try sending them an HTML-encoded e-mail with an embedded image (http://[your ip]/fakeimage.jpg) which would trick them into sending a request for the image to your server, but most e-mail clients don't display external images until the user allows it. You might have more luck sending them a link, but I don't know what kind of hacker would click on a link in an e-mail to an IP address or free domain.

Do you happen to have a website or blog you can trick them into visiting?

KEE
August 11th, 2009, 03:55 PM
> Some e-mail servers will add the user's IP address to the e-mail headers. I believe most don't, though. I don't know about hotmail. I wouldn't want to use an e-mail service that revealed my home IP.
>
> The best way I can think of to retrieve a person's IP address is to set up a web server, then trick them into visiting it. You can try sending them an HTML-encoded e-mail with an embedded image (http://[your ip]/fakeimage.jpg) which would trick them into sending a request for the image to your server, but most e-mail clients don't display external images until the user allows it. You might have more luck sending them a link, but I don't know what kind of hacker would click on a link in an e-mail to an IP address or free domain.
>
> Do you happen to have a website or blog you can trick them into visiting?

Sigh, no.