find real ip address of user behind proxy

unmask proxy to find real user ip

         

phparion

10:21 am on Oct 20, 2017 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Hi

A user is doing malicious things on my application. He always comes with "google proxy" pointing to a USA location.

I want to find his real IP to check his real location. I have tried working with the x-forwarded header etc. as follows:




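function getrealip()
{
    if (isset($_SERVER)) {
        // Prefer X-Forwarded-For when present; its value is whatever the proxy or client sent.
        if (isset($_SERVER["HTTP_X_FORWARDED_FOR"])) {
            $ip = $_SERVER["HTTP_X_FORWARDED_FOR"];
            // The header may hold a comma-separated list; take the first entry.
            if (strpos($ip, ",")) {
                $exp_ip = explode(",", $ip);
                $ip = $exp_ip[0];
            }
        } else if (isset($_SERVER["HTTP_CLIENT_IP"])) {
            $ip = $_SERVER["HTTP_CLIENT_IP"];
        } else {
            // Address of the peer that actually connected to the server.
            $ip = $_SERVER["REMOTE_ADDR"];
        }
    } else {
        // Same lookup order through the environment when $_SERVER is unavailable.
        if (getenv('HTTP_X_FORWARDED_FOR')) {
            $ip = getenv('HTTP_X_FORWARDED_FOR');
            if (strpos($ip, ",")) {
                $exp_ip = explode(",", $ip);
                $ip = $exp_ip[0];
            }
        } else if (getenv('HTTP_CLIENT_IP')) {
            $ip = getenv('HTTP_CLIENT_IP');
        } else {
            $ip = getenv('REMOTE_ADDR');
        }
    }
    return $ip;
}


$MyipAddress = getrealip();
echo $MyipAddress;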


But it is always showing the proxy IP. I tried visiting my own URL that spits out the visitor IP using different proxy sites; it does not show my real IP. Somebody said to use SSL as it can block proxies etc.

I want to know if there is any way to find the real IP behind a proxy using PHP or any other technology. I am even ready to pay/buy scripts etc. to find it.

thank you

keyplyr

11:26 am on Oct 20, 2017 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



AFAIK you can only retrieve the IP address sent to the server.

phparion

11:40 am on Oct 20, 2017 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Even beyond PHP scope it's not possible? Any server-side solution or any paid service that can query proxy servers' databases?

neroux

5:55 pm on Oct 20, 2017 (gmt 0)

5+ Year Member



The code you posted relies on the proxy passing the client's IP address. Whether that happens is entirely up to the proxy configuration. Also, it can be easily faked - either over a direct connection or even over a proxy, if the latter does not explicitly set or check that header.

Even though far from being reliable, you could try to exploit some WebRTC vulnerability to determine the client's actual IP address - [thehackernews.com].

Alternatively, as you already mentioned, you could also use one of those IP address databases that contain proxy and/or data centre addresses. Some of them are free, others paid and their reliability will also certainly vary.

As far as SSL (or better TLS) is concerned, that is a completely different topic and won't help you in this case.

lucy24

8:35 pm on Oct 20, 2017 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



AFAIK you can only retrieve the IP address sent to the server.
Some law-abiding proxies--if that isn't an oxymoron--include an X-Forwarded-For header. (But what are the commas doing? Or is that a decimal-separator mixup and it was supposed to be . period?)

Some non-law-abiding proxies include an X-Forwarded-For header that contains something other than an IP address. They seem to be especially fond of the single word “unknown”, which strikes me as worse than not sending the header at all.

:: idly wondering what, if anything, “::ffff:206.78.150.abc” is supposed to mean (the “abc” is my obfuscation) ::

keyplyr

8:47 pm on Oct 20, 2017 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



An X-Forwarded-For header *is* "the IP address sent to the server." The request header is sent to the server. That field may contain a different IP address than the requesting IP address, but it is still information sent to the server.

phparion

9:13 pm on Oct 20, 2017 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Is there any 3rd party service that I can use on-the-fly to tell me the real IP of the visitor who visits a page on my site using a proxy?

whitespace

9:22 pm on Oct 20, 2017 (gmt 0)

10+ Year Member Top Contributors Of The Month



include an X-Forwarded-For header. (But what are the commas doing?


The X-Forwarded-For header can contain multiple IP addresses, comma separated, depending on the number of proxy servers the request passes through. Each proxy server "should" add its IP address to the list. The first IP address "should" be the original client's IP address. But even well-intentioned proxy servers can get it wrong and prefix the IP address instead of appending it.

You could examine the entire $_SERVER superglobal in case a non-standard header is set. (But, as mentioned, this is dependent on the proxy "being nice" and forwarding the client's IP address in some way.)

If you want to block this user, it may be sufficient to block based on some other element of this request, or even the proxy as a whole?!
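
Added example, not part of any post in this thread: a PHP sketch of the X-Forwarded-For handling discussed above, which believes the header only when the connecting peer is a proxy you run yourself and discards tokens such as "unknown" or IPv4-mapped forms. The function names and the $trusted list are hypothetical and the sample addresses are constructed from documentation ranges; it cannot recover an address that the proxy never sends.

```php
<?php
// Added example; normalizeIp(), resolveClientIp() and $trusted are hypothetical names.

function normalizeIp(string $token): ?string
{
    $token = trim($token);
    // "::ffff:a.b.c.d" is an IPv4 address written in IPv4-mapped IPv6 notation.
    if (stripos($token, '::ffff:') === 0 && substr_count($token, '.') === 3) {
        $token = substr($token, 7);
    }
    // Rejects "unknown", empty tokens and anything else that is not an IP address.
    return filter_var($token, FILTER_VALIDATE_IP) === false ? null : $token;
}

function resolveClientIp(string $remoteAddr, ?string $xff, array $trustedProxies): array
{
    // REMOTE_ADDR is the TCP peer: the only value a request header cannot overwrite.
    $ip = normalizeIp($remoteAddr) ?? $remoteAddr;
    if ($xff === null || !in_array($ip, $trustedProxies, true)) {
        return ['ip' => $ip, 'source' => 'REMOTE_ADDR'];
    }
    // Each proxy appends the peer it saw, so walk right to left and stop at the
    // first hop that is not ours; everything left of it is client-supplied text.
    foreach (array_reverse(explode(',', $xff)) as $hop) {
        $candidate = normalizeIp($hop);
        if ($candidate === null) {
            break; // garbage token: keep the last hop that could be verified
        }
        $ip = $candidate;
        if (!in_array($ip, $trustedProxies, true)) {
            return ['ip' => $ip, 'source' => 'X-Forwarded-For'];
        }
    }
    return ['ip' => $ip, 'source' => 'trusted-proxy'];
}

// Constructed sample requests: [REMOTE_ADDR, X-Forwarded-For, label].
$trusted = ['192.0.2.10']; // assumption: your own reverse proxy
$samples = [
    ['198.51.100.23', '203.0.113.7', 'direct peer, header ignored'],
    ['192.0.2.10', '10.9.9.9, 203.0.113.7', 'own proxy, forged first entry'],
    ['192.0.2.10', 'unknown', 'own proxy, non-IP token'],
    ['::ffff:192.0.2.10', '::ffff:203.0.113.7', 'IPv4-mapped notation'],
];
foreach ($samples as [$remote, $xff, $label]) {
    $r = resolveClientIp($remote, $xff, $trusted);
    printf("%-32s => %s (%s)\n", $label, $r['ip'], $r['source']);
}
```

For a visitor arriving through a third-party proxy the result is always that proxy's REMOTE_ADDR, which matches what the original poster observed.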

phparion

9:28 pm on Oct 20, 2017 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I don't want to block him. I want to find his physical location. I want his real IP.

phparion

9:30 pm on Oct 20, 2017 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



At this moment the IP I get from him traces back to "google proxy" location US, California.

whitespace

9:42 pm on Oct 20, 2017 (gmt 0)

10+ Year Member Top Contributors Of The Month



Is that just from using the function above or have you examined the entire request? The function you posted above makes several assumptions. I would check the entire $_SERVER array for IP addresses and test them all.

But it may not be possible to get the client's IP address from the request that hits your server. If they are using an anonymous proxy, then that's kinda the point.

phparion

9:48 pm on Oct 20, 2017 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I have studied the full request. There must be a way to break into the proxy. To do some reverse engineering and break the proxy packet. The proxy request must be done on the fly and the session must keep real user info somewhere.

lucy24

1:27 am on Oct 21, 2017 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



can contain multiple IP addresses, comma separated
Whoops! Forgot about those. Admittedly the more IP addresses there are, the more suspicious I get. Especially when one or more of them is "unknown" or "127.0.0.1"

the session must keep real user info somewhere
I think that was keyplyr's point about "sent to the server". You can only know what they choose to tell you.

phparion

6:38 pm on Oct 21, 2017 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Can using SSL help me to filter out the proxy and get the real IP of the visitor?

I can serve him a server/JavaScript callback when the proxy visitor comes to my site because he is the only one visiting a specific page. I have freedom to execute something when he visits to get his real IP. Or ask him to click another link or redirect him to another page. Will this help at all to unmask his proxy and get his real IP?

neroux

8:17 pm on Oct 21, 2017 (gmt 0)

5+ Year Member



As for TLS see above.

lucy24

9:31 pm on Oct 21, 2017 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I don't want to block him. I want to find his physical location. I want his real IP.

Why? Is he doing something so over-the-top malicious that you think you can get him in legitimate trouble with his own ISP or even with the law?

If so, is it really safe to let him continue doing what he's doing?

londrum

9:34 pm on Oct 21, 2017 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Even if you do manage to find his real IP, can’t he just change it again? My broadband provider seems to give me a different IP every time I turn it on.
You’d be better off trying to prevent whatever malicious thing he’s doing.