Forum Moderators: coopster & jatar k

find real ip address of user behind proxy

unmask proxy to find real user ip

     
10:21 am on Oct 20, 2017 (gmt 0)

Senior Member from MZ 

WebmasterWorld Senior Member 10+ Year Member

joined:Nov 9, 2005
posts: 836
votes: 0


hi

A user is doing malicious things on my application. He always comes with "google proxy" pointing to USA location.

I want to find his real IP to check his real location. I have tried working with the X-Forwarded-For header etc. as follows:




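function getrealip()
{
    if (isset($_SERVER)) {
        // These are request headers: they hold whatever the proxy
        // (or the client itself) chose to send.
        if (isset($_SERVER["HTTP_X_FORWARDED_FOR"])) {
            $ip = $_SERVER["HTTP_X_FORWARDED_FOR"];
            // The header may be a comma-separated list; take the first entry.
            // strpos() returns 0 for a leading comma, so compare against false.
            if (strpos($ip, ",") !== false) {
                $exp_ip = explode(",", $ip);
                $ip = trim($exp_ip[0]);
            }
        } elseif (isset($_SERVER["HTTP_CLIENT_IP"])) {
            $ip = $_SERVER["HTTP_CLIENT_IP"];
        } else {
            // Address of the peer that opened the connection to this server.
            $ip = $_SERVER["REMOTE_ADDR"];
        }
    } else {
        // Fallback for environments without $_SERVER: same logic via getenv().
        if (getenv('HTTP_X_FORWARDED_FOR')) {
            $ip = getenv('HTTP_X_FORWARDED_FOR');
            if (strpos($ip, ",") !== false) {
                $exp_ip = explode(",", $ip);
                $ip = trim($exp_ip[0]);
            }
        } elseif (getenv('HTTP_CLIENT_IP')) {
            $ip = getenv('HTTP_CLIENT_IP');
        } else {
            $ip = getenv('REMOTE_ADDR');
        }
    }
    return $ip;
}


$MyipAddress = getrealip();
echo $MyipAddress;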


But it is always showing the proxy IP. I tried visiting my own URL that spits out the visitor IP using different proxy sites; it does not show my real IP. Somebody said to use SSL as it can block proxy etc.

I want to know if there is any way to find the real IP behind a proxy using PHP or any other technology. I am even ready to pay/buy scripts etc. to find it.

thank you
11:26 am on Oct 20, 2017 (gmt 0)

Moderator from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:10095
votes: 549


AFAIK you can only retrieve the IP address sent to the server.
11:40 am on Oct 20, 2017 (gmt 0)

Senior Member from MZ 

WebmasterWorld Senior Member 10+ Year Member

joined:Nov 9, 2005
posts: 836
votes: 0


Even beyond PHP scope it's not possible? Any server-side solution or any paid service that can query proxy servers' databases?
5:55 pm on Oct 20, 2017 (gmt 0)

New User

joined:Aug 21, 2016
posts:17
votes: 0


The code you posted relies on the proxy passing the client's IP address. Whether that happens is entirely up to the proxy configuration. Also, it can be easily faked - either over a direct connection or even over a proxy, if the latter does not explicitly set or check that header.

Even though far from being reliable, you could try to exploit some WebRTC vulnerability to determine the client's actual IP address - [thehackernews.com].

Alternatively, as you already mentioned, you could also use one of those IP address databases that contain proxy and/or data centre addresses. Some of them are free, others paid and their reliability will also certainly vary.

As far as SSL (or better TLS) is concerned, that is a completely different topic and won't help you in this case.
8:35 pm on Oct 20, 2017 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:14251
votes: 551


AFAIK you can only retrieve the IP address sent to the server.
Some law-abiding proxies--if that isn't an oxymoron--include an X-Forwarded-For header. (But what are the commas doing? Or is that a decimal-separator mixup and it was supposed to be . period?)

Some non-law-abiding proxies include an X-Forwarded-For header that contains something other than an IP address. They seem to be especially fond of the single word “unknown”, which strikes me as worse than not sending the header at all.

:: idly wondering what, if anything, “::ffff:206.78.150.abc” is supposed to mean (the “abc” is my obfuscation) ::
8:47 pm on Oct 20, 2017 (gmt 0)

Moderator from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:10095
votes: 549


An X-Forwarded-For header *is* "the IP address sent to the server." The request header is sent to the server. That field may contain a different IP address than the requesting IP address, but it is still information sent to the server.
9:13 pm on Oct 20, 2017 (gmt 0)

Senior Member from MZ 

WebmasterWorld Senior Member 10+ Year Member

joined:Nov 9, 2005
posts: 836
votes: 0


Is there any 3rd party service that I can use on-the-fly to tell me the real IP of the visitor who visits a page on my site using a proxy?
9:22 pm on Oct 20, 2017 (gmt 0)

Full Member

Top Contributors Of The Month

joined:Apr 11, 2015
posts: 306
votes: 21


include an X-Forwarded-For header. (But what are the commas doing?


The X-Forwarded-For header can contain multiple IP addresses, comma separated, depending on the number of proxy servers the request passes through. Each proxy server "should" add its IP address to the list. The first IP address "should" be the original client's IP address. But even well-intentioned proxy servers can get it wrong and prefix the IP address instead of appending it.

You could examine the entire $_SERVER superglobal in case a non-standard header is set. (But, as mentioned, this is dependent on the proxy "being nice" and forwarding the client's IP address in some way.)

If you want to block this user, it may be sufficient to block based on some other element of this request, or even the proxy as a whole?!
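
The posts above describe X-Forwarded-For as a comma-separated list that any hop, including the client, can write to. As an added example (not part of the original thread), the sketch below only reads the header when the connecting peer is a reverse proxy you operate, and walks the list right to left; the function names and the `$trustedProxies` list are assumptions made for illustration. It does not reveal anything about a visitor behind a third-party anonymous proxy, it only stops forged or junk entries from being taken as the client address.

```php
<?php
// Added example (not from the thread). $trustedProxies is an assumption:
// the exact addresses of reverse proxies you operate yourself.
function normalize_ip(string $token): ?string
{
    $token = trim($token);
    // IPv4-mapped IPv6, e.g. "::ffff:198.51.100.23" -> "198.51.100.23"
    if (stripos($token, '::ffff:') === 0 && strpos($token, '.') !== false) {
        $token = substr($token, 7);
    }
    // Rejects "unknown", empty strings, hostnames and other junk.
    $ip = filter_var($token, FILTER_VALIDATE_IP);
    return $ip === false ? null : $ip;
}

function resolve_client_ip(string $remoteAddr, ?string $xff, array $trustedProxies): string
{
    // REMOTE_ADDR comes from the TCP connection; the header is only
    // meaningful when that peer is one of our own proxies.
    if ($xff === null || !in_array($remoteAddr, $trustedProxies, true)) {
        return $remoteAddr;
    }
    $client = $remoteAddr;
    // Walk right to left: the rightmost entry was appended by the hop
    // closest to us, entries further left are progressively less reliable.
    foreach (array_reverse(explode(',', $xff)) as $token) {
        $ip = normalize_ip($token);
        if ($ip === null) {
            break; // malformed entry: keep the last valid address
        }
        $client = $ip;
        if (!in_array($ip, $trustedProxies, true)) {
            break; // first address we do not control
        }
    }
    return $client;
}

// Constructed samples using documentation address ranges.
$trusted = ['192.0.2.10'];
$samples = [
    ['198.51.100.23', '203.0.113.7'],               // direct request, forged header
    ['192.0.2.10', '10.1.1.1, 198.51.100.23'],      // fake entry prepended by client
    ['192.0.2.10', 'unknown, ::ffff:198.51.100.23'],
    ['192.0.2.10', null],                           // proxy sent no header
];
foreach ($samples as [$peer, $xff]) {
    echo $peer, ' | ', var_export($xff, true), ' => ', resolve_client_ip($peer, $xff, $trusted), "\n";
}
```

Trusted proxies are compared as exact strings here, so IPv6 proxy addresses need to be listed in the same textual form PHP reports them.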
9:28 pm on Oct 20, 2017 (gmt 0)

Senior Member from MZ 

WebmasterWorld Senior Member 10+ Year Member

joined:Nov 9, 2005
posts: 836
votes: 0


I don't want to block him. I want to find his physical location. I want his real IP.
9:30 pm on Oct 20, 2017 (gmt 0)

Senior Member from MZ 

WebmasterWorld Senior Member 10+ Year Member

joined:Nov 9, 2005
posts: 836
votes: 0


At this moment the IP I get from him traces back to "google proxy" location US, California.
9:42 pm on Oct 20, 2017 (gmt 0)

Full Member

Top Contributors Of The Month

joined:Apr 11, 2015
posts: 306
votes: 21


Is that just from using the function above or have you examined the entire request? The function you posted above makes several assumptions. I would check the entire $_SERVER array for IP addresses and test them all.

But it may not be possible to get the client's IP address from the request that hits your server. If they are using an anonymous proxy, then that's kinda the point.
9:48 pm on Oct 20, 2017 (gmt 0)

Senior Member from MZ 

WebmasterWorld Senior Member 10+ Year Member

joined:Nov 9, 2005
posts: 836
votes: 0


I have studied the full request. There must be a way to break into the proxy. To do some reverse engineering and break the proxy packet. The proxy request must be done on the fly and the session must keep real user info somewhere.
1:27 am on Oct 21, 2017 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:14251
votes: 551


can contain multiple IP addresses, comma separated
Whoops! Forgot about those. Admittedly the more IP addresses there are, the more suspicious I get. Especially when one or more of them is "unknown" or "127.0.0.1"

the session must keep real user info somewhere
I think that was keyplyr's point about "sent to the server". You can only know what they choose to tell you.
6:38 pm on Oct 21, 2017 (gmt 0)

Senior Member from MZ 

WebmasterWorld Senior Member 10+ Year Member

joined:Nov 9, 2005
posts: 836
votes: 0


Can using SSL help me to filter out the proxy and get the real IP of the visitor?

I can serve him a server/JavaScript callback when the proxy visitor comes to my site because he is the only one visiting a specific page. I have freedom to execute something when he visits to get his real IP. Or ask him to click another link or redirect him to another page. Will this help at all to unmask his proxy and get his real IP?
8:17 pm on Oct 21, 2017 (gmt 0)

New User

joined:Aug 21, 2016
posts:17
votes: 0


As for TLS see above.
9:31 pm on Oct 21, 2017 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:14251
votes: 551


I don't want to block him. I want to find his physical location. I want his real IP

Why? Is he doing something so over-the-top malicious that you think you can get him in legitimate trouble with his own ISP or even with the law?

If so, is it really safe to let him continue doing what he's doing?
9:34 pm on Oct 21, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Feb 12, 2006
posts:2648
votes: 94


Even if you do manage to find his real IP, can’t he just change it again? My broadband provider seems to give me a different IP every time I turn it on.
You’d be better off trying to prevent whatever malicious thing he’s doing.
 
