
Some perl scripts to help track stolen computers UNIX
As an owner of two iBooks and a Mac mini, it has struck me that these are all likely targets for a thief. A while ago I recalled this story about how someone used Timbuktu Pro to recover a stolen iMac. I then realised that because we use Apple's Remote Desktop software at work, then all I need is the current IP address of a computer to be able to observe/control it.

So I wrote a perl script to look up my computer's IP address and email it to me at regular intervals. I then had the idea to make the script determine the location of the computer based on the IP address. This is not always an exact science, but it can often pinpoint the town where the computer is. Recently I also realised that I could use the UNIX screencapture command to also email myself a screen capture (to potentially see what any thief is viewing/typing). This might be of more use to those who don't own Remote Desktop. Finally, my latest source of inspiration occurred after buying an iSight camera for my Mac mini. I discovered the great (and free) isightcapture utility, which now allows me to email pictures taken by the iSight camera.

So I now have my computers send me regular emails throughout the day which get automatically filtered by a rule in my Mail application. Because each of these three different functions (IP address, screen capture, and isight capture) requires different tweaks to the system, I wrote three different perl scripts so people can pick and choose what functionality they want. These three scripts can be downloaded as a tarball, or downloaded separately from my blog, which has full and detailed instructions on how to install each script (some require some tweaks to the system).

The main limitations of these scripts are that a) the stolen computers need to be online long enough for the scripts to run, and b) the thief doesn't just wipe your hard drive. I try to counter the second option by not using a password on the screensaver, and setting the computers to automatically log into a somewhat-restricted guest account following any reboot. Hopefully this would encourage someone to use the computer just long enough for you to get some helpful information emailed to you.

[robg adds: I haven't tested these scripts.]

Some perl scripts to help track stolen computers | 32 comments
Some perl scripts to help track stolen computers
Authored by: pub3abn on Aug 28, '06 08:09:39AM
It might also be worth mentioning that using the Apple Firmware Password Protection can add a small degree of protection by preventing an average clueless thief from circumventing the usual boot procedure.

You can read more about that here: http://docs.info.apple.com/article.html?artnum=106482

For those intimidated by custom scripts, there are alternatives that provide SOME of the same functionality: MacPhoneHome, LapCop, etc.

And O'Reilly recently posted two very general articles about safely traveling with your Mac laptop:

http://www.macdevcenter.com/pub/a/mac/2004/08/31/traveller.html

http://www.macdevcenter.com/pub/a/mac/2004/09/03/traveller.html

[ Reply to This | # ]
Some perl scripts to help track stolen computers
Authored by: pub3abn on Aug 28, '06 08:12:09AM

Correction: The O'Reilly articles are not "recent" ... but still potentially useful.



[ Reply to This | # ]
Some perl scripts to help track stolen computers
Authored by: Grant Symon on Aug 28, '06 08:55:58AM

I don't understand how this will work with ARD.

You must have port forwarding at the remote end (chez le thief) in order to observe/control the Mac. UDP and TCP ports 3128 and 5900 need to be forwarded to the LAN IP address of the stolen machine, either from his router/modem or via a wireless network, whichever is controlling the internet connection and dhcp or manually assigned addresses.

However, having the IP address emailed via a script would mean that you could 'ping' or 'trace' the account with the Network Utility and get all the necessary info about their ISP and presumably from there the ISP could tell you the actual account/street address that the connection is being made from. I'm not sure how this would work if they're using a dial up POTS connection though. :/

If this can be done without port forwarding, using ARD, then I'd love to know.

Grant Symon



[ Reply to This | # ]
Some perl scripts to help track stolen computers
Authored by: kbradnam on Aug 28, '06 09:17:33AM

Hi Grant,

The scanner section of Remote Desktop allows you to add computers based on their IP address. This of course assumes that the computer is running the Apple Remote Desktop client (enabled from the Sharing panel of System Preferences) and that you know the correct username and password of that computer (as would be the case if it was your computer that was stolen).

After enabling the Remote Desktop client, the bottom of the System Preference window actually says "Others can manage your computer using the address 123.456.789.123".

I have not had to enable any additional port forwarding to get this working and I have tested this with my iBook. As long as I have an IP address and my user account is still on the machine, then I can observe/control the computer using Remote Desktop.

Regards,

Keith



[ Reply to This | # ]
Some perl scripts to help track stolen computers
Authored by: rhowell on Aug 28, '06 09:55:20AM

I think Grant is suggesting that the IP address of the stolen laptop will usually be something like

10.0.0.1

which is typical of computers behind a router. The router's IP address (assigned to it by the ISP) may be something meaningful like

168.154.34.138

If the associated ports for this IP address are forwarded to 10.0.0.1, then ARD will most likely work.



[ Reply to This | # ]
Some perl scripts to help track stolen computers
Authored by: kbradnam on Aug 28, '06 10:04:22AM

Ah I see. In my case I share my home internet connection (which has a fixed IP address) over an Airport wireless network. When my iBook is sitting at home, the script reports the fixed IP address. In other circumstances (depending on the actual network setup), the get_IP.pl script might not be so helpful and you might have to rely on the get_desktop.pl or get_isight.pl scripts giving you useful information instead.

Regards,

Keith



[ Reply to This | # ]
Some perl scripts to help track stolen computers
Authored by: Grant Symon on Aug 28, '06 02:00:15PM

Keith,

it's funny that you find it easy to connect behind your firewall/router setup, but if you go to the Apple Discussions for ARD, you'll find that most people have a pretty hard time getting ARD to work via the internet. Ports 3282 and 5900 must be open and forwarding in both directions (and both ends) for it to work. If the connection is a cable connection, then it's less of a problem, since it's direct, but for DSL, this is a must on the router.

I have found running 10.4.7, that I have also had to ADD a user configuration to the Sharing Firewall prefs, because just checking ARD in the Services pane, doesn't let ARD through ... even although this is its *sole purpose*. :)

OTOH, Timbuktu can connect via the net more easily.

All that said ... something else occurs to me that may actually be more effective.

All the new Macs (apart from the Mac Pro) have an isight camera built-in. Couldn't a script be written to take a shot and email after a short delay ... if for example ... a second script was not run? IOW, you open your MacBook from sleep and systematically click a script in the dock, which sets a flag. If that flag is not set, then 10 seconds later the iSight camera takes a snapshot ... or several at intervals and as soon as there is an active internet connection it sends them via email or posts them to a server ... whatever.

That combined with the grabbed IP address of the router should be enough to catch and convict most thieves.

Grant



[ Reply to This | # ]
Some perl scripts to help track stolen computers
Authored by: ctierney on Aug 28, '06 10:01:19AM

(I love that TB2 article.) Assuming most people have web access, another strategy might be to restrict your network operations to port 80, by using curl to access a page on a website that you control. Even if it doesn't exist, you'll generate 404 log entries containing the remote ip address of the stolen laptop. You could also pass additional info to your logs by appending it to the query string. The technique could even be extended to give yourself a back door to the remote laptop. The file that you access might contain scripts to run if the file is successfully downloaded.

Poor man's RDC all via port 80. :)

--
Cole



[ Reply to This | # ]
Getting through a firewall
Authored by: sr105 on Aug 31, '06 07:43:31AM

If you have access to another unix/OS X based machine on the net, you could setup an account there whereby your laptop would login there and create ssh tunnels for ARD. Then, it wouldn't matter if the laptop was behind a firewall. It might be rather slow depending on the network speeds of all three locations. One plus, is that your unix machine is the only IP you need to know to use ARD no matter where the laptop is located.

As for knowing the IP, just hit whatismyip.com or something similar from the laptop. You could even create a little C, python, perl app on the same unix machine that simply reports the laptop's real IP when a connection is incoming and does nothing else.

I've used VNC this way. Well, without the automatic server login, though, but that can be done.



[ Reply to This | # ]
Some perl scripts to help track stolen computers
Authored by: nostriluu on Aug 28, '06 09:11:32AM

As someone who had their last notebook stolen :(, this is a great idea. I think it just needs one change to make it perfect - have it send a captured picture after the computer is "opened," right after the network comes online. The scenario would be as follows; the thief opens the macbook, the network comes online, a picture is taken and immediately transmitted. I think many thieves are unsophisticated and would fall for this. This would obviate intermittent pictures, which would be wasteful of resources, and would also incidentally create a fun gallery of user pics. :) Can you easily mod your script to do this?

One other improvement would be better network identification, because many networks use NAT you would be better off sending a traceroute, but you wouldn't want delays to prevent the picture from going out immediately since once they see the camera light go on you may only have seconds before the computer is closed up again.



[ Reply to This | # ]
Some perl scripts to help track stolen computers
Authored by: kbradnam on Aug 28, '06 09:27:02AM

I guess it depends if the stolen computer is powered down or just sleeping (notebook lid closed). It's probably easier to set up a script that only runs each time the system is powered on (though you might want to add a delay to give time for a machine to find/join a network).

I'm not sure how to trigger something when waking from sleep (though in the case of notebooks this will possibly be the more likely scenario following any theft). Presumably there are some UNIX processes that occur during the wake up process and maybe you could piggy back the security scripts to fire at the same time.

If anyone has any better information on doing this then I will gladly include that in my scripts.

Regards,

Keith



[ Reply to This | # ]
Some perl scripts to help track stolen computers
Authored by: SOX on Aug 28, '06 10:01:16AM

Cron has an onwake mode. So it launches any script set to launch onwake.




[ Reply to This | # ]
Some perl scripts to help track stolen computers
Authored by: nostriluu on Aug 30, '06 09:28:48AM
I couldn't find anything about an on wake mode in crontab (5). Just an 'on system startup' tag.

This looks like the ticket: http://www.radiotope.com/writing/?p=71 (random article on interacting with configd events).

I can't work on this right now but perhaps someone who is almost there can finish this up so it sends an isight pic / network coordinates on startup via a script.




[ Reply to This | # ]
Some perl scripts to help track stolen computers
Authored by: nostriluu on Aug 28, '06 11:13:20AM

I think making the event when the network comes up would be good enough, and more reliable than a delay after startup, aside from occasional networking flapping issues. On Debian this was pretty easy to work with, but I'm not in Kansas anymore. I hope you can work something up.



[ Reply to This | # ]
Some perl scripts to help track stolen computers
Authored by: Krazy on Aug 28, '06 04:42:55PM
kbradnam said:

I'm not sure how to trigger something when waking from sleep ...  If anyone has any better information on doing this then I will gladly include that in my scripts.

Check out SleepWatcher, as mentioned here: Switch to login window upon sleep

[ Reply to This | # ]
Some perl scripts to help track stolen computers
Authored by: scolson on Aug 28, '06 07:41:35PM
This is good for the people who want a project, but what about using an already tried and tested product? It seems like Undercover does everything you want it to do and much more. Cheap to buy with a slight discount for students or a good house license for those with more than one mac.

[ Reply to This | # ]
Some perl scripts to help track stolen computers
Authored by: kbradnam on Aug 28, '06 10:32:20PM

I agree that Undercover looks very nice, but this is a free solution rather than $30. It might also (hopefully) inspire someone else to elaborate on it and make it an even more complete solution. Besides, it was fun for me to do! :-)
Keith



[ Reply to This | # ]
Some perl scripts to help track stolen computers
Authored by: bankshot on Aug 28, '06 08:18:59PM

Oh, man. I just recently wrote a script for my Macbook to do similar things to what Undercover does if it's ever stolen. I'd been meaning to clean it up a bit so that I could release it to the public and maybe submit a hint here.

My script seems similar to what's posted here (I haven't looked at these yet) in that it uses screencapture and isightcapture to send pictures. Where it differs is that it works in conjunction with some web hosting space I have. To avoid sending myself constant pictures of the desktop and my ugly mug, I have it first check a file on my own webspace. If that file contains the text "1" that means the laptop is stolen. The script then takes pictures and sends them (in my case it uploads them to my web space via a CGI script running on the web server; it could also very easily just email them). If the file on the web server contains anything but a "1", the laptop is not considered stolen so it does nothing.

Like I said, I haven't cleaned this up to generalize it and make it nice and easy to install, and it also requires that you have your own CGI-enabled webspace (though you could easily change it to skip that and use email instead). If anyone's interested, I suppose I could just post a link to what I have so far.



[ Reply to This | # ]
Some perl scripts to help track stolen computers
Authored by: dille on Aug 29, '06 04:38:35AM

While I understand the thought behind the "check for 1-ness at my webspace", it also means that if your machine is stolen, you need immediate access to the net.
What if it's stolen at night, while you're sleeping? You won't update your site, so your laptop won't report anything, possibly (probably?) missing that oh-so precious first camshot =]



[ Reply to This | # ]
Some perl scripts to help track stolen computers
Authored by: joh on Aug 29, '06 06:36:44AM

I have thought about this, too. The most simple and flexible way would be to add some simple script that runs on boot (and/or on wake and then regularly) and tries to download and execute another script from your webserver. As long as the notebook isn't stolen, the file isn't there. If it gets stolen, you upload the file (which may contain commands to gather information, take a screenshot and send it somewhere) and you have an actual way to do whatever you want with the machine.

The nice thing is that this way you can add things to your script even *after* the notebook has been stolen, since the stolen Mac will download it. In the worst case (you notice too late that the machine has been stolen and don't upload a file soon enough before the thief reinstalls the machine) you'll still have an IP-address logged if the thief is dumb enough to go online with it at least once.



[ Reply to This | # ]
Some perl scripts to help track stolen computers
Authored by: moxieboy on Aug 29, '06 07:34:05AM

This could open the door to someone running malicious code. I'd be very cautious about running code from the web, no-questions-asked, even if you do control the webspace.



[ Reply to This | # ]
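One way to address the concern above for the download-and-run approach, as an added example that is not from the thread: the laptop runs a fetched script only if a detached signature verifies against a public key already stored on it, so a script altered in transit or on the web host is refused. The file names, key files and the helper functions are assumptions; it needs the `openssl` command.

```sh
#!/bin/sh
# Added example (not code from the thread). The signing key stays on another
# machine; only public.pem is installed on the laptop.

# verify_then_run SCRIPT SIGNATURE PUBKEY
# Returns 2 if a file is missing (the normal "not stolen" state),
# 3 if the signature does not verify, otherwise the script's own status.
verify_then_run() {
    script=$1 sig=$2 pubkey=$3
    [ -s "$script" ] && [ -s "$sig" ] && [ -r "$pubkey" ] || return 2
    # Verify and run the same private copy so the file cannot be swapped
    # between the check and the execution.
    work=$(mktemp) || return 2
    cp "$script" "$work" || { rm -f "$work"; return 2; }
    rc=3
    if openssl dgst -sha256 -verify "$pubkey" -signature "$sig" "$work" \
            >/dev/null 2>&1
    then
        rc=0
        sh "$work" || rc=$?
    fi
    rm -f "$work"
    return "$rc"
}

# Owner's side, run on a different machine: create a key pair once ...
make_demo_keypair() {    # writes $1/private.pem and $1/public.pem
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/private.pem" 2>/dev/null &&
    openssl ec -in "$1/private.pem" -pubout -out "$1/public.pem" 2>/dev/null
}

# ... and sign each script before uploading it next to its .sig file.
sign_script() {          # $1 = private key, $2 = script; writes $2.sig
    openssl dgst -sha256 -sign "$1" -out "$2.sig" "$2"
}

# On the laptop the two files would first be fetched, for example:
#   curl -fsS -o cmd.sh     http://mysite.com/cmd.sh        (placeholder URL)
#   curl -fsS -o cmd.sh.sig http://mysite.com/cmd.sh.sig

# Constructed demo with a throwaway key pair.
demo=$(mktemp -d)
make_demo_keypair "$demo"
printf 'echo tracking-run\n' > "$demo/cmd.sh"
sign_script "$demo/private.pem" "$demo/cmd.sh"
verify_then_run "$demo/cmd.sh" "$demo/cmd.sh.sig" "$demo/public.pem" || true
printf 'echo injected\n' >> "$demo/cmd.sh"      # changed after signing
verify_then_run "$demo/cmd.sh" "$demo/cmd.sh.sig" "$demo/public.pem" ||
    echo "rejected with status $?"
rm -rf "$demo"
```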
Some perl scripts to help track stolen computers
Authored by: rubeon on Aug 29, '06 07:12:04AM

It would be awesome if it could also periodically take a picture through the built-in iSight camera. A pre-packaged mugshot for a foul thief!



[ Reply to This | # ]
Some perl scripts to help track stolen computers
Authored by: kbradnam on Aug 29, '06 08:27:10AM

This is exactly what the third script (get_isight.pl) does.

Keith



[ Reply to This | # ]
Some perl scripts to help track stolen computers
Authored by: miedreich on Aug 29, '06 12:21:50PM

To avoid sending and filtering the mail sent via your scripts, you might also register the machine with dyndns or a similar service. This would also possibly be less conspicuous.

The modules themselves are a good tip though and useful independent of purpose.

greets, frank



[ Reply to This | # ]
Some perl scripts to help track stolen computers
Authored by: wsdr on Aug 29, '06 05:11:04PM
A laundry list of ideas for those who tinker in this kind of stuff:

A simple mod to something like this to keep it from needlessly emailing all the time, assuming you have your own website or server, is to have the unit check-in to a particular page on a regular interval, where the page is normally empty. The script would check for the presence of a keyword, or 1 or True (whatever), like so:

#!/bin/sh
# fetch the check-in page quietly and look for the keyword
if curl -s http://mysite.com/mypage.html | grep -q 'True'
then
    : # ... run my scripts ...
fi


I set this up to run as a cron job as root so that it runs regardless of the state of the system (short of erasure).

That way, if your unit is stolen (assuming you have access to another), you change the page to have your keyword (in this case True), and your script executes. You also get the benefit of your webserver logging the IP address.


Also, to get around the whole firewall/dialup issue, because I have ssh access to my server, I take this one step further, and add to my script a reverse tunnel setup, like so:

ssh -C -f -N -R 45322:127.0.0.1:22 root@myserver.com &

It's clunky, but it works. The -R 45322:127.0.0.1:22 tells the computer to create a tunnel at the remote server on port 45322 back to itself to port 22 (the ssh port) -- this MUST be run as root, or you can't attach to port 22. This also assumes you have set up passwordless logins to the remote server using a hint like this Remote connections without passwords .

Then, once you activate your script, you monitor the logins on your web site logs (or perhaps have your webpage trigger an email to your phone or pager), and you can log in to your remote computer via the tunnel. To do so, you first log in to your server, then from your server you use the following (assuming you used the same ports as above):

ssh -p 45322 your_user@127.0.0.1

Lastly, I use mostly PHP scripts triggered by the cron job shell script. PHP has great mail support, and with the right mods and setup for postfix (ie: setting it up to relay to your mail server over a high numbered, unprotected port), you can be almost certain that if your stolen unit connects to the internet, your message will get through.

[ Reply to This | # ]
Some perl scripts to help track stolen computers
Authored by: ctierney on Aug 30, '06 07:23:05AM

An alternative to checking a website for file (that may not be there in time) is to check the MAC address of the current LAN's gateway.

arp `netstat -nr | awk '/^default/ {print $2}'`

Check this against a list of known gateways (work, home, your favorite cafe, etc.). If the gateway's MAC address is unknown, then assume it's stolen. A script like this could also be adapted to do certain things based on your current location.



[ Reply to This | # ]
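The gateway check described above, as an added example that is not part of the original comment: it parses BSD/macOS-style `arp` output, normalises the MAC address (macOS prints octets without leading zeros) and compares it with a list of known gateways. The MAC addresses, labels and function names are constructed for illustration.

```sh
#!/bin/sh
# Added example (not code from the thread). Known gateways, one per line:
# MAC address, then a label. These entries are constructed placeholders.
KNOWN_GATEWAYS='
# mac               label
00:1b:63:aa:0b:cc   home
00:0d:93:12:34:56   work
'

# normalize_mac MAC -> lower case, two hex digits per octet.
# Fails (status 1) on anything that is not a six-octet MAC address.
normalize_mac() {
    printf '%s\n' "$1" | tr 'A-F' 'a-f' | awk -F: '
        NF != 6 { exit 1 }
        {
            out = ""
            for (i = 1; i <= 6; i++) {
                if ($i !~ /^[0-9a-f][0-9a-f]?$/) exit 1
                sep = (i > 1) ? ":" : ""
                pad = (length($i) == 1) ? "0" : ""
                out = out sep pad $i
            }
            print out
        }'
}

# gateway_mac_from_arp: reads "arp <host>" output on stdin and prints the
# word after "at" (this is "(incomplete)" when the gateway has not answered).
gateway_mac_from_arp() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "at") { print $(i + 1); exit } }'
}

# classify_gateway ARP_OUTPUT -> prints the label of the matching known
# gateway and returns 0, or prints "unknown" and returns 1.
classify_gateway() {
    raw=$(printf '%s\n' "$1" | gateway_mac_from_arp)
    mac=$(normalize_mac "$raw") || { echo unknown; return 1; }
    while read -r known label; do
        case $known in ''|'#'*) continue ;; esac
        if [ "$(normalize_mac "$known")" = "$mac" ]; then
            echo "$label"
            return 0
        fi
    done <<EOF
$KNOWN_GATEWAYS
EOF
    echo unknown
    return 1
}

# Live use on the laptop, with the command from the comment above:
#   classify_gateway "$(arp "$(netstat -nr | awk '/^default/ {print $2; exit}')")"

# Constructed sample lines in macOS arp format:
classify_gateway '? (192.168.1.1) at 0:1b:63:aa:b:cc on en0 ifscope [ethernet]' || true
classify_gateway '? (10.0.0.1) at 0:14:bf:9:8:7 on en1 ifscope [ethernet]' || true
classify_gateway '? (10.0.0.1) at (incomplete) on en1 ifscope [ethernet]' || true
```

An "unknown" result only means the gateway is not on the list, so every new network the owner joins will also trigger it.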
Some perl scripts to help track stolen computers
Authored by: baummer on Aug 30, '06 09:38:25AM

So...how does one use the screencapture command to email it to themselves?



[ Reply to This | # ]
Some perl scripts to help track stolen computers
Authored by: ctierney on Aug 30, '06 12:55:55PM

You need to base64 encode the picture and feed it to sendmail wrapped with the appropriate Content-blah blah headers.



[ Reply to This | # ]
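What the answer above describes, as an added example that is not part of the original comment: a function that wraps an image file in a MIME multipart message with a base64 attachment, ready to pipe to sendmail. The addresses, subject, file names and the `build_image_mail` name are placeholders; it assumes a `base64` command is available.

```sh
#!/bin/sh
# Added example (not code from the thread).

# build_image_mail FROM TO SUBJECT IMAGE -> complete message on stdout
build_image_mail() {
    from=$1 to=$2 subject=$3 image=$4
    [ -r "$image" ] || return 1
    name=$(basename "$image")
    case $name in
        *.png)        type=image/png ;;
        *.jpg|*.jpeg) type=image/jpeg ;;
        *)            type=application/octet-stream ;;
    esac
    # "=_" cannot occur in base64 output, so this boundary never collides
    # with the encoded attachment.
    boundary="=_capture_$$_$(date +%s)"
    cat <<EOF
From: $from
To: $to
Subject: $subject
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="$boundary"

--$boundary
Content-Type: text/plain; charset=us-ascii

Capture taken $(date -u '+%Y-%m-%d %H:%M:%S UTC')

--$boundary
Content-Type: $type; name="$name"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="$name"

EOF
    # MIME limits encoded lines to 76 characters; re-folding covers base64
    # implementations that do not wrap their output.
    base64 < "$image" | tr -d '\n' | fold -w 76
    printf '\n--%s--\n' "$boundary"
}

# Live use on the laptop (sendmail -t takes the recipient from the To: header):
#   screencapture -x /tmp/shot.png &&
#   build_image_mail me@example.com me@example.com 'screen capture' /tmp/shot.png |
#       /usr/sbin/sendmail -t

# Constructed sample: a few bytes standing in for a real capture.
sample_dir=$(mktemp -d)
printf '\211PNG\r\n\032\n(constructed bytes)' > "$sample_dir/shot.png"
build_image_mail laptop@example.com owner@example.com 'screen capture' \
    "$sample_dir/shot.png" || true
rm -rf "$sample_dir"
```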
Some perl scripts to help track stolen computers
Authored by: Jason Belec on Nov 15, '06 09:05:44AM

For those pesky firewall issues, set up Hamachi. Get all your systems to be part of your private secure network and you can do a lot.

However this thread and the one that led to it are wonderful ideas.



[ Reply to This | # ]
Some perl scripts to help track stolen computers
Authored by: yosithezet on Feb 03, '07 10:47:07PM

I'd love to see a simple way that this could check to see who is logged in and whether the screensaver is active. If the screensaver is active then I'd rather not send the picture.



[ Reply to This | # ]
problem and comment with Perl scripts
Authored by: edrush on Mar 20, '07 04:42:07PM
A problem and a comment: First, it seems to me that it would be useless to use one's main email account, because the thief would see it on the stolen computer, while the only way you would then see it is to check your ISP's Web-based mail site. Better, perhaps, is to set up a Yahoo (or other) account that does not automatically show up in your mail app.

Now the problem: When I tried to run ./get_IP.pl, I got this error:

Possible unintended interpolation of @mymail in string at ./get_IP.pl line 36.
Possible unintended interpolation of @mymail in string at ./get_IP.pl line 37.
Global symbol "@mymail" requires explicit package name at ./get_IP.pl line 36.
Global symbol "@mymail" requires explicit package name at ./get_IP.pl line 37.
Execution of ./get_IP.pl aborted due to compilation errors.

where my email addy is "ed@mymail.us." My script's punctuation is exactly as in the sample script.

[ Reply to This | # ]
a helper script to use with this
Authored by: delight1 on Jun 25, '07 08:31:29AM
because of my often bad connection, and a lack of getting perl to work, i wrote a unix script to only run these perl scripts if there is internet.

this keeps the mail queue clean, stops "blank" mail (no internet, no ip to send), and can cut down crontab entries.

#!/bin/bash

#grab the IPv4 address of each interface (the space is quoted instead of escaped with "\")
EN0=`ifconfig en0 2>/dev/null | grep 'inet ' | cut -d' ' -f2`
EN1=`ifconfig en1 2>/dev/null | grep 'inet ' | cut -d' ' -f2`

#checks if connected to router (either interface has an address)
if [ -n "$EN0" ] || [ -n "$EN1" ]; then
ping -c 1 www.google.com &> /dev/null
Exit_Status=$?
#checks if connected to interwebz
if [ "$Exit_Status" -eq 0 ]; then
/usr/local/sbin/get_ip
fi
fi
#end of script

to use this you would, of course, edit it to include the right scripts, and add it to the crontab ^_^

[ Reply to This | # ]