Re: [tor-bugs] #20348 [Metrics/Censorship analysis]: Kazakhstan blocking of vanilla Tor and obfs4, 2016-06
#20348: Kazakhstan blocking of vanilla Tor and obfs4, 2016-06
-----------------------------------------+--------------------------
Reporter: dcf | Owner:
Type: project | Status: reopened
Priority: Medium | Milestone:
Component: Metrics/Censorship analysis | Version:
Severity: Normal | Resolution:
Keywords: censorship block kz | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
-----------------------------------------+--------------------------
Comment (by dcf):
Replying to [comment:149 dcf]:
> Replying to [comment:145 dcf]:
> > Blocked sites are redirected to !http://92.63.88.128/?NTDzLZ, which in turn redirects to a nonexistent !http://90.263.11.193/.
>
> It's a combination of a "meta-refresh" redirect and a JavaScript redirect.
Using the [[attachment:grepsonar.go|grepsonar]] program, I found exactly
one server in the 20160830-http data set that had the same peculiar
combination of redirects: 178.208.91.128:80.
{{{
HTTP/1.1 200 OK\r\n
Server: nginx\r\n
Date: Tue, 30 Aug 2016 08:27:06 GMT\r\n
Content-Type: text/html; charset=utf-8\r\n
Content-Length: 378\r\n
Connection: close\r\n
Expires: Thu, 21 Jul 1977 07:30:00 GMT\r\n
Last-Modified: Tue, 30 Aug 2016 08:27:06 GMT\r\n
Cache-Control: max-age=0\r\n
Pragma: no-cache\r\n
\r\n
<html>\n
<head>\n
<meta http-equiv=\"REFRESH\" content=\"1;
URL='http://hookup48.com/rjbsbnntp/photo'\">\n
<script type=\"text/javascript\">window.location =
\"http://hookup48.com/rjbsbnntp/photo\";</script>\n
</head>\n
<body>\n
The Document has moved <a
href=\"http://hookup48.com/rjbsbnntp/photo\">here</a>\n
</body>\n
</html>
}}}
I would guess this server is redirecting to some malware or spam. In
common with the response from comment:149, it has `Expires: Thu, 21 Jul
1977 07:30:00 GMT`. (To be fair, there are lots of other servers with that
particular value of the header, that don't have the same peculiar
redirects.)
Today, the server is still serving redirects, but they look different
(note for example the time of `0` rather than `1` in the meta-refresh
redirect and `\r\n` rather than `\n` in the body).
{{{
HTTP/1.1 200 OK\r\n
Server: nginx\r\n
Date: Mon, 19 Dec 2016 05:52:10 GMT\r\n
Content-Type: text/html\r\n
Transfer-Encoding: chunked\r\n
Connection: keep-alive\r\n
\r\n
<html >\r\n
<head>\r\n
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">\r\n
<meta http-equiv="refresh" content="0;URL=http://aroma-
academy.biz/disk/">\r\n
</head> \r\n
<body>\r\n
<script language="javascript"
src="http://aromaacademy.e-autopay.com/hit.js"></script> \r\n
</body>\r\n
</html>\r\n
}}}
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20348#comment:169>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
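The comment above matches servers on a response that redirects both by meta-refresh and by a JavaScript `window.location` assignment to the same URL. The following is an added example of such a check, not the attached grepsonar program and not code from the ticket; the function and type names, the regular expressions and the placeholder hosts in the constructed samples are assumptions.

```go
package main

import (
	"bufio"
	"bytes"
	"fmt"
	"io"
	"net/http"
	"regexp"
)
// Constructed samples modelled on the two responses quoted above; hosts are placeholders.
const sampleAug = "HTTP/1.1 200 OK\r\nServer: nginx\r\nExpires: Thu, 21 Jul 1977 07:30:00 GMT\r\n\r\n" +
	"<html>\n<head>\n<meta http-equiv=\"REFRESH\" content=\"1; URL='http://a.example/x/photo'\">\n" +
	"<script type=\"text/javascript\">window.location = \"http://a.example/x/photo\";</script>\n</head>\n</html>"
const sampleDec = "HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n<html >\r\n<head>\r\n" +
	"<meta http-equiv=\"refresh\" content=\"0;URL=http://b.example/disk/\">\r\n</head> \r\n" +
	"<body>\r\n<script language=\"javascript\" src=\"http://c.example/hit.js\"></script> \r\n</body>\r\n</html>\r\n"
var (
	metaRe = regexp.MustCompile(`(?i)<meta\s+http-equiv=["']?refresh["']?\s+content=["']?\s*(\d+)\s*;\s*URL=['"]?([^'">\s]+)`)
	jsRe   = regexp.MustCompile(`(?i)window\.location(?:\.href)?\s*=\s*["']([^"']+)["']`)
)

// Finding describes a response that redirects by meta-refresh and by script to the same URL.
type Finding struct {
	Delay       string // seconds field of the meta-refresh
	Target      string // URL both redirects agree on
	Expires1977 bool   // weak corroboration only: many unrelated servers send this value
}

// Inspect parses one raw HTTP response and reports whether it carries the double redirect.
func Inspect(raw []byte) (Finding, bool) {
	resp, err := http.ReadResponse(bufio.NewReader(bytes.NewReader(raw)), nil)
	if err != nil {
		return Finding{}, false
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(io.LimitReader(resp.Body, 1<<20)) // keep partial bodies; scan data may be truncated
	m, j := metaRe.FindSubmatch(body), jsRe.FindSubmatch(body)
	if m == nil || j == nil || !bytes.Equal(m[2], j[1]) {
		return Finding{}, false
	}
	exp := resp.Header.Get("Expires") == "Thu, 21 Jul 1977 07:30:00 GMT"
	return Finding{Delay: string(m[1]), Target: string(m[2]), Expires1977: exp}, true
}

func main() {
	fmt.Println(Inspect([]byte(sampleAug)))
	fmt.Println(Inspect([]byte(sampleDec)))
}
```

The December-style sample does not match because its script redirect is loaded from an external file rather than assigned inline, which is the difference the comment points out.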