Results tagged “spam” from Just Another Hacker

Captcha reload and other attacks

This post has been sitting in draft state for almost two years now, so I figured I'd publish it. The captcha reload attack in particular targets captchas that support some form of user supplied input and change the captcha value in session upon image creation. In its simplest form the attack works like this:
  1. Attacker visits a page with a captcha (session has captcha value y)
  2. Attacker loads a targeted captcha URL which changes the value in the session (session has captcha value z)
  3. Attacker submits the form from step 1 with certainty, or an increased likelihood, of having the correct captcha due to step 2.
Better yet, let's discuss some real examples I have discovered during penetration tests.

User supplied text in captcha URL (http://domain.com/captcha/image.php?w=aZcG5x)
Captcha value = query string. I'm not going to discuss this one.

User supplied seed in captcha URL (http://domain.com/captcha/image.php?r=13323)
A known seed is as good as providing the captcha string in the URL. Once a human decodes the captcha message it will never change.

User supplied text in domain state in captcha URL (http://domain.com/captcha/image.php?t=HFG_UJHNB_jBHHJGSDJSMSAKDJGSJetcetc)
As above, if the session is updated. In the penetration test where I found this the session was not updated; however, the text can be used to identify known captcha text if a human decodes a few hundred captchas (they were only using 4 letters). In this case the attacker would reload the step 1 URL until a known domainstate string appears and submit the form with certainty of the captcha value.

User supplied complexity in captcha URL (http://domain.com/captcha/image.php?characters=3)
This one comes from an old copy of this script: http://www.white-hat-web-design.co.uk/blog/php-captcha-security-images/. By reloading the captcha, the captcha complexity could be reduced to 3 characters. This script also allowed you to increase the image size, which caused the letters to appear with far less obfuscation. Older versions of the script allowed you to lower the character count to 1 and allowed image sizes so large that you could remove the text obfuscation completely or cause a denial of service by generating very large images.
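To make the session-handling difference concrete, here is a small Python model (an added example, not code from the post or from the linked PHP script) of the two patterns: a captcha that re-rolls its session value on every image request and honours client-supplied `characters` and `r` parameters, beside a hardened one that mints the value once when the form is served, binds it to a form token, ignores the image URL's query string and consumes the value on the first check. Class and parameter names are my own.

```python
import random
import secrets
import string

ALPHABET = string.ascii_uppercase + string.digits


class VulnerableCaptcha:
    """The flawed pattern from the post: the image endpoint re-rolls the session
    value on every request and honours client-supplied parameters."""
    def __init__(self):
        self.session = {}  # stand-in for the server-side session store

    def image(self, params):
        n = int(params.get("characters", 6))    # client controls complexity
        seed = params.get("r")                   # client controls the seed
        rng = random.Random(seed) if seed else secrets.SystemRandom()
        self.session["captcha"] = "".join(rng.choice(ALPHABET) for _ in range(n))
        return self.session["captcha"]           # the text that would be drawn

    def check(self, answer):
        return answer.upper() == self.session.get("captcha")


class HardenedCaptcha:
    """Value minted once when the form is served, bound to a form token,
    independent of anything in the image URL, and consumed by the first check."""
    def __init__(self, length=6):
        self.length = length
        self.session = {}

    def render_form(self):
        token = secrets.token_urlsafe(16)
        value = "".join(secrets.choice(ALPHABET) for _ in range(self.length))
        self.session["captcha"] = {"token": token, "value": value}
        return token                             # goes into a hidden form field

    def image(self, params):
        # Query-string parameters are ignored: length, seed and size are fixed.
        entry = self.session.get("captcha")
        return entry["value"] if entry else ""

    def check(self, token, answer):
        entry = self.session.pop("captcha", None)  # single use, even on failure
        if entry is None or not isinstance(answer, str):
            return False
        token_ok = secrets.compare_digest(entry["token"].encode(), str(token).encode())
        value_ok = secrets.compare_digest(entry["value"].encode(), answer.upper().encode())
        return token_ok and value_ok
```

Reloading the hardened image endpoint with any parameters returns the same value that was fixed at form render, so a reload can neither shrink the search space nor pin the value to a known seed.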

Since the white hat web guys are kind enough to host a demo, I decided to make a video showing how the attack works:

More CPALead facebook abuse

[image: cpalead-like-spam-norsk.PNG]
It's not really surprising that these guys are still at it; I was however a little surprised to see that they have branched out into region specific apps and pages. Perhaps it helps avoid detection? The text in the image is Norwegian and translates to "Teenage mum arrested after having uploaded a disgusting video of her child" and "see the video".

Looks like fun, so we look behind the curtain.
linux:~$ GET http://tinlike.info/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US" xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<title>Tenåringsmamma fengslet etter å ha lastet opp motbydelig video av barnet sitt</title>
<meta name="description" content="Tenåringsmamma ble arrestert og satt i fengsel etter å ha lastet opp motbydelig video av sin to år gamle datter!"><meta property="og:site_name" content="Se videoen!"/>
<meta property="og:title" content="Tenåringsmamma fengslet etter å ha lastet opp motbydelig video av barnet sitt"/>
<meta property="og:url" content="http://tinlike.info/"/>
<meta property="og:image" content="http://i51.tinypic.com/716ako.jpg"/>
<meta property="og:description" content="Tenåringsmamma ble arrestert og satt i fengsel etter å ha lastet opp motbydelig video av sin to år gamle datter!"/>
<meta property="og:type" content="website" />
<meta property="fb:app_id" content="149463805092381"/>
<meta http-equiv="content-type" content="text/html; charset=UTF-8" />
<link href="/css/style.css" rel="stylesheet" type="text/css" />

</head>
<body>
<div id="fb-root"></div>
<script src="http://connect.facebook.net/en_US/all.js"></script>
<script type="text/javascript" src="jquery.js"></script>

    <div id="header2">
            <h1 class="h1pages" align="center">Tenåringsmamma fengslet etter å ha lastet opp motbydelig video av barnet sitt!</h1>
</div>
<div class="capwrap">
    <div class="grid2col">
        <div>
            <div style="width:920px"><div class="right" style="width:800px;margin-right:50px;">
            <center <img src="http://tinlike.info/images/2q1rwjk.jpg"> </center>
              </div>


              </div>
            <div class="left">
                          <div align="center">
                            <h1 style="color:#FF0000;">Tenåringsmamma ble arrestert og satt i fengsel etter å ha lastet opp motbydelig video av sin to år gamle datter!</h1>
                            <p><br>
                            Følg de <strong>enkle stegene</strong> nedenfor for å se videoen (det tar bare 10 sekunder!) </p>
                            <img src="http://i33.tinypic.com/2emfn0p.png">
<noscript>Please enable JavaScript in your browser to continue.</noscript>
                          </div>
                          <div id="step1" align="center"><div class="step">
                            <h2 class="h2page"s>Steg 1 - Klikk "Like"</h2>
                            <br>

        <div id="like">
                <fb:like font="lucida grande" width="350" show_faces="true" action="like"></fb:like>
        </div>

</div></div>
<div align="center"><div id="step2"><div class="step">
  <h2 class="h2page">Steg 2 - Klikk "Share"</h2>
<br>

        <div id="share">
                <input id="share-button" class="button" type="submit" style="width:100px" value="Share" onclick="share()" />
        </div>
        </div>

                <div id="step3">
                        <form id='fm-content' method="get" action='readko.php'>
                                <input name="hidden" type="hidden" value="hidden" />

                        </form>



</div></div></div>

                        </div></div>

<div class="clear"></div>
</div>
</div>
<div class="maincap bottom"></div>
</div>
<div id="footer-wrap">
           <div id="footer">
                   <p class="left"><script type="text/javascript" src="http://widgets.amung.us/small.js"></script><script type="text/javascript">WAU_small('bx2nllsfxm0a')</script></p><p style="float:right"></p>
         </div></div>

</body>
</html>

Yep, it's your typical "to see the video you must like and share this link" rubbish. Let's see what's behind door number two:
linux:~$ GET http://tinlike.info/readko.php
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<script type="text/javascript">var isloaded = false;</script><script type="text/javascript" src="http://www.cpalead.com/mygateway.php?pub=41457&gateid=MTM3MzQ4"></script><script type="text/javascript">if (!isloaded) { window.location = 'http://cpalead.com/adblock.php?pub=41457'; }</script><noscript><meta http-equiv="refresh" content="0;url=http://cpalead.com/nojava.php?pub=41457" /></noscript>
<title>Tenåringsmamma fengslet etter å ha lastet opp motbydelig video av barnet sitt!</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link href="/css/style.css" rel="stylesheet" type="text/css" />
</head>
<body>
    <div id="header2">
            <h1 class="h1pages" align="center">Tenåringsmamma fengslet etter å ha lastet opp motbydelig video av barnet sitt!</h1>
    </div>
<div class="capwrap">
    <div class="grid2col">
        <div>
<h1 style="color:#FF0000;">Er du nå klar til å se videoen?</h2>
                                        <h1>Etter at du har fullført vår spam/bot kontroll, klikk på knappen nedenfor for å se videoen.</h1>

                                </div>

                                <div id="step1">

                                <br><br><br><br><br><br>
                                <center><SCRIPT LANGUAGE="JavaScript">

var OpenWindow;
var windowprops = "toolbar=0,location=0,directories=0,status=0, " + "menubar=0,scrollbars=1,resizable=0,width=800,height=600";

function performProcess() {
OpenWindow = window.open("http://tinlike.info/videoo.html", "Videon!", windowprops);
document.yourFormName.submit();
}

</SCRIPT>


<button onClick="performProcess();" type="button"><font size="4">Se videoen!</font></button>

                </div></center>

                        </div>
<div class="clear"></div>
</div>
</div>
<div class="maincap bottom"></div>
</div>
<div id="footer-wrap">
           <div id="footer">
                   <p class="left"><script type="text/javascript" src="http://widgets.amung.us/tab.js"></script><script type="text/javascript">WAU_tab('bx2nllsfxm0a', 'left-middle')</script></p><p style="float:right"></p>
         </div></div>

</body>
And sure enough, CPALead rears its ugly head again. The interesting bits with this one were the use of the amung.us stat counter on both the bait page and the delivery page: they are now tracking their clickthrough performance. The use of Facebook markup to perform the like and share actions without showing up as a Facebook app in the news feed is also neat. I hope Facebook plugs this loophole; having apps be anonymous when posting to your wall is just bad news.

The moral of the story boys and girls is that if something "demands" that you click like on facebook you should absolutely NOT click, but rather report the app or page.

The reason behind the change is a simple one. They do not (currently) fudge NXDOMAIN responses the way OpenDNS does. This tends to break RBL queries; OpenDNS "solves" the problem by making exceptions for known RBLs. As you can see from this old discussion on the OpenDNS forums, this has been their policy for a long time.

The default RBL services used by the Movable Type spamlookup plugin are bsb.spamlookup.net and sc.surbl.org. I also use additional lookups such as stopforumspam, spamhaus and others. As a result I was constantly experiencing false positives for comments and trackbacks. Changing to Google solved all of these problems. If you are using niche RBLs with OpenDNS, I would recommend that you test them.

[OpenDNS]
$ host nopes.grrrr.bsb.spamlookup.net 208.67.222.222
nopes.grrrr.bsb.spamlookup.net	A	208.69.32.132
 !!! nopes.grrrr.bsb.spamlookup.net A record has zero ttl
$ host nopes.grrrr.bsb.empty.us 208.67.222.222
nopes.grrrr.bsb.empty.us	A	208.69.32.132
 !!! nopes.grrrr.bsb.empty.us A record has zero ttl
FAIL!

[Google]
$ host nopes.grrrr.bsb.spamlookup.net 8.8.8.8
nopes.grrrr.bsb.spamlookup.net does not exist at google-public-dns-a.google.com, try again
$ host nopes.grrrr.bsb.empty.us 8.8.8.8
nopes.grrrr.bsb.empty.us does not exist at google-public-dns-a.google.com, try again
WINNAR!

I have taken the liberty of reporting these two to OpenDNS as they are common for MT users; however, there are several other RBLs that I use which aren't covered by OpenDNS. By changing to Google Public DNS I don't have to put up with false positives. It also saves me the hassle of having to verify and "fix" RBLs every time I make changes.
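The test the post recommends can be automated: query a random label under the RBL zone that cannot exist (the `nopes.grrrr.*` trick above) and treat any answer as proof that the resolver rewrites NXDOMAIN, in which case no verdict from that RBL can be trusted. This is an added example, not the spamlookup plugin's code; `resolve` is a pluggable callable so it can be exercised against fake resolvers, and the default uses the system resolver through `socket`.

```python
import secrets
import socket


def system_resolve(name):
    """Resolve a name with the system resolver; [] means NXDOMAIN / no answer."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def reverse_octets(ip):
    """1.2.3.4 -> 4.3.2.1, the label order IP-based RBL zones expect."""
    return ".".join(reversed(ip.split(".")))


def resolver_fudges_nxdomain(zone, resolve=system_resolve):
    """Probe with a random label under the RBL zone, as the post does with
    nopes.grrrr.*: a sane resolver returns nothing, a redirecting one answers."""
    probe = f"nopes.{secrets.token_hex(4)}.{zone}"
    return bool(resolve(probe))


def rbl_lookup(ip, zone, resolve=system_resolve):
    """Return 'listed', 'clean' or 'resolver-fault' for ip against an RBL zone."""
    if resolver_fudges_nxdomain(zone, resolve):
        return "resolver-fault"          # every lookup would look like a hit
    answers = resolve(f"{reverse_octets(ip)}.{zone}")
    if not answers:
        return "clean"
    # RBLs signal listings with 127.0.0.0/8 return codes; any other address
    # (such as the 208.69.32.132 redirect in the post) is a resolver artefact.
    if all(a.startswith("127.") for a in answers):
        return "listed"
    return "resolver-fault"
```

Run `rbl_lookup` once per RBL at startup or from cron; a `resolver-fault` result is the signal to switch resolvers or ask the DNS provider for an exception, rather than letting every comment look listed.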

If you want to make the change you can find the details at: http://code.google.com/speed/public-dns/


I've always had to deal with it, and I don't find MT's spam modules to be very helpful in easing the pain of managing trackback spam. So I thought it might just be worth blocking some IPs. I did a little grep and, without any further ado, I present the numbers taken from 6 months' worth of Apache logs:

root@localhost# zgrep tb.cgi access.log* | awk '{print $1}' | sort | uniq -c | sort -n -r |head -25


Sometimes I wish I could easily group by CIDR on the CLI
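Grouping by CIDR is a few lines with the standard library, so here is an added Python equivalent of the `zgrep | awk | sort | uniq -c` pipeline above that buckets trackback hits per /24 (or any prefix length). This is my own example, not code from the post; the log lines are constructed samples in Apache combined format using documentation-range addresses, not the post's IPs.

```python
import collections
import ipaddress

# Constructed sample in Apache combined log format (documentation-range IPs).
SAMPLE_LOG = """\
198.51.100.7 - - [10/Mar/2010:08:01:02 +0000] "POST /mt/tb.cgi/12 HTTP/1.1" 200 310 "-" "Mozilla"
198.51.100.9 - - [10/Mar/2010:08:01:05 +0000] "POST /mt/tb.cgi/12 HTTP/1.1" 200 310 "-" "Mozilla"
198.51.100.44 - - [10/Mar/2010:08:02:11 +0000] "POST /mt/tb.cgi/7 HTTP/1.1" 403 211 "-" "Mozilla"
203.0.113.5 - - [10/Mar/2010:08:03:00 +0000] "POST /mt/tb.cgi/7 HTTP/1.1" 200 310 "-" "Mozilla"
203.0.113.5 - - [10/Mar/2010:08:03:30 +0000] "GET /mt/mt-comments.cgi HTTP/1.1" 200 1020 "-" "Mozilla"
not-an-ip - - [10/Mar/2010:08:04:00 +0000] "POST /mt/tb.cgi/7 HTTP/1.1" 200 310 "-" "Mozilla"
"""


def trackback_hits_by_prefix(lines, prefixlen=24, path="tb.cgi"):
    """Count requests to `path` per CIDR block, most active block first.

    Returns a list of (network, hits) tuples, e.g. [("198.51.100.0/24", 3), ...].
    """
    counts = collections.Counter()
    for line in lines:
        parts = line.split()
        # parts[6] is the request path in combined log format; skip other hits
        if len(parts) < 7 or path not in parts[6]:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed or non-IP client field
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        counts[str(net)] += 1
    return counts.most_common()


def top_blocks(text=SAMPLE_LOG, prefixlen=24, limit=25):
    """The post's pipeline, grouped by CIDR instead of by single address."""
    return trackback_hits_by_prefix(text.splitlines(), prefixlen)[:limit]


if __name__ == "__main__":
    for net, hits in top_blocks():
        print(f"{hits:6d} {net}")
```

Feed it real logs with `top_blocks(open("access.log").read())` or widen `prefixlen` to /16 to see whether the noise is one hoster or a few scattered boxes.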

Blocking another spammer

Most of the comment spam I receive on this blog was coming from within two IP ranges, both belonging to:
aut-num: AS44557
as-name: DRAGONARA
descr: Dragonara Alliance Ltd
import: from AS13030 action pref=100; accept ANY
export: to AS13030 announce AS44557
admin-c: AGAV2-RIPE
tech-c: AGAV2-RIPE
notify: tech@dragonara.net
mnt-by: DRAGONARA-MNT
mnt-routes: DRAGONARA-MNT
changed: hostmaster@ripe.net 20080205
source: RIPE

I have blocked them in my firewall and would recommend you do the same.