Since I've been getting a bunch of off-list requests for this I'll just
post it here too:
---
the basic concept of the "web bug" is this (i did not coin the name web
bug, i saw the name in some recent stupid zdnet story, but the technique is
as old as HTML): if you put an <img src=""> anywhere in an html page or html
email, that user's browser is going to make a request for whatever is in
the <img src=""> tag. if the src="http://x.x.x.x/something.cfm" you can
write whatever you want in the cfm file to do a reverse dns lookup (i
recommend the free cfx_nslookup tag) and log that data. it's the same
technique used for your standard "counter.cgi" which does some text file
processing and then spits back an image representing the number of hits. you
can spit back a transparent gif or an ad banner and nobody's the wiser,
unless of course they check your source and it's pointing to
"spyonthatbastard.cfm" etc. that's why when i do this, i use something
that looks like an ad banner service rather than a monitoring
service. make your url innocuous or otherwise unsuspicious.

there's another technique to cloak ip addresses using a straight decimal
representation of the four-byte code. i'll post a page for that one later.

here's my simple ad banner web bug that i wrote just for the purpose of
grabbing these guys' ip address. this version returned a neoplanet banner
gif. you'll need cfx_nslookup installed on your machine if you want it to
do the reverse dns lookup. also, you'll want to change the email
notification address to something else.
<!--- reverse dns via the cfx_nslookup custom tag; if the tag is not
      installed, cfcatch fills in a marker string instead. it is assumed,
      as in the original, that the tag returns its result in the
      variable nslookuphost --->
<cftry>
<cfx_nslookup iphost="#CGI.Remote_Addr#">
<cfcatch>
<cfset nslookuphost="cfx_nslookup not installed">
</cfcatch>
</cftry>
<!--- url.id tells one planted bug from another. it and cgi.http_referer
      come from the client, so treat the log as untrusted text --->
<cfparam name="url.id" default="NO_ID">
<!--- one tab-separated record per hit, built once and used for both the
      log file and the mail. the date/time masks use single quotes because
      they sit inside a double-quoted string --->
<cfset logline="#CGI.Remote_Addr##chr(9)##nslookuphost##chr(9)##dateformat(now(),'dd/mm/yyyy')# #timeformat(now(),'HH:mm:ss')##chr(9)##url.id##chr(9)##cgi.http_referer#">
<cffile action="APPEND" file="#expandpath('log.txt')#" output="#logline#"
addnewline="Yes">
<cfmail to="[EMAIL PROTECTED]" from="[EMAIL PROTECTED]"
subject="the ad banner speaks...">
#logline#
</cfmail>
<!--- send the banner so the recipient sees an ordinary ad image --->
<cfcontent type="image/gif" file="d:\r00t\ad\banners\neoplanet.gif"
deletefile="No">
---
of course, keep in mind that if they don't accept/render HTML email (I
personally disable HTML email by not using MS Outlook) then this won't
work. but most webmail services (in this case the guys used mail.com)
render HTML whether you want them to or not.
oh and as to how i got their email address, they put [EMAIL PROTECTED] on
their hack page.
--Brendan Avery / [EMAIL PROTECTED]
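[Editor's added example, not Brendan's code and not cfx_nslookup: the same
web bug as a small Python WSGI endpoint, so it can be run without a
ColdFusion server. It logs the same tab-separated fields (remote address,
reverse DNS, timestamp, url.id, Referer) and answers with a transparent
1x1 GIF instead of an ad banner. It also covers the "straight decimal"
IP cloaking mentioned above, which is just the four octets read as one
32-bit number (192.168.1.1 -> 3232235777). The function names, the
/ad/banner.cfm path and the sample request are my own inventions. One
thing the original does not do: url.id and the Referer are attacker-
supplied, so CR/LF/TAB are stripped before they go into the log, or the
"hacker" could forge extra log lines.]

```python
"""Web bug (tracking-pixel) endpoint: an added example in Python, not the
post's ColdFusion code. Function names and the sample inputs are assumed."""
import socket
import struct
from datetime import datetime, timezone
from urllib.parse import parse_qs, quote
from wsgiref.simple_server import make_server

# Smallest valid transparent 1x1 GIF (43 bytes): what a "counter.cgi"-style
# bug returns when it does not want to show anything.
TRANSPARENT_GIF = (
    b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
    b"!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00"
    b"\x02\x02D\x01\x00;"
)

LOG_FIELDS = ("ip", "host", "time", "id", "referer", "user_agent")


def ip_to_decimal(dotted: str) -> int:
    """Dotted quad -> one 32-bit decimal, e.g. 192.168.1.1 -> 3232235777.
    http://3232235777/ is the "straight decimal" cloaking the post mentions."""
    return struct.unpack("!I", socket.inet_aton(dotted))[0]


def web_bug_html(server_ip: str, tracking_id: str, path: str = "/ad/banner.cfm") -> str:
    """The <img> to drop into an HTML mail: an ad-looking path on a decimal host.
    tracking_id is URL-encoded so it cannot break out of the query string."""
    url = "http://%d%s?id=%s" % (ip_to_decimal(server_ip), path, quote(tracking_id, safe=""))
    return '<img src="%s" width="1" height="1" alt="">' % url


def reverse_dns(ip: str) -> str:
    """PTR lookup, the job cfx_nslookup does in the original."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # socket.herror / socket.gaierror are OSError subclasses
        return "unresolved"


def record_hit(environ, resolver=reverse_dns, now=None) -> dict:
    """Build one hit record from a WSGI environ (same fields as the post's log)."""
    ip = environ.get("REMOTE_ADDR", "")
    query = parse_qs(environ.get("QUERY_STRING", ""))
    stamp = now or datetime.now(timezone.utc)
    return {
        "ip": ip,
        "host": resolver(ip),
        "time": stamp.strftime("%d/%m/%Y %H:%M:%S"),
        "id": query.get("id", ["NO_ID"])[0],
        "referer": environ.get("HTTP_REFERER", ""),
        "user_agent": environ.get("HTTP_USER_AGENT", ""),
    }


def format_log_line(record: dict) -> str:
    """Tab-separated line. id, Referer and User-Agent are attacker-controlled,
    so CR, LF and TAB in them are replaced to stop forged extra lines/columns."""
    def clean(value: str) -> str:
        return "".join(" " if ch in "\r\n\t" else ch for ch in value)
    return "\t".join(clean(record[field]) for field in LOG_FIELDS)


def make_app(sink, resolver=reverse_dns):
    """WSGI app: log the hit through sink(line) and answer with the pixel."""
    def app(environ, start_response):
        sink(format_log_line(record_hit(environ, resolver)))
        start_response("200 OK", [
            ("Content-Type", "image/gif"),
            ("Content-Length", str(len(TRANSPARENT_GIF))),
            ("Cache-Control", "no-store"),  # every render should fetch again
        ])
        return [TRANSPARENT_GIF]
    return app


def file_sink(path: str):
    """Append one line per hit, like the original's <cffile action="APPEND">."""
    def write(line: str) -> None:
        with open(path, "a", encoding="utf-8") as fh:
            fh.write(line + "\n")
    return write


if __name__ == "__main__":
    # The tag to embed in the mail, then serve the pixel on port 8080.
    print(web_bug_html("192.0.2.10", "ticket-42"))
    with make_server("", 8080, make_app(file_sink("log.txt"))) as httpd:
        httpd.serve_forever()
```

Run it, mail someone a page containing the printed <img> tag, and each
render of that mail appends a line to log.txt. Cache-Control: no-store
matters more than it looks: without it a webmail proxy or browser cache
may serve the pixel locally on the second read and you only ever see the
first hit.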
At 04:49 PM 1/11/2001 -0500, you wrote:
> > Um no you can't.
> >
> > The buffer underrun abends the logging process.
>
>Oh sorry. I am not a network administrator, so I was under the impression
>that you could. Well then, where can I get this web bug you talk about and
>what exactly is a buffer underrun in a log (I've only heard of the term when
>burning CDs). Is there any way to prevent a buffer underrun?
>
>--=@ greg @=--
>----- Original Message -----
>From: "Brendan Avery" <[EMAIL PROTECTED]>
>To: "CF-Talk" <[EMAIL PROTECTED]>
>Sent: Thursday, January 11, 2001 4:35 PM
>Subject: Re: The +.htr bug strikes again
>
>
> > Um no you can't.
> >
> > The buffer underrun abends the logging process.
> >
> > -b][a-
> >
> > At 04:16 PM 1/11/2001 -0500, you wrote:
> > >You coulda just checked your logs and found their IP address that way
>too.
> > >
> > >--=@ greg @=--
> > >----- Original Message -----
> > >From: "Brendan Avery" <[EMAIL PROTECTED]>
> > >To: "CF-Talk" <[EMAIL PROTECTED]>
> > >Sent: Thursday, January 11, 2001 3:33 PM
> > >Subject: RE: The +.htr bug strikes again
> > >
> > >
> > > > we got hit with an /iisadmpwd/*.htr bug hack a couple of days ago on a
> > > > low-security machine.
> > > >
> > > > "prime suspectz ownz you" hack page.
> > > >
> > > > but i got their ADSL ip number after emailing them with a web bug.
> > > >
> > > > eeediots.
> > > >
> > > > --brendan avery / [EMAIL PROTECTED]
> > > >
> > > > At 03:14 PM 1/11/2001 -0500, you wrote:
> > > > >How does one test to see if the problem has been fixed?
> > > > >
> > > > >Won
> > > > >
> > > > >-----Original Message-----
> > > > >From: Zachary Bedell [mailto:[EMAIL PROTECTED]]
> > > > >Sent: Thursday, December 21, 2000 10:47 PM
> > > > >To: CF-Talk
> > > > >Subject: RE: The +.htr bug strikes again
> > > > >
> > > > >
> > > > > > Someone should probably make an official "checklist"
> > > > > > to run through when you setup a CF server.
> > > > >
> > > > >How about these additions to said checklist:
> > > > >
> > > > >In addition to removing the .htr mapping, also remove the mappings for
> > > > >any other extensions that you won't be using on that server.
> > > > >
> > > > >Like:
> > > > >htw -- unless you're using the WebHits highlighter
> > > > >ida, idq, htr, idc -- unless you're using old-style Index Server access
> > > > >asp, cer, cdx, asa -- unless you're also hosting ASP apps on that server
> > > > >shtm, shtml, stm -- unless you're using Server Side Include files
> > > > >printer -- WTF is this and why did IIS install it for Win2k?
> > > > >
> > > > >You could probably also yank the dbm extension unless you have REALLY old
> > > > >CF code lying around.
> > > > >
> > > > >Basically your goal is to DISABLE any functionality of your server that
> > > > >you're not currently using. The less junk you have running on the server,
> > > > >the less chance someone will find a bug in part of the server you didn't
> > > > >even know was there.
> > > > >
> > > > >Granted, there's a fine and arcane art to disabling just the right things
> > > > >without breaking any part of your server. You'd be best to play on a
> > > > >production server that you can afford to trash & reinstall a few times if
> > > > >need be. Certainly, though, deleting extensions for file types not used in
> > > > >your sites (or your customer's sites for webhosts) is completely safe and
> > > > >a good idea in general.
> > > > >
> > > > >Best regards,
> > > > >Zac Bedell
> > > > >
> > > >
> > >
> >
>
Archives: http://www.mail-archive.com/[email protected]/