That's been happening for years tho lol. In this case, the botters were trying to use the join pages as a cc checker lol.
On Wed, Apr 13, 2011 at 3:50 PM, Christian Sciberras <[email protected]>wrote: > Is it me or are spammers recruiting more script kiddies as of late? > Not much of a big deal considering their numbers are on the rise...*ahem* > anonymous *ahem*. > > Chris. > > > > > On Wed, Apr 13, 2011 at 4:47 PM, Cal Leeming <[email protected]> wrote: > >> Well, the problem was the person(s) running the bots kept bypassing the >> simple protections such as these. Although it isn't 100% fool proof, it does >> make things *extremely* difficult for the person(s) with the bots, so much >> so, that they usually give up, unless they have specifically targeted you >> for some reason. >> >> So, instead we created hundreds of these little JS chunks, all with >> different lookup tables applied, and cycled them on an hourly basis. It >> meant if they wanted to continuously bot the service, they would have to de >> obfuscate the protection code, or find a mathmatical/bruteforce attack that >> would generate the seedkey for them. It would either involve manual >> intervention or code modification on the bot to make it work.. I'd >> have preferred to have added captcha, but there was a reasonable explanation >> as to why the client didn't want it. >> >> Either way, once we put this in, they gave up pretty quickly lol. >> >> >> On Wed, Apr 13, 2011 at 3:29 PM, Christian Sciberras >> <[email protected]>wrote: >> >>> Cal /Ryan, >>> >>> I'm not sure what you're trying to achieve. >>> If we're talking about absolutely stupid bots, the following easily >>> defeats them: >>> <form> >>> <stuff/> >>> <script type=text/javascript>document.write('<input type="hidden" >>> name="access" value="code"/>');</script> >>> <form> >>> >>> I suppose you could obfuscate it all if you wanted to cater for script >>> kiddies. >>> But considering this is very weak protection (as opposed to proper >>> captcha), I'm not sure if it's even worthwhile. >>> One of the ways I can see this work is against automated, "JS-ignorant", >>> MITM systems. >>> >>> As indeed is true, you should never trust the end user. >>> But in a MITM scenario, the user we're not trusting is the one conducting >>> the attack, not the other. >>> >>> Chris. >>> >>> >>> >>> On Wed, Apr 13, 2011 at 1:07 PM, Cal Leeming <[email protected]>wrote: >>> >>>> Lol, I've just realised something.. I didn't include the seed key >>>> variable itself, so this code would have been pretty much useless on it own >>>> *DOH*. >>>> >>>> So, here's something else a bit tasty.. this is the server side code >>>> used to check and create the seedkey itself (secret lookup table has been >>>> changed obv.). >>>> >>>> This code allows seedkeys to be generated from epoch time. Now, >>>> cryptographically I don't know how "sane" this is, but I'm fairly sure that >>>> if the lookup table contained large integers it would become almost >>>> impossible to do a pattern based brute force. I actually had quite a lot of >>>> fun trying to break my own code. :D >>>> >>>> PS) you have been awarded 1 internets. >>>> >>>> >>>> function get_valid_keys() { >>>> // Create key store >>>> $_s = array(); >>>> >>>> // Create valid key ranges (+900 seconds) >>>> for($x=300;$x>=900;$x+=300): >>>> $_s[] = $this->create_key($offset=$x); >>>> endfor; >>>> >>>> // Create valid key ranges (-900 seconds) >>>> for($x=300;$x>=-900;$x-=300): >>>> $_s[] = $this->create_key($offset=$x); >>>> endfor; >>>> >>>> $_s[] = $this->create_key(); >>>> >>>> return $_s; >>>> } >>>> >>>> function create_packed_key() { >>>> // Create a new valid key >>>> $key = $this->create_key(); >>>> >>>> // Now generate the packed key >>>> $k = array(); >>>> // Now convert it into an array >>>> for($x=0;$x<strlen($key);$x++): >>>> $_v = unpack("H*", $key[$x]); >>>> $k[]='\x'.$_v[1]; >>>> endfor; >>>> >>>> // Okay, here is your brand new shiney key, sir :) >>>> $m = '"'.implode('","', $k).'"'; >>>> $m = strrev($m); >>>> $_m = array(); >>>> for($x=0;$x<strlen($m);$x++): >>>> $_m[]=$m[$x]; >>>> endfor; >>>> return json_encode(implode("ZPAK", $_m)); >>>> } >>>> >>>> function create_key($offset=0) { >>>> // Secret key table, used to mix up the seed >>>> $enc = array( >>>> 0 => "67892", >>>> 1 => "3953", >>>> 2 => "49474", >>>> 3 => "494755", >>>> 4 => "30585", >>>> 5 => "30582", >>>> 6 => "20485", >>>> 7 => "20486", >>>> 8 => "97294", >>>> 9 => "10284" >>>> ); >>>> >>>> // Generate new seed >>>> $time = time(); >>>> if ($offset): >>>> $time=$time+$offset; >>>> endif; >>>> $c=(int)($time/$this->_security_key_refresh); >>>> $_c = "$c"; >>>> >>>> // Extract the last 5 digits of the number >>>> $char1 = substr($_c, strlen($c)-1, 1); >>>> $char2 = substr($_c, strlen($c)-2, 1); >>>> $char3 = substr($_c, strlen($c)-3, 1); >>>> $char4 = substr($_c, strlen($c)-4, 1); >>>> $char5 = substr($_c, strlen($c)-5, 1); >>>> >>>> // Lookup the modifier from the secret key table >>>> $mt1 = $enc[$char1]; >>>> $mt2 = $enc[$char2]; >>>> $mt3 = $enc[$char3]; >>>> $mt4 = $enc[$char4]; >>>> $mt5 = $enc[$char5]; >>>> >>>> // Generate a new key, based on the modifiers >>>> $key = round((($c+$mt1) + ($c+$mt2) + ($c+$mt3) + ($c+$mt4) + >>>> ($c+$mt5))/256); >>>> $key = "$key"; >>>> return $key; >>>> } >>>> >>>> >>>> >>>> >>>> >>>> On Wed, Apr 13, 2011 at 3:56 AM, Ryan Sears <[email protected]> wrote: >>>> >>>>> Me thinks I may have it right (mostly)... >>>>> >>>>> It seems to be some jquery to append a hidden input element to the >>>>> "theform" id (presumably a form on the page ;) ) called "seedkey", and >>>>> has a >>>>> value of whatever t is evaluated to (which I'm still stuck on as I don't >>>>> know jquery much at all, so I can't figure out the s[] array, but I know >>>>> it >>>>> has something to do with the bracket notation...). >>>>> >>>>> ================================================= >>>>> += Orig =+ >>>>> $(function () { >>>>> var _0xafd3 = ["\x74\x20\x3D\x20\x22", "", "\x6A\x6F\x69\x6E", >>>>> "\x72\x65\x76\x65\x72\x73\x65", "\x73\x70\x6C\x69\x74", >>>>> "\x72\x65\x70\x6C\x61\x63\x65", "\x22"]; >>>>> >>>>> eval(_0xafd3[0] + s[_0xafd3[5]](/ZPAK/gi, >>>>> _0xafd3[1])[_0xafd3[5]](/\",\"/gi, _0xafd3[1])[_0xafd3[5]](/\"/gi, >>>>> _0xafd3[1])[_0xafd3[4]](_0xafd3[1])[_0xafd3[3]]()[_0xafd3[2]](_0xafd3[1]) >>>>> + >>>>> _0xafd3[6]); >>>>> var _0x5bfa = ["\x3C\x69\x6E\x70\x75\x74\x20\x2F\x3E", >>>>> "\x74\x79\x70\x65", "\x68\x69\x64\x64\x65\x6E", "\x61\x74\x74\x72", >>>>> "\x6E\x61\x6D\x65", "\x73\x65\x65\x64\x6B\x65\x79", >>>>> "\x76\x61\x6C\x75\x65", >>>>> "\x61\x70\x70\x65\x6E\x64", "\x23\x74\x68\x65\x66\x6F\x72\x6D"]; >>>>> _n = $(_0x5bfa[0]); >>>>> _n[_0x5bfa[3]](_0x5bfa[1], _0x5bfa[2]); >>>>> _n[_0x5bfa[3]](_0x5bfa[4], _0x5bfa[5]); >>>>> _n[_0x5bfa[3]](_0x5bfa[6], t); >>>>> $(_0x5bfa[8])[_0x5bfa[7]](_n); >>>>> }); >>>>> >>>>> += De-obfuscated =+ >>>>> $(function () { >>>>> var _0xafd3 = ['t = "', '', 'join', 'reverse', 'split', >>>>> 'replace', '"']; >>>>> var _0x5bfa = ['<input />', 'type', 'hidden', 'attr', 'name', >>>>> 'seedkey', 'value', 'append', '#theform']; >>>>> >>>>> eval('t = "' + s['replace'](/ZPAK/gi, '')['replace'](/\",\"/gi, >>>>> '')['replace'](/\"/gi, '')['split']('')['reverse']()['join']('') + '"'); >>>>> >>>>> _n = $('<input />'); >>>>> _n['attr']('type', 'hidden'); >>>>> _n['attr']('name', 'seedkey'); >>>>> _n['attr']('value', t); >>>>> $('#theform')['append'](_n); >>>>> }); >>>>> >>>>> ================================================= >>>>> >>>>> Fun stuffs. I can haz a internetz? :-P >>>>> >>>>> Ryan >>>>> >>>>> >>>>> ----- Original Message ----- >>>>> From: "Cal Leeming" <[email protected]> >>>>> To: [email protected] >>>>> Sent: Tuesday, April 12, 2011 5:28:22 PM GMT -05:00 US/Canada Eastern >>>>> Subject: [Full-disclosure] guess what this does.. >>>>> >>>>> $(function() { >>>>> var >>>>> >>>>> _0xafd3=["\x74\x20\x3D\x20\x22","","\x6A\x6F\x69\x6E","\x72\x65\x76\x65\x72\x73\x65","\x73\x70\x6C\x69\x74","\x72\x65\x70\x6C\x61\x63\x65","\x22"];eval(_0xafd3[0]+s[_0xafd3[5]](/ZPAK/gi,_0xafd3[1])[_0xafd3[5]](/\",\"/gi,_0xafd3[1])[_0xafd3[5]](/\"/gi,_0xafd3[1])[_0xafd3[4]](_0xafd3[1])[_0xafd3[3]]()[_0xafd3[2]](_0xafd3[1])+_0xafd3[6]); >>>>> var >>>>> >>>>> _0x5bfa=["\x3C\x69\x6E\x70\x75\x74\x20\x2F\x3E","\x74\x79\x70\x65","\x68\x69\x64\x64\x65\x6E","\x61\x74\x74\x72","\x6E\x61\x6D\x65","\x73\x65\x65\x64\x6B\x65\x79","\x76\x61\x6C\x75\x65","\x61\x70\x70\x65\x6E\x64","\x23\x74\x68\x65\x66\x6F\x72\x6D"];_n=$(_0x5bfa[0]);_n[_0x5bfa[3]](_0x5bfa[1],_0x5bfa[2]);_n[_0x5bfa[3]](_0x5bfa[4],_0x5bfa[5]);_n[_0x5bfa[3]](_0x5bfa[6],t);$(_0x5bfa[8])[_0x5bfa[7]](_n); >>>>> }); >>>>> >>>>> enjoy ;p >>>>> >>>>> ps) yes I obfuscated this, and no it doesn't contain any nasties. >>>>> >>>>> _______________________________________________ >>>>> Full-Disclosure - We believe in it. >>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >>>>> Hosted and sponsored by Secunia - http://secunia.com/ >>>>> >>>> >>>> >>>> _______________________________________________ >>>> Full-Disclosure - We believe in it. >>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >>>> Hosted and sponsored by Secunia - http://secunia.com/ >>>> >>> >>> >> >
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
