A Little Bit of Everything
I want to finish this chapter with an example that combines redirection, cookies, PHP scripting, and some intuition on my part regarding their URLs.
The original email contained the link http://ylnif.raoy.com/r/vron/owepre.cfm. At face value, the .cfm suffix suggests that this is a Cold Fusion script, but this was clearly another example of replica watch spam, and I already knew they weren't using anything that fancy. In addition, the term vron had appeared several times before in the URLs. Clicking on the link took me to the primary web site as expected.
Working on the hunch that the owepre.cfm filename was irrelevant, I tried the shortened URL http://ylnif.raoy.com/r/vron/ and that worked just as well. That implied that some script, or Apache directive, on the http://raoy.com server was stripping down the URL before redirection. After a little more experimentation, I realized that vron was the name of an affiliate of the replica watch site, and the process of redirection also created a cookie containing that name on the system of the person visiting the site.
This set of headers shows how the whole process worked. In order to test out my hypothesis, I replaced vron with the name foobar and even simplified the hostname of the intermediary server. The URL I passed to wget was http://raoy.com/r/foobar.
Connecting to raoy.com[222.223.134.66]:80... connected.
[...]
HTTP/1.1 302 Found
Date: Wed, 12 Jan 2005 20:04:02 GMT
Server: Apache/1.3.33 (Unix) PHP/4.3.9
...
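As an added illustration that is not part of the book, the following Python helper performs the check described above mechanically: it parses a captured redirect response, pulls out the Location and Set-Cookie headers, and flags when a cookie value echoes a path segment of the request URL (the affiliate name). The sample response is constructed; its Set-Cookie and Location values are assumptions, since the book's listing is truncated before those headers.

```python
from urllib.parse import urlsplit, unquote

# Constructed sample modelled on the 302 response quoted in the chapter.
# The Set-Cookie and Location values are assumptions (the book's listing is
# truncated before those headers), not the actual captured values.
SAMPLE_REQUEST_URL = "http://raoy.com/r/foobar"
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Date: Wed, 12 Jan 2005 20:04:02 GMT\r\n"
    "Server: Apache/1.3.33 (Unix) PHP/4.3.9\r\n"
    "Set-Cookie: affiliate=foobar; path=/; expires=Thu, 12-Jan-2006 20:04:02 GMT\r\n"
    "Location: http://primary-site.example/\r\n"
    "\r\n"
)

def parse_response_headers(raw):
    """Split a raw HTTP response into (status_code, [(name, value), ...]); repeated names are kept."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers

def cookie_values(headers):
    """Map cookie name -> value from every Set-Cookie header, dropping attributes such as path."""
    cookies = {}
    for name, value in headers:
        if name == "set-cookie":
            k, _, v = value.split(";", 1)[0].partition("=")
            cookies[k.strip()] = unquote(v.strip())
    return cookies

def analyze_redirect(request_url, raw_response):
    """Flag a redirect whose Set-Cookie echoes a path segment of the request URL (the affiliate name)."""
    status, headers = parse_response_headers(raw_response)
    location = next((v for n, v in headers if n == "location"), None)
    cookies = cookie_values(headers)
    # Path segments of the request, e.g. {"r", "foobar"}; exact match avoids one-letter false hits.
    segments = {s.lower() for s in urlsplit(request_url).path.split("/") if s}
    reflected = {k: v for k, v in cookies.items() if v.lower() in segments}
    return {
        "status": status,
        "location": location,
        "cookies": cookies,
        "reflected": reflected,
        "is_affiliate_redirect": 300 <= status < 400 and bool(location) and bool(reflected),
    }
```

Running analyze_redirect(SAMPLE_REQUEST_URL, SAMPLE_RESPONSE) reports the affiliate cookie and the redirect target together, which is the pair of facts the manual experiment above was designed to establish.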