A Little Bit of Everything

I want to finish this chapter with an example that combines redirection, cookies, PHP scripting, and some intuition on my part regarding their URLs.

The original email contained the link http://ylnif.raoy.com/r/vron/owepre.cfm. At face value, the .cfm suffix suggests that this is a ColdFusion script, but this was clearly another example of replica watch spam, and I already knew they weren't using anything that fancy. In addition, the term vron had appeared several times before in the URLs. Clicking on the link took me to the primary web site as expected.

Working on the hunch that the owepre.cfm filename was irrelevant, I tried the shortened URL http://ylnif.raoy.com/r/vron/ and that worked just as well. That implied that some script, or Apache directive, on the http://raoy.com server was stripping down the URL before redirection. After a little more experimentation, I realized that vron was the name of an affiliate of the replica watch site, and the process of redirection also created a cookie containing that name on the system of the person visiting the site.

This set of headers shows how the whole process worked. In order to test out my hypothesis, I replaced vron with the name foobar and even simplified the hostname of the intermediary server. The URL I passed to wget was http://raoy.com/r/foobar.

    Connecting to raoy.com[222.223.134.66]:80... connected.
    [...]
    HTTP/1.1 302 Found
    Date: Wed, 12 Jan 2005 20:04:02 GMT
    Server: Apache/1.3.33 (Unix) PHP/4.3.9
    ...
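To make this kind of hop-by-hop inspection repeatable, here is an added Python example (not code from the book): it requests a URL without following redirects, as the wget dump above does, and records for each hop the status, the cookies set and the Location it points at. The embedded sample response is constructed from the headers shown above; the cookie name `affiliate` and the Location target are assumptions, not values from the book.

```python
import http.client
from urllib.parse import urlsplit, urljoin

# Constructed sample modelled on the wget dump above. The cookie name
# "affiliate" and the Location target are assumptions, not from the book.
SAMPLE_HOP = (
    b"HTTP/1.1 302 Found\r\n"
    b"Server: Apache/1.3.33 (Unix) PHP/4.3.9\r\n"
    b"Set-Cookie: affiliate=foobar; path=/\r\n"
    b"Location: http://www.example.com/\r\n\r\n"
)

def parse_raw(raw):
    """Split a raw response head into (status, [(name, value), ...])."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    status = int(head[0].split(" ", 2)[1])
    headers = [tuple(s.strip() for s in ln.split(":", 1)) for ln in head[1:] if ":" in ln]
    return status, headers

def describe_hop(url, status, headers):
    """Summarise one hop: the cookies it sets and where it sends the client."""
    cookies, location = {}, None
    for name, value in headers:
        if name.lower() == "set-cookie":  # first attribute is the cookie itself
            k, _, v = value.split(";", 1)[0].partition("=")
            cookies[k.strip()] = v.strip()
        elif name.lower() == "location":
            location = urljoin(url, value.strip())
    return {"url": url, "status": status, "cookies": cookies, "next": location}

def live_fetch(url):
    """One GET with redirects not followed (http.client never follows them)."""
    p = urlsplit(url)
    conn = http.client.HTTPConnection(p.hostname, p.port or 80, timeout=15)
    conn.request("GET", p.path or "/", headers={"Host": p.netloc})
    resp = conn.getresponse()
    return resp.status, resp.getheaders()

def trace(url, fetch=live_fetch, max_hops=5):
    """Walk a redirect chain hop by hop; stop at the first non-3xx response."""
    hops = []
    while url and len(hops) < max_hops:
        status, headers = fetch(url)
        hop = describe_hop(url, status, headers)
        hops.append(hop)
        url = hop["next"] if 300 <= status < 400 else None
    return hops
```

Passing a different `fetch` callable to `trace` (for instance one that replays captured responses) lets the chain be analysed offline from saved headers.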
