Dailydave mailing list archives
Re: ndr.py and sarah palin
From: "Dave Korn" <dave.korn () artimi com>
Date: Wed, 17 Sep 2008 19:30:43 +0100
Dave Aitel wrote on 17 September 2008 18:44:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

http://wikileaks.org/wiki/Sarah_Palin_Yahoo_inbox_2008
From that page:

"Nb. The 'ctunnel.com' reference in the browser screen shots is to a proxy service used to prevent the activists from being traced."

That intrigued me, so I browsed to ctunnel.com. Not being the default-script-running type, I got a blank page, except for the html title "Ctunnel.com will protect your anonymity on the internet, helping you evade url and ip filters!". So I looked at the source, and it's full of stuff like ....

<script type='text/javascript'>
var myArray=new Array();
myArray[0] = '%0n%0n%0n%0n%0n<Oe><oe>%0n%0n<gnoyr jvqgu=65%25><gq><gnoyr jvqgu=100%25 otpbybe=qqqqqq pryycnqqvat=3><gq>%0n<n uers=%22uggcf://jjj.Pghaary.pbz%22>Ranoyr FFY Rapelcgvba</n><oe>%0n%0n<sbez anzr=%22ybtva%22 npgvba=%22uggc://pghaary.pbz/vaqrk.cuc/1010110N/20099p53o71244739q9oqr36531890 0%22 zrgubq=cbfg>%0n<vachg anzr=%22hfreanzr%22 fvmr=66 inyhr=%22uggc://jjj.LbhGhor.pbz%22><vachg glcr=fhozvg inyhr=%22 Ortva Oebjfvat %22><Oe>%0nVafgnag Zrffratref: <n uers=%22uggc://pghaary.pbz/vaqrk.cuc/1010110N/30509851s71q4n2op08nqq3143444040 717794pop324pr5sn1ns7q684op792410s2618900%22>Zfa</n> <n uers=%22uggc://pghaary.pbz/vaqrk.cuc/1010110N/30509851s71q4n2op08nqq3143444040 717794pop324pr5sn1ns7q6451p492410s2618900%22>NVZ</n> <n uers=%22uggc://pghaary.pbz/vaqrk.cuc/1010110N/30509851s71q4n2op08nqq3143444040 717794pop324pr5sn1ns7q7p59p1q35r4926o39r18900%22>Lnubb</n> <n uers=%

Now. I haven't decoded and read this yet, but I recognise that XYYZ:// pattern anywhere. So let me see if I've guessed this right: it's a proxy that rewrites all your URLs in rot-13? And this is supposed to "protect your anonymity"?

Those activists are screwed. They better get out of the country PDQ.

Pardon me, but I'll be sticking with proper mix chains for now.

Oh, and TRWTF? The decoder function is pretty FAIL:

function base64(src) {
  var dst=new String('') ;
  var len=src.length ;
  var b ;
  var t=new String('') ;
  if(len > 0) {
    for(var ctr=0; ctr<len ; ctr++) {
      b=src.charCodeAt(ctr);
      if( ( (b>64) && (b<78) ) || ( (b>96) && (b<110) ) ) {
        b=b+13;
      } else {
        if( ( (b>77) && (b<91) ) || ( (b>109) && (b<123) ) ) {
          b=b-13;
        }
      }
      t=String.fromCharCode(b) ;
      dst=dst.concat(t) ;
    }
  }
  return dst;
}

    cheers,
      DaveK
--
Can't think of a witty .sigline today....

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
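Added example, not part of the original post and not the site's code: a JavaScript sketch of how a URL filter or log rule could match the "uggc://" signature and recover the real destinations from markup like the sample quoted in the message. The function names and the shortened sample are constructed here, and the decode order (ROT13, then percent-unescape) is an assumption inferred from the "%0n" sequences in the quoted source.

```javascript
// ROT13 over ASCII letters only; digits, '%', ':' and '/' pass through,
// which is why the "uggc://" shape of "http://" stays recognisable.
function rot13(text) {
  return text.replace(/[A-Za-z]/g, (ch) => {
    const base = ch <= 'Z' ? 65 : 97;
    return String.fromCharCode(((ch.charCodeAt(0) - base + 13) % 26) + base);
  });
}

// Assumption: the markup was percent-escaped first and ROT13'd second, so
// hex digits a-f arrive as n-s ("%0n" is "%0a"). Undo in reverse order.
// Only well-formed %XX escapes are decoded, so a truncated capture
// (a trailing "%") cannot throw the way decodeURIComponent would.
function deobfuscate(encoded) {
  return rot13(encoded).replace(/%([0-9A-Fa-f]{2})/g,
    (_, hex) => String.fromCharCode(parseInt(hex, 16)));
}

// Cheap signature a filter or proxy-log rule can match without decoding.
function looksRot13Url(source) {
  return /uggcf?:\/\//i.test(source);
}

// Recover every destination URL hidden in an obfuscated fragment.
function extractUrls(encoded) {
  if (!looksRot13Url(encoded)) return [];
  return deobfuscate(encoded).match(/https?:\/\/[^\s"'<>]+/gi) || [];
}

// Constructed sample: a short excerpt of the markup quoted in the post,
// cut off mid-attribute like the original quote.
const SAMPLE =
  "%0n<n uers=%22uggcf://jjj.Pghaary.pbz%22>Ranoyr FFY Rapelcgvba</n><oe>" +
  "%0n<vachg anzr=%22hfreanzr%22 fvmr=66 " +
  "inyhr=%22uggc://jjj.LbhGhor.pbz%22><n uers=%";

console.log(extractUrls(SAMPLE));
```

Because the substitution is keyless, anything on the path that sees the page or the request can run the same two steps.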