fake player||fake mise à jour ...

par **angelique** » 08 sept. 2014 15:57

Ola \o_

Lol impossible de reproduire , ça me l'a fait qu'une seule fois en me rendant sur http://www.20minutes.fr/

Sous Debian avec IceѠeasel + adblock + NoScript ..... chelou même avec ces 2 plugins -_-

par **angelique** » 08 sept. 2014 17:32

trouvé

, mais ça marche que 1 fois , faut changer d'ipette pour que ça refonctionne

httpx://20minuts.fr

en video ça donne ça , marrant > meme NoScript empeche pas la redirection

http://angelik.altervista.org/angelique/angel.ogv

par **Malekal_morte** » 08 sept. 2014 17:54

chef · par **chef** » 08 sept. 2014 17:55

bonsoir,
alors sur windows assez marrant

Sans titre.png

Sans titre1.png

et pareil rien ne bronche :

Sans titre3.png

et pour virustotal tous est normal !!
https://www.virustotal.com/fr/url/90a2d ... 410191568/

par **angelique** » 08 sept. 2014 17:59

je remonte tout ça à une tête voir ....

par **angelique** » 08 sept. 2014 18:34

Code : Tout sélectionner


root@debian:/home/angel# tcpdump -i eth1 -v
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
18:20:35.711053 IP (tos 0x0, ttl 64, id 51889, offset 0, flags [DF], proto UDP (17), length 57)
    debian.local.55921 > resolver2.opendns.com.domain: 31284+ A? 20minuts.fr. (29)
18:20:35.711083 IP (tos 0x0, ttl 64, id 51890, offset 0, flags [DF], proto UDP (17), length 57)
    debian.local.55921 > resolver2.opendns.com.domain: 22640+ AAAA? 20minuts.fr. (29)
18:20:35.711855 IP (tos 0x0, ttl 64, id 51891, offset 0, flags [DF], proto UDP (17), length 73)
    debian.local.35649 > resolver2.opendns.com.domain: 31153+ PTR? 220.220.67.208.in-addr.arpa. (45)
18:20:35.734619 IP (tos 0x0, ttl 54, id 0, offset 0, flags [DF], proto UDP (17), length 73)
    resolver2.opendns.com.domain > debian.local.55921: 31284 1/0/0 20minuts.fr. A 209.15.13.134 (45)
18:20:35.737040 IP (tos 0x0, ttl 54, id 0, offset 0, flags [DF], proto UDP (17), length 108)
    resolver2.opendns.com.domain > debian.local.35649: 31153 1/0/0 220.220.67.208.in-addr.arpa. PTR resolver2.opendns.com. (80)
18:20:35.737318 IP (tos 0x0, ttl 64, id 51892, offset 0, flags [DF], proto UDP (17), length 70)
    debian.local.47461 > resolver2.opendns.com.domain: 25289+ PTR? 3.0.168.192.in-addr.arpa. (42)
18:20:35.760563 IP (tos 0x0, ttl 54, id 0, offset 0, flags [DF], proto UDP (17), length 129)
    resolver2.opendns.com.domain > debian.local.47461: 25289* 0/1/0 (101)
18:20:35.891091 IP (tos 0x0, ttl 54, id 0, offset 0, flags [DF], proto UDP (17), length 125)
    resolver2.opendns.com.domain > debian.local.55921: 22640 0/1/0 (97)
18:20:35.904934 IP (tos 0x0, ttl 64, id 61765, offset 0, flags [DF], proto TCP (6), length 60)
    debian.local.60831 > 209.15.13.134.http: Flags [S], cksum 0x9f6f (incorrect -> 0x0826), seq 1882893642, win 14600, options [mss 1460,sackOK,TS val 1072143 ecr 0,nop,wscale 4], length 0
18:20:35.905205 IP (tos 0x0, ttl 64, id 51893, offset 0, flags [DF], proto UDP (17), length 72)
    debian.local.45562 > resolver2.opendns.com.domain: 16717+ PTR? 134.13.15.209.in-addr.arpa. (44)
18:20:35.930005 IP (tos 0x0, ttl 54, id 0, offset 0, flags [DF], proto UDP (17), length 72)
    resolver2.opendns.com.domain > debian.local.45562: 16717 NXDomain 0/0/0 (44)
18:20:36.030691 IP6 (hlim 255, next-header UDP (17) payload length: 52) fe80::20e:2eff:fecb:a008.mdns > ff02::fb.mdns: [udp sum ok] 0 PTR (QM)? 134.13.15.209.in-addr.arpa. (44)
18:20:36.030770 IP (tos 0x0, ttl 255, id 32203, offset 0, flags [DF], proto UDP (17), length 72)
    debian.local.mdns > 224.0.0.251.mdns: 0 PTR (QM)? 134.13.15.209.in-addr.arpa. (44)
18:20:36.048163 IP (tos 0x0, ttl 111, id 29022, offset 0, flags [DF], proto TCP (6), length 60)
    209.15.13.134.http > debian.local.60831: Flags [S.], cksum 0x2d90 (correct), seq 3956135152, ack 1882893643, win 8192, options [mss 1460,nop,wscale 8,sackOK,TS val 283058667 ecr 1072143], length 0
18:20:36.048225 IP (tos 0x0, ttl 64, id 61766, offset 0, flags [DF], proto TCP (6), length 52)
    debian.local.60831 > 209.15.13.134.http: Flags [.], cksum 0x9f67 (incorrect -> 0x78a8), ack 1, win 913, options [nop,nop,TS val 1072179 ecr 283058667], length 0
18:20:36.048415 IP (tos 0x0, ttl 64, id 61767, offset 0, flags [DF], proto TCP (6), length 356)
    debian.local.60831 > 209.15.13.134.http: Flags [P.], cksum 0xa097 (incorrect -> 0x2c44), seq 1:305, ack 1, win 913, options [nop,nop,TS val 1072179 ecr 283058667], length 304
18:20:36.399489 IP (tos 0x0, ttl 111, id 29138, offset 0, flags [DF], proto TCP (6), length 52)
    209.15.13.134.http > debian.local.60831: Flags [.], cksum 0x79e2 (correct), ack 305, win 260, options [nop,nop,TS val 283058702 ecr 1072179], length 0
18:20:36.726803 IP (tos 0x0, ttl 111, id 29277, offset 0, flags [DF], proto TCP (6), length 1099)
    209.15.13.134.http > debian.local.60831: Flags [FP.], cksum 0x2c10 (correct), seq 1:1048, ack 305, win 260, options [nop,nop,TS val 283058735 ecr 1072179], length 1047
18:20:36.726857 IP (tos 0x0, ttl 64, id 61768, offset 0, flags [DF], proto TCP (6), length 52)
    debian.local.60831 > 209.15.13.134.http: Flags [.], cksum 0x9f67 (incorrect -> 0x71f0), ack 1049, win 1044, options [nop,nop,TS val 1072348 ecr 283058735], length 0
18:20:36.727144 IP (tos 0x0, ttl 64, id 61769, offset 0, flags [DF], proto TCP (6), length 52)
    debian.local.60831 > 209.15.13.134.http: Flags [F.], cksum 0x9f67 (incorrect -> 0x71ef), seq 305, ack 1049, win 1044, options [nop,nop,TS val 1072348 ecr 283058735], length 0
18:20:36.736169 IP (tos 0x0, ttl 64, id 51894, offset 0, flags [DF], proto UDP (17), length 56)
    debian.local.42596 > resolver2.opendns.com.domain: 19914+ A? btdnav.com. (28)
18:20:36.736197 IP (tos 0x0, ttl 64, id 51895, offset 0, flags [DF], proto UDP (17), length 56)
    debian.local.42596 > resolver2.opendns.com.domain: 14142+ AAAA? btdnav.com. (28)
18:20:36.760162 IP (tos 0x0, ttl 54, id 0, offset 0, flags [DF], proto UDP (17), length 72)
    resolver2.opendns.com.domain > debian.local.42596: 19914 1/0/0 btdnav.com. A 209.15.13.136 (44)
18:20:36.760585 IP (tos 0x0, ttl 54, id 0, offset 0, flags [DF], proto UDP (17), length 130)
    resolver2.opendns.com.domain > debian.local.42596: 14142 0/1/0 (102)
18:20:36.768315 IP (tos 0x0, ttl 64, id 53919, offset 0, flags [DF], proto TCP (6), length 60)
    debian.local.59239 > 209.15.13.136.http: Flags [S], cksum 0x9f71 (incorrect -> 0x86cf), seq 365006456, win 14600, options [mss 1460,sackOK,TS val 1072359 ecr 0,nop,wscale 4], length 0
18:20:36.871017 IP (tos 0x0, ttl 111, id 29331, offset 0, flags [DF], proto TCP (6), length 52)
    209.15.13.134.http > debian.local.60831: Flags [.], cksum 0x74f0 (correct), ack 306, win 260, options [nop,nop,TS val 283058750 ecr 1072348], length 0
18:20:36.921577 IP (tos 0x0, ttl 111, id 1704, offset 0, flags [DF], proto TCP (6), length 60)
    209.15.13.136.http > debian.local.59239: Flags [S.], cksum 0x55a9 (correct), seq 2103532740, ack 365006457, win 8192, options [mss 1460,nop,wscale 8,sackOK,TS val 16412409 ecr 1072359], length 0
18:20:36.921645 IP (tos 0x0, ttl 64, id 53920, offset 0, flags [DF], proto TCP (6), length 52)
    debian.local.59239 > 209.15.13.136.http: Flags [.], cksum 0x9f69 (incorrect -> 0xa0bf), ack 1, win 913, options [nop,nop,TS val 1072397 ecr 16412409], length 0
18:20:36.921923 IP (tos 0x0, ttl 64, id 53921, offset 0, flags [DF], proto TCP (6), length 609)
    debian.local.59239 > 209.15.13.136.http: Flags [P.], cksum 0xa196 (incorrect -> 0xa8ab), seq 1:558, ack 1, win 913, options [nop,nop,TS val 1072397 ecr 16412409], length 557
18:20:37.032014 IP6 (hlim 255, next-header UDP (17) payload length: 52) fe80::20e:2eff:fecb:a008.mdns > ff02::fb.mdns: [udp sum ok] 0 PTR (QM)? 134.13.15.209.in-addr.arpa. (44)
18:20:37.032095 IP (tos 0x0, ttl 255, id 32204, offset 0, flags [DF], proto UDP (17), length 72)
    debian.local.mdns > 224.0.0.251.mdns: 0 PTR (QM)? 134.13.15.209.in-addr.arpa. (44)
18:20:37.085878 IP (tos 0x0, ttl 111, id 1767, offset 0, flags [DF], proto TCP (6), length 1500)
    209.15.13.136.http > debian.local.59239: Flags [.], cksum 0x5ada (correct), seq 1:1449, ack 558, win 260, options [nop,nop,TS val 16412425 ecr 1072397], length 1448
18:20:37.085937 IP (tos 0x0, ttl 64, id 53922, offset 0, flags [DF], proto TCP (6), length 52)
    debian.local.59239 > 209.15.13.136.http: Flags [.], cksum 0x9f69 (incorrect -> 0x97fc), ack 1449, win 1094, options [nop,nop,TS val 1072438 ecr 16412425], length 0
18:20:37.087836 IP (tos 0x0, ttl 111, id 1768, offset 0, flags [DF], proto TCP (6), length 1243)
    209.15.13.136.http > debian.local.59239: Flags [P.], cksum 0xd383 (correct), seq 1449:2640, ack 558, win 260, options [nop,nop,TS val 16412425 ecr 1072397], length 1191
18:20:37.087882 IP (tos 0x0, ttl 64, id 53923, offset 0, flags [DF], proto TCP (6), length 52)
    debian.local.59239 > 209.15.13.136.http: Flags [.], cksum 0x9f69 (incorrect -> 0x929f), ack 2640, win 1275, options [nop,nop,TS val 1072439 ecr 16412425], length 0
18:20:37.294826 IP (tos 0x0, ttl 64, id 53924, offset 0, flags [DF], proto TCP (6), length 377)
    debian.local.59239 > 209.15.13.136.http: Flags [P.], cksum 0xa0ae (incorrect -> 0xb278), seq 558:883, ack 2640, win 1275, options [nop,nop,TS val 1072490 ecr 16412425], length 325
18:20:37.455028 IP (tos 0x0, ttl 111, id 1894, offset 0, flags [DF], proto TCP (6), length 1500)
    209.15.13.136.http > debian.local.59239: Flags [.], cksum 0x9029 (correct), seq 2640:4088, ack 883, win 258, options [nop,nop,TS val 16412462 ecr 1072490], length 1448
18:20:37.455088 IP (tos 0x0, ttl 64, id 53925, offset 0, flags [DF], proto TCP (6), length 52)
    debian.local.59239 > 209.15.13.136.http: Flags [.], cksum 0x9f69 (incorrect -> 0x8a7d), ack 4088, win 1456, options [nop,nop,TS val 1072530 ecr 16412462], length 0
18:20:37.455187 IP (tos 0x0, ttl 111, id 1895, offset 0, flags [DF], proto TCP (6), length 155)
    209.15.13.136.http > debian.local.59239: Flags [P.], cksum 0xa6fc (correct), seq 4088:4191, ack 883, win 258, options [nop,nop,TS val 16412462 ecr 1072490], length 103
18:20:40.933517 IP (tos 0x0, ttl 64, id 51899, offset 0, flags [DF], proto UDP (17), length 118)
    debian.local.55944 > resolver2.opendns.com.domain: 39970+ PTR? b.f.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.f.f.ip6.arpa. (90)
18:20:40.958383 IP (tos 0x0, ttl 54, id 0, offset 0, flags [DF], proto UDP (17), length 192)
    resolver2.opendns.com.domain > debian.local.55944: 39970 NXDomain 0/1/0 (164)
18:20:40.958562 IP (tos 0x0, ttl 64, id 51900, offset 0, flags [DF], proto UDP (17), length 118)
    debian.local.38662 > resolver2.opendns.com.domain: 25034+ PTR? 8.0.0.a.b.c.e.f.f.f.e.2.e.0.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa. (90)
18:20:40.983659 IP (tos 0x0, ttl 64, id 51901, offset 0, flags [DF], proto UDP (17), length 70)
    debian.local.53296 > resolver2.opendns.com.domain: 52406+ PTR? 251.0.0.224.in-addr.arpa. (42)
18:20:46.010396 IP (tos 0x0, ttl 64, id 51902, offset 0, flags [DF], proto UDP (17), length 72)
    debian.local.50502 > resolver2.opendns.com.domain: 7263+ PTR? 136.13.15.209.in-addr.arpa. (44)
18:20:46.034561 IP (tos 0x0, ttl 54, id 0, offset 0, flags [DF], proto UDP (17), length 72)
    resolver2.opendns.com.domain > debian.local.50502: 7263 NXDomain 0/0/0 (44)
18:20:46.135112 IP6 (hlim 255, next-header UDP (17) payload length: 52) fe80::20e:2eff:fecb:a008.mdns > ff02::fb.mdns: [udp sum ok] 0 PTR (QM)? 136.13.15.209.in-addr.arpa. (44)
18:20:46.135193 IP (tos 0x0, ttl 255, id 32210, offset 0, flags [DF], proto UDP (17), length 72)
    debian.local.mdns > 224.0.0.251.mdns: 0 PTR (QM)? 136.13.15.209.in-addr.arpa. (44)
18:20:46.226286 IP (tos 0x0, ttl 64, id 51903, offset 0, flags [DF], proto UDP (17), length 62)
    debian.local.56249 > resolver2.opendns.com.domain: 25390+ A? live-winners.com. (34)
18:20:46.226314 IP (tos 0x0, ttl 64, id 51904, offset 0, flags [DF], proto UDP (17), length 62)
    debian.local.56249 > resolver2.opendns.com.domain: 62303+ AAAA? live-winners.com. (34)
18:20:46.250722 IP (tos 0x0, ttl 54, id 0, offset 0, flags [DF], proto UDP (17), length 78)
    resolver2.opendns.com.domain > debian.local.56249: 25390 1/0/0 live-winners.com. A 23.253.180.225 (50)
18:20:46.266115 IP (tos 0x0, ttl 54, id 0, offset 0, flags [DF], proto UDP (17), length 133)
    resolver2.opendns.com.domain > debian.local.56249: 62303 0/1/0 (105)
18:20:46.273182 IP (tos 0x0, ttl 64, id 28651, offset 0, flags [DF], proto TCP (6), length 60)
    debian.local.42192 > 23.253.180.225.http: Flags [S], cksum 0x8db8 (incorrect -> 0x835d), seq 3907979716, win 14600, options [mss 1460,sackOK,TS val 1074735 ecr 0,nop,wscale 4], length 0
18:20:46.397851 IP (tos 0x0, ttl 46, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    23.253.180.225.http > debian.local.42192: Flags [S.], cksum 0xb6f5 (correct), seq 3140595051, ack 3907979717, win 14480, options [mss 1460,sackOK,TS val 1963454244 ecr 1074735,nop,wscale 9], length 0
18:20:46.397916 IP (tos 0x0, ttl 64, id 28652, offset 0, flags [DF], proto TCP (6), length 52)
    debian.local.42192 > 23.253.180.225.http: Flags [.], cksum 0x8db0 (incorrect -> 0x1aa4), ack 1, win 913, options [nop,nop,TS val 1074766 ecr 1963454244], length 0
18:20:46.398113 IP (tos 0x0, ttl 64, id 28653, offset 0, flags [DF], proto TCP (6), length 389)
    debian.local.42192 > 23.253.180.225.http: Flags [P.], cksum 0x8f01 (incorrect -> 0xa224), seq 1:338, ack 1, win 913, options [nop,nop,TS val 1074766 ecr 1963454244], length 337
18:20:51.038360 IP (tos 0x0, ttl 64, id 51914, offset 0, flags [DF], proto UDP (17), length 73)
    debian.local.56841 > resolver2.opendns.com.domain: 21633+ PTR? 225.180.253.23.in-addr.arpa. (45)
18:20:51.152375 IP (tos 0x0, ttl 54, id 0, offset 0, flags [DF], proto UDP (17), length 73)
    resolver2.opendns.com.domain > debian.local.56841: 21633 NXDomain 0/0/0 (45)
18:20:51.253026 IP6 (hlim 255, next-header UDP (17) payload length: 53) fe80::20e:2eff:fecb:a008.mdns > ff02::fb.mdns: [udp sum ok] 0 PTR (QM)? 225.180.253.23.in-addr.arpa. (45)
18:20:51.253106 IP (tos 0x0, ttl 255, id 32213, offset 0, flags [DF], proto UDP (17), length 73)
    debian.local.mdns > 224.0.0.251.mdns: 0 PTR (QM)? 225.180.253.23.in-addr.arpa. (45)
18:20:52.254534 IP6 (hlim 255, next-header UDP (17) payload length: 53) fe80::20e:2eff:fecb:a008.mdns > ff02::fb.mdns: [udp sum ok] 0 PTR (QM)? 225.180.253.23.in-addr.arpa. (45)
18:20:52.254619 IP (tos 0x0, ttl 255, id 32214, offset 0, flags [DF], proto UDP (17), length 73)
    debian.local.mdns > 224.0.0.251.mdns: 0 PTR (QM)? 225.180.253.23.in-addr.arpa. (45)
18:20:52.399609 IP (tos 0x0, ttl 64, id 28655, offset 0, flags [DF], proto TCP (6), length 52)
    debian.local.42192 > 23.253.180.225.http: Flags [F.], cksum 0x8db0 (incorrect -> 0x0dd5), seq 338, ack 1222, win 1094, options [nop,nop,TS val 1076267 ecr 1963454282], length 0
18:20:52.533182 IP (tos 0x0, ttl 46, id 16945, offset 0, flags [DF], proto TCP (6), length 52)
    23.253.180.225.http > debian.local.42192: Flags [F.], cksum 0x0c23 (correct), seq 1222, ack 339, win 31, options [nop,nop,TS val 1963455778 ecr 1076267], length 0
18:20:52.533233 IP (tos 0x0, ttl 64, id 28656, offset 0, flags [DF], proto TCP (6), length 52)
    debian.local.42192 > 23.253.180.225.http: Flags [.], cksum 0x8db0 (incorrect -> 0x07db), ack 1223, win 1094, options [nop,nop,TS val 1076300 ecr 1963455778], length 0
18:20:53.400167 IP (tos 0x0, ttl 64, id 60064, offset 0, flags [DF], proto TCP (6), length 40)
    debian.local.51204 > 107.191.51.151.vultr.com.http: Flags [F.], cksum 0x601c (incorrect -> 0xaa42), seq 2134740321, ack 89428543, win 14600, length 0
18:20:53.533052 IP (tos 0x0, ttl 49, id 5008, offset 0, flags [DF], proto TCP (6), length 227)
    107.191.51.151.vultr.com.http > debian.local.51204: Flags [F.], cksum 0x8f2a (correct), seq 1:188, ack 1, win 14600, length 187
18:20:53.533095 IP (tos 0x0, ttl 64, id 39429, offset 0, flags [DF], proto TCP (6), length 40)
    debian.local.51204 > 107.191.51.151.vultr.com.http: Flags [R], cksum 0x7aea (correct), seq 2134740322, win 0, length 0
18:20:54.256145 IP6 (hlim 255, next-header UDP (17) payload length: 53) fe80::20e:2eff:fecb:a008.mdns > ff02::fb.mdns: [udp sum ok] 0 PTR (QM)? 225.180.253.23.in-addr.arpa. (45)
18:20:54.256224 IP (tos 0x0, ttl 255, id 32215, offset 0, flags [DF], proto UDP (17), length 73)
    debian.local.mdns > 224.0.0.251.mdns: 0 PTR (QM)? 225.180.253.23.in-addr.arpa. (45)
18:20:56.156065 IP (tos 0x0, ttl 64, id 51915, offset 0, flags [DF], proto UDP (17), length 73)
    debian.local.34218 > resolver2.opendns.com.domain: 34325+ PTR? 151.51.191.107.in-addr.arpa. (45)
18:20:56.434779 IP (tos 0x0, ttl 54, id 0, offset 0, flags [DF], proto UDP (17), length 111)
    resolver2.opendns.com.domain > debian.local.34218: 34325 1/0/0 151.51.191.107.in-addr.arpa. PTR 107.191.51.151.vultr.com. (83)
18:20:58.342368 IP (tos 0x0, ttl 49, id 24748, offset 0, flags [DF], proto TCP (6), length 40)
    107.191.51.151.vultr.com.http > debian.local.51201: Flags [F.], cksum 0xde4f (correct), seq 2644418010, ack 2314042657, win 26280, length 0
18:20:58.342622 IP (tos 0x0, ttl 64, id 2436, offset 0, flags [DF], proto TCP (6), length 40)
    debian.local.51201 > 107.191.51.151.vultr.com.http: Flags [F.], cksum 0x601c (incorrect -> 0xa546), seq 1, ack 1, win 40880, length 0
18:20:58.478842 IP (tos 0x0, ttl 49, id 24749, offset 0, flags [DF], proto TCP (6), length 40)
    107.191.51.151.vultr.com.http > debian.local.51201: Flags [.], cksum 0xde4e (correct), ack 2, win 26280, length 0
18:20:59.100995 IP (tos 0x0, ttl 49, id 32361, offset 0, flags [DF], proto TCP (6), length 40)
    107.191.51.151.vultr.com.http > debian.local.51202: Flags [F.], cksum 0x1c33 (correct), seq 3574664031, ack 3021098472, win 35040, length 0
18:20:59.102161 IP (tos 0x0, ttl 64, id 21464, offset 0, flags [DF], proto TCP (6), length 40)
    debian.local.51202 > 107.191.51.151.vultr.com.http: Flags [F.], cksum 0x601c (incorrect -> 0xa512), seq 1, ack 1, win 65535, length 0
18:20:59.237979 IP (tos 0x0, ttl 49, id 32362, offset 0, flags [DF], proto TCP (6), length 40)
    107.191.51.151.vultr.com.http > debian.local.51202: Flags [.], cksum 0x1c32 (correct), ack 2, win 35040, length 0
^C
77 packets captured
335 packets received by filter
258 packets dropped by kernel
root@debian:/home/angel#

par **angelique** » 08 sept. 2014 18:39

httpx://skywalkmedia.tkr.me/FLV_Mplayer3?campaign=RM_FLVplayer3&subcampaign=2645_1609_FR_

httpx://la.flv5133player.com/L00a2001d/en?exe_name=videoplayer&transaction_id=2645_1609_FR_

par **angelique** » 08 sept. 2014 19:11

<!DOCTYPE html>
<html ng-app="Searchnet">
<head><script type="text/javascript">window.NREUM||(NREUM={});NREUM.info = {"beacon":"beacon-6.newrelic.com","errorBeacon:":"bam.nr-data.net","licenseKey":"1d08c2a3cc","applicationID":"2200173","transactionName":"YgADZREFVxVUBhIKXltKJV4XKlwSdgoIF0NaCQ1UEUtqA1QXBQseeQoAVQoKXg==","queueTime":"0","applicationTime":"4","ttGuid":"BAB5490D8D7ACD45","agent":"js-agent.newrelic.com/nr-412.min.js"}</script><script type="text/javascript">window.NREUM||(NREUM={}),__nr_require=function(t,n,e){function r(e){if(!n[e]){var o=n[e]={exports:{}};t[e][0].call(o.exports,function(n){var o=t[e][1][n];return r(o?o:n)},o,o.exports)}return n[e].exports}if("function"==typeof __nr_require)return __nr_require;for(var o=0;o<e.length;o++)r(e[o]);return r}({D5DuLP:[function(t,n){function e(t,n){var e=r[t];return e?e.apply(this,n):(o[t]||(o[t]=[]),void o[t].push(n))}var r={},o={};n.exports=e,e.queues=o,e.handlers=r},{}],handle:[function(t,n){n.exports=t("D5DuLP")},{}],G9z0Bl:[function(t,n){function e(){var t=l.info=NREUM.info;if(t&&t.agent&&t.licenseKey&&t.applicationID&&p&&p.body){l.proto="https"===f.split(":")[0]||t.sslForHttp?"https://":"http://",i("mark",["onload",a()]);var n=p.createElement("script");n.src=l.proto+t.agent,p.body.appendChild(n)}}function r(){"complete"===p.readyState&&o()}function o(){i("mark",["domContent",a()])}function a(){return(new Date).getTime()}var i=t("handle"),u=window,p=u.document,s="addEventListener",c="attachEvent",f=(""+location).split("?")[0],l=n.exports={offset:a(),origin:f,features:[]};p[s]?(p[s]("DOMContentLoaded",o,!1),u[s]("load",e,!1)):(p[c]("onreadystatechange",r),u[c]("onload",e)),i("mark",["firstbyte",a()])},{handle:"D5DuLP"}],loader:[function(t,n){n.exports=t("G9z0Bl")},{}]},{},["G9z0Bl"]);</script>
<meta http-equiv="refresh" content="5;url=http://live-winners.com/go/c/107/4/vars?sid=13456404" />
<title>Please wait while SearchNet loads your results ...</title>
</head>
<body style="background:#fff;">

Redirecting...

<form id="searchForm" action="/Search/Index?utm_source=1506&utm_campaign=AuctionErrorWithInfo&utm_term=Minutes&utm_medium=tichnak" method="post">
<input id="hcv" name="hcv" type="hidden" value="1" />
<input id="q" name="q" type="hidden" value="Minutes" />
<input id="FromLoadingPage" name="FromLoadingPage" type="hidden" value="True" />
</form>

<form id="homeForm" action="/?utm_source=1506&utm_campaign=AuctionErrorWithInfo&utm_term=Minutes&utm_medium=tichnak" method="post">
<input id="hcv" name="hcv" type="hidden" value="1" />
<input id="q" name="q" type="hidden" value="Minutes" />
<input id="FromLoadingPage" name="FromLoadingPage" type="hidden" value="True" />
</form>

<script>
var ce = (navigator.cookieEnabled) ? true : false;
if (typeof navigator.cookieEnabled == "undefined" && !cookieEnabled) { document.cookie = "t"; ce = (document.cookie.indexOf("t") != -1) ? true : false; }
if (ce) {
var version = "4";
if (version == "0") {
var form = document.getElementById("homeForm");
form.submit();
} else {
var form = document.getElementById("searchForm");
form.submit();
}
}
</script>
</body>
</html>

ѠOOT · par **ѠOOT** » 08 sept. 2014 19:43

angelique,

La flemme d'utiliser un navigateur.
Ci-dessus mon script de rejeu via ncat.

J'obtiens une redirection vers http://btdnav.com/click?data=%s&id=%x-%x-%x-%x-%x
Source de la page HTML obtenue.

Code : Tout sélectionner

<!DOCTYPE html>

<html>
<head>
    <title>Redirecting...</title>
    <meta http-equiv="refresh" content="3;url=/Redirect/?d=...">
    <script type="text/javascript">
    <!--
        var hiddenGetter;
        if (document.hidden) {
            hiddenGetter = function() {
                return document.hidden;
            };
        } else {
            var nativeName = "";
            
            if (document.webkitHidden)
                nativeName = "webkitHidden";
            else if (document.mozHidden)
                nativeName = "mozHidden";
            else if (document.oHidden)
                nativeName = "oHidden";
            else if (document.msHidden)
                nativeName = "msHidden";
            
            if (nativeName != "") {
                hiddenGetter = function() {
                    return document[nativeName];
                };
            } else {
                // Workaround to get hasFocus() functionality on 
                // older version of opera.
                if (typeof document.hasFocus === 'undefined') {
                    document.hasFocus = function () {
                        return document.visibilityState == 'visible';
                    };
                }

                // Use hasFocus() if we can't use the document visibility api
                hiddenGetter = function() {
                    return !document.hasFocus();
                };
            }
        }

        var interval = self.setInterval("doBotDetectingBattery()", 2);

        function isNotIFramed() {
            return window.self === window.top; 
        }
    
        function isScreenBigEnough() {
            return screen.width >= 150 && screen.height >= 150;
        }

        function isVisible(element) {
            if (element.offsetWidth === 0 || element.offsetHeight === 0) return false;
            var height = document.documentElement.clientHeight,
                rects = element.getClientRects(),
                on_top = function(r) {
                    var x = (r.left + r.right)/2, y = (r.top + r.bottom)/2;
                    return document.elementFromPoint(x, y) === element;
                };
        
            for (var i = 0, l = rects.length; i < l; i++) { 
                var r = rects[i],
                    in_viewport = r.top > 0 ? r.top <= height : (r.bottom > 0 && r.bottom <= height);
                if (in_viewport && on_top(r)) return true;
            }
            return false;
        }

        function createCookie(name, value, days) {
            var expires;
            if (days) {
                var date = new Date();
                date.setTime(date.getTime() + (days * 24 * 60 * 60 * 1000));
                expires = "; expires=" + date.toGMTString();
            }
            else expires = "";
            document.cookie = name + "=" + value + expires + "; path=/";
        }

        function readCookie(name) {
            var nameEQ = name + "=";
            var ca = document.cookie.split(';');
            for (var i = 0; i < ca.length; i++) {
                var c = ca[i];
                while (c.charAt(0) == ' ') c = c.substring(1, c.length);
                if (c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length, c.length);
            }
            return null;
        }

        function eraseCookie(name) {
            createCookie(name, "", -1);
        }

        function areCookiesEnabled(name, value) {
            var r = false;
            createCookie(name, value, 1);
            if (readCookie(name) != null) {
                r = true;
                eraseCookie(name);
            }
            return r;
        }

        function doBotDetectingBattery() {
            interval = window.clearInterval(interval);
            
            var fe = document.forms[0].elements;
            fe["cookie"].value = areCookiesEnabled("test930", "123");
            fe["focus"].value = !hiddenGetter();
            fe["notiframed"].value = isNotIFramed();
            fe["screensize"].value = isScreenBigEnough();
            fe["visible"].value = isVisible(document.getElementById("bs-redir-body"));

            document.forms[0].submit();
        }
    // -->
    </script>

</head>
    <body id="bs-redir-body">

        <form name="redirect" method="POST" action="/Redirect/">
            <input type="hidden" name="d" value="..." />
            <input type="hidden" name="cookie" value=""/>
            <input type="hidden" name="focus" value=""/>
            <input type="hidden" name="notiframed" value=""/>
            <input type="hidden" name="screensize" value=""/>
            <input type="hidden" name="visible" value=""/>            

        </form>
        Redirecting...
    </body>

</html>

Redirection vers http://www.searchnet.com/search?v=5
Qui effectuera d'autres redirections après chargement:
→ http://live-winners.com/go/c/107/4/vars?sid=9715840
→ http://vf7.HI5LINKS.com/?&s1=....
→ http://intl.answereducation.eu/?sov=...&hid=...&&nodl=..&redid=..&id=...
Et ceci jusqu'à l'affichage de publicités, etc.. ou propositions de téléchargements.

A postériori pas de technique mystique en vue pour contrecarrer les greffons précités.
Je testerai avec la configuration mentionnée pour vérifier.

par **Malekal_morte** » 08 sept. 2014 21:37

searchnet.... le truc à PUPs !

ѠOOT · par **ѠOOT** » 09 sept. 2014 16:49

Bonjour,

La suite... Les tests démontrent que les redirections sont effectives malgré la présence de NoScript ( voir vidéo ) néanmoins il n'y a pas d'exécution de codes donc tout va bien, les abus sont limités. Ce n'est pas une défaillance du greffon, il s'agit de redirections classiques donc évaluées par NoScript comme légitimes. Ce site utilise cette technique pour maintenir le navigateur dans un état d'activité constant jusqu'à la livraison du contenu final. Des pratiques courantes, les webmestres ne s'en privent pas, ils en raffolent même - logique puisque ce langage le permet - à ma connaissance, il n'y a absolument rien d'illégal tant que les usages sont modérés.

JavaScript bloqué par NoScript, le navigateur ne fera "qu'avancer" de page en page au rythme des redirections. En revanche si l'utilisateur n'a pas de greffons de sécurité alors c'est la porte ouverte à toutes les dérives. Dans l'exemple ci-dessus, le webmestre utilise une méthode POST pour grappiller quelques informations concernant la configuration. Rien de bien sorcier diront certains, oui dans ce cas de figure, méfiez-vous tout de même car rien n'empêche de tomber sur des codes plus intrusifs et virulents, voir totalement agressifs. Pour imager, c'est un peu comme jouer à la roulette russe. Il est plus sage de bloquer puis d'autoriser au compte goutte si besoins.

Alors comment renforcer la sécurité pour définitivement autoriser ou non ces chargements inopinés ? Et bien figurez-vous que les navigateurs Mozilla sont tout à fait en mesure d'empêcher ce type de redirections automatiques vers d'autres pages. Pour cela, vous devez configurer accessibility.blockautorefresh

Les redirections automatiques sont bloquées et un bandeau d'autorisation s'affiche.

Soyez malin, surfez serein.

chef · par **chef** » 09 sept. 2014 17:02

bonjour,
merci ѠOOT pour tes explications!
question quel sont les risques pour debian (linux)sur ce coup ?

par **angelique** » 09 sept. 2014 18:38

Good Job ѠꙨꙨT \o_

Yep accessibility.blockautorefresh sur true et Iceѡeasel fait comme tu dis ;) même pour répondre ici

.... sur un même site ^^

Pas de risque Chef ;)

xtrem47 · par **xtrem47** » 13 sept. 2014 11:45

Salut,

La valeur accessibility.blockautorefresh peut aussi être changée dans les menu des options de Firefox : Avancé -> Général -> Prévenir lorsque les sites web tentent de rediriger ou de recharger la page.

par **Malekal_morte** » 13 sept. 2014 18:26

interressant : http://kb.mozillazine.org/Accessibility ... utorefresh

Web pages (and web servers) can ask a browser to automatically refresh a page after a given timeout by including the HTML element <meta http-equiv="refresh"> or by sending a Refresh: HTTP header. This can be helpful (as in the case of a webpage whose content is updated constantly) but it also can be irritating.

Automatic refreshes also have accessibility implications; sudden replacement of content can be disorienting. The UAAG recommends giving users the option to disable/ignore automatic page refreshes for this reason. This preference allows users to block automatic page refreshing, instead displaying a message allowing them to manually refresh the page.

Me semble avoir vu des malvertising (Browlock etc) utiliser ce genre de procédés.

Malekal.com forum

fake player||fake mise à jour ...

fake player||fake mise à jour ...

Re: fake player

Re: fake player||fake mise à jour ...

Re: fake player||fake mise à jour ...

Re: fake player||fake mise à jour ...

Re: fake player||fake mise à jour ...

Re: fake player||fake mise à jour ...

Re: fake player||fake mise à jour ...

Re: fake player||fake mise à jour ...

Re: fake player||fake mise à jour ...

Re: fake player||fake mise à jour ...

Re: fake player||fake mise à jour ...

Re: fake player||fake mise à jour ...

Re: fake player||fake mise à jour ...

Re: fake player||fake mise à jour ...