Internal LAN ip being leaked
|
Nov. 23, 2004, 04:32 PM
Post: #1
|
|||
|
|||
my LAN IP being leaked over at http://www.auditmypc.com home page
my config is this... [PC]---LAN port--->[ADSL modem-*-Router]--->Internet WHY oh WHY can anyone read my LAN ip? Is it because of Stateful Packet inspection (which my router employs - with NAT + firewall- and I believe its mentioned on this site that SPI interferes and releases IP) the site says they don't use a script to accomplish internal ip grabbing.... I found these elements "lurking" during the page loading, and indeed once it had fully loaded... This page--> http://whatsmyip.auditmypc.com/ elements: http://whatsmyip.auditmypc.com/auditmypc.class http://whatsmyip.auditmypc.com/adt.asp --->embedded as iFrame http://whatsmyip.auditmypc.com/audit.asp...p_was_here Can proxo help here? Is it a browser thing? I'm a [beatdown] konfoosed user now... <span style='font-size:8pt;line-height:100%'><i><span style='color:#0000FF'>Projekt</span> </span><span style='color:#FF0000'>D</span><span style='color:#008200'>F</span><span style='color:#8449a5'>S</span></i> : <b><span style='color:#0000FF'>projekt</span><span style='color:#FF0000'>d</span><span style='color:#008200'>f</span><span style='color:#8449a5'>s</span></b>[at]<span style='color:BLUE'>g</span><span style='color:RED'>m</span><span style='color:#ce9a31'>a</span><span style='color:BLUE'>i</span><span style='color:#008200'>l</span><span style='color:BLACK'>.</span><span style='color:#8449a5'>com </span><span style='color:BLACK'>: <u>What</u> is it?</span><br>It's ONLINE <span style='color:#FF0000'><span style='font-size:10pt;line-height:100%'>NOW</span></span>!!!pm me for url. max 250 users. by invite only please. |
|||
Nov. 23, 2004, 09:08 PM
Post: #2
|
|||
|
|||
The script to get your internal LAN IP is (encoded in Unicode Hex, but I've converted it to ASCII):
Code: <script type="text/javascript">document.write('<iframe src="/adt.asp" width="200" height="80" marginwidth="1" marginheight="1" align="top" scrolling="no" frameborder="0"></iframe>')</script> adt.asp contains: Code: <script type="text/javascript">document.write('<applet width="1" height="1" code="auditmypc.class"> In conclusion, this site used encrypted Script tags to load the Class file. I've written the following filter: Code: [Patterns] This will not remove any normal [Applets], but will remove the "code="*.class"" NESTED inside a Javascript tag, encrypted or not. Isn't it suspicious to have an applet encrypted in a Javascript? |
|||
Nov. 24, 2004, 06:30 AM
Post: #3
|
|||
|
|||
its not working to block tha site over here... dunno why.
<span style='font-size:8pt;line-height:100%'><i><span style='color:#0000FF'>Projekt</span> </span><span style='color:#FF0000'>D</span><span style='color:#008200'>F</span><span style='color:#8449a5'>S</span></i> : <b><span style='color:#0000FF'>projekt</span><span style='color:#FF0000'>d</span><span style='color:#008200'>f</span><span style='color:#8449a5'>s</span></b>[at]<span style='color:BLUE'>g</span><span style='color:RED'>m</span><span style='color:#ce9a31'>a</span><span style='color:BLUE'>i</span><span style='color:#008200'>l</span><span style='color:BLACK'>.</span><span style='color:#8449a5'>com </span><span style='color:BLACK'>: <u>What</u> is it?</span><br>It's ONLINE <span style='color:#FF0000'><span style='font-size:10pt;line-height:100%'>NOW</span></span>!!!pm me for url. max 250 users. by invite only please. |
|||
Nov. 24, 2004, 07:16 AM
Post: #4
|
|||
|
|||
Code: Match = "*(%63%6f%64%65%3d%22*%22" |
|||
Nov. 24, 2004, 08:56 PM
Post: #5
|
|||
|
|||
It's Unicode encoded.
If decrypted, \u0063 is %63 in hex, which is "c", the three lines are identical to: code="*.class" It's not working no13? Siamesecat, does it seem to work? |
|||
Nov. 24, 2004, 10:00 PM
Post: #6
|
|||
|
|||
Kye-U Wrote:In conclusion, this site used encrypted Script tags to load the Class file. I've written the following filter:Kye-U, thank you very much -- works just great! BTW, its important to clear the cache otherwise it will seem as if the filter is not working. Once the cache has been cleared subsequent calls get properly trapped. Very nice work Kye-U. |
|||
Nov. 24, 2004, 10:15 PM
Post: #7
|
|||
|
|||
Thanks Mozerd
I think that this is a very "specific" filter, and I plan to revise it and post a more general filter |
|||
Nov. 25, 2004, 12:50 PM
Post: #8
|
|||
|
|||
Its working after I destroyed the cookies and cache (needed Kerio to help out with cookies)
<span style='font-size:8pt;line-height:100%'><i><span style='color:#0000FF'>Projekt</span> </span><span style='color:#FF0000'>D</span><span style='color:#008200'>F</span><span style='color:#8449a5'>S</span></i> : <b><span style='color:#0000FF'>projekt</span><span style='color:#FF0000'>d</span><span style='color:#008200'>f</span><span style='color:#8449a5'>s</span></b>[at]<span style='color:BLUE'>g</span><span style='color:RED'>m</span><span style='color:#ce9a31'>a</span><span style='color:BLUE'>i</span><span style='color:#008200'>l</span><span style='color:BLACK'>.</span><span style='color:#8449a5'>com </span><span style='color:BLACK'>: <u>What</u> is it?</span><br>It's ONLINE <span style='color:#FF0000'><span style='font-size:10pt;line-height:100%'>NOW</span></span>!!!pm me for url. max 250 users. by invite only please. |
|||
« Next Oldest | Next Newest »
|