Internal LAN ip being leaked
Nov. 23, 2004, 04:32 PM
Post: #1
 
My LAN IP is being leaked over at the http://www.auditmypc.com home page.
My config is this...
[PC]---LAN port--->[ADSL modem-*-Router]--->Internet
WHY oh WHY can anyone read my LAN IP? Is it because of Stateful Packet Inspection (which my router employs, with NAT + firewall, and I believe it's mentioned on this site that SPI interferes and releases IP)?
The site says they don't use a script to accomplish internal IP grabbing....
I found these elements "lurking" during the page loading, and indeed once it had fully loaded...
This page--> http://whatsmyip.auditmypc.com/
elements:
http://whatsmyip.auditmypc.com/auditmypc.class
http://whatsmyip.auditmypc.com/adt.asp --->embedded as iFrame
http://whatsmyip.auditmypc.com/audit.asp...p_was_here

Can proxo help here? Is it a browser thing? I'm a [beatdown] konfoosed user now...

Projekt DFS : projektdfs[at]gmail.com : What is it?
It's ONLINE NOW!!! pm me for url. max 250 users. by invite only please.
Nov. 23, 2004, 09:08 PM
Post: #2
 
The script to get your internal LAN IP is (encoded in Unicode Hex, but I've converted it to ASCII):

Code:
<script type="text/javascript">document.write('<iframe src="/adt.asp" width="200" height="80" marginwidth="1" marginheight="1" align="top" scrolling="no" frameborder="0"></iframe>')</script>

adt.asp contains:

Code:
<script type="text/javascript">document.write('<applet width="1" height="1" code="auditmypc.class"></applet>')</script>

In conclusion, this site used encrypted Script tags to load the Class file. I've written the following filter:

Code:
[Patterns]
Name = "Javascript: Remove ".class""
Active = TRUE
URL = "($TYPE(htm)|$TYPE(js)|$TYPE(oth))"
Bounds = "$NEST(<script,</script>)"
Limit = 2048
Match = "*(%63%6f%64%65%3d%22*%22"
        "|\\u0(0|)63\\u0(0|)6f\\u0(0|)64\\u0(0|)65\\u0(0|)3d\\u0(0|)22*\\u0(0|)22"
        "|code=$AV(*.class))*"

This will not remove any normal [Applets], but will remove the "code="*.class"" NESTED inside a Javascript tag, encrypted or not. Isn't it suspicious to have an applet encrypted in a Javascript?
Nov. 24, 2004, 06:30 AM
Post: #3
 
It's not working to block that site over here... dunno why.

Nov. 24, 2004, 07:16 AM
Post: #4
 
Code:
Match = "*(%63%6f%64%65%3d%22*%22"
       "|\\u0(0|)63\\u0(0|)6f\\u0(0|)64\\u0(0|)65\\u0(0|)3d\\u0(0|)22*\\u0(0|)22"
       "|code=$AV(*.class))*"

In that match, why would the code be "\u0" or "\u00", followed by the ASCII code for the letter of the word "code"? What does the \u00 do?
Nov. 24, 2004, 08:56 PM
Post: #5
 
It's Unicode encoded.

If decrypted, \u0063 is %63 in hex, which is "c"; the three lines are identical to:

code="*.class"

It's not working, no13? Siamesecat, does it seem to work?
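Added example, not code from the thread or from the proxy filter itself: a JavaScript sketch of the check the filter in post #2 performs and of the decoding described in post #5, normalizing %XX and \uXXXX escapes inside script blocks before looking for code="*.class". The function names and sample markup are constructed for illustration, and the bounded multi-pass decode goes beyond what the filter does.

```javascript
// Constructed sample markup: the same applet reference in three encodings,
// plus an ordinary applet outside any script block.
const SAMPLES = {
  plain: `<script type="text/javascript">document.write('<applet width="1" height="1" code="auditmypc.class"></applet>')</script>`,
  percent: `<script>document.write(unescape('%3Capplet %63%6f%64%65%3d%22auditmypc.class%22%3E'))</script>`,
  unicode: String.raw`<script>document.write('\u0063\u006f\u0064\u0065\u003d\u0022auditmypc.class\u0022')</script>`,
  normalApplet: `<applet code="clock.class" width="100" height="50"></applet>`,
};

const SCRIPT_RE = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
// Matches code="x.class", code='x.class' or code=x.class in decoded text.
const APPLET_CODE_RE = /\bcode\s*=\s*["']?([^"'\s>]+\.class)/gi;

// Undo \uXXXX and %XX escaping so every encoding compares equal.
// A few bounded passes also catch an escape hidden inside another escape.
function decodeEscapes(text, maxPasses = 3) {
  let cur = text;
  for (let i = 0; i < maxPasses; i++) {
    const next = cur
      .replace(/\\u([0-9a-f]{4})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)))
      .replace(/%([0-9a-f]{2})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)));
    if (next === cur) break;
    cur = next;
  }
  return cur;
}

// Return class files referenced from inside <script> blocks only;
// applets written directly in the HTML are left alone, as in the filter.
function findScriptedApplets(html) {
  const hits = [];
  for (const script of html.matchAll(SCRIPT_RE)) {
    const decoded = decodeEscapes(script[1]);
    for (const m of decoded.matchAll(APPLET_CODE_RE)) hits.push(m[1]);
  }
  return hits;
}

for (const [name, html] of Object.entries(SAMPLES)) {
  console.log(name, findScriptedApplets(html));
}
```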
Nov. 24, 2004, 10:00 PM
Post: #6
 
Kye-U Wrote: In conclusion, this site used encrypted Script tags to load the Class file. I've written the following filter:

Kye-U, thank you very much -- works just great!

BTW, it's important to clear the cache, otherwise it will seem as if the filter is not working. Once the cache has been cleared, subsequent calls get properly trapped.

Very nice work Kye-U.
Nov. 24, 2004, 10:15 PM
Post: #7
 
Thanks Mozerd

I think that this is a very "specific" filter, and I plan to revise it and post a more general filter
Nov. 25, 2004, 12:50 PM
Post: #8
 
It's working after I destroyed the cookies and cache (needed Kerio to help out with cookies).
