Which hack is this?

Gerald Combs gerald at ethereal.com
Sat Dec 7 17:52:46 CST 2002


On Sat, 7 Dec 2002, Hanasaki JiJi wrote:

> Any thoughts on how to decode the below and determine what it was trying 
> to send out?
> 
> squid[5383]: urlParse: Illegal character in hostname 
> '%77ww.o%6e%6cine%2du%70d%61%74e-c%65%6e%74%65%72%2ec%6fm'

RFC 1738 describes how URLs are formatted.  Section 2.2 says:

   "In addition, octets may be encoded by a character triplet consisting
    of the character "%" followed by the two hexadecimal digits (from
    "0123456789ABCDEF") which forming the hexadecimal value of the octet.
    (The characters "abcdef" may also be used in hexadecimal encodings.)"

Normally, this is done to escape-out characters that you can't normally
put in a URL, e.g. if your path has a space character it will usually be
replaced with "%20".  However, spammers, virus writers and people trying
to break into and out of firewalls and proxy servers often escape out
normal, printable characters to try to fool software that would otherwise
block what they're trying to do.

Using the ASCII chart generated by "man ascii" the hostname can be
manually decoded into "www.online-center.com", which apparently hosts
a floppy-based Linux distribution called Minux.  

> -- 
> = Management is doing things right; leadership is doing the     =
> =       right things.    - Peter Drucker                        =
> =_______________________________________________________________=
> =     http://www.sun.com/service/sunps/jdc/javacenter.pdf       =
> =  www.sun.com | www.javasoft.com | http://wwws.sun.com/sunone  =
> 
> 
> 
> 
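The check described in the reply above, as an added example that is not part of the original message: it pulls the rejected hostname out of squid's log message, decodes the RFC 1738 %XX triplets, and flags hosts where ordinary hostname characters were escaped. The names `analyze_host` and `scan` are hypothetical, and the second sample log line is constructed.

```python
import re

# Characters a hostname may contain as-is; escaping any of them serves no purpose.
HOST_SAFE = set("abcdefghijklmnopqrstuvwxyz"
                "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-.")
TRIPLET = re.compile(r"%([0-9A-Fa-f]{2})")
# The squid message format quoted in the post; \s+ tolerates a wrapped line.
SQUID_HOST = re.compile(r"urlParse: Illegal character in hostname\s+'([^']*)'")

# First entry is the log line from the post; the second is constructed.
SAMPLE_LOG = """\
squid[5383]: urlParse: Illegal character in hostname '%77ww.o%6e%6cine%2du%70d%61%74e-c%65%6e%74%65%72%2ec%6fm'
squid[5383]: urlParse: Illegal character in hostname 'files.example.test%20backup'
"""

def analyze_host(raw):
    """Decode RFC 1738 %XX triplets and count the ones hiding ordinary characters."""
    octets = [chr(int(m.group(1), 16)) for m in TRIPLET.finditer(raw)]
    needless = sum(1 for ch in octets if ch in HOST_SAFE)
    decoded = TRIPLET.sub(lambda m: chr(int(m.group(1), 16)), raw)
    return {"raw": raw, "decoded": decoded,
            "escapes": len(octets), "needless": needless,
            "obfuscated": needless > 0}

def scan(log_text):
    """Return one analysis record per rejected hostname found in the log text."""
    return [analyze_host(m.group(1)) for m in SQUID_HOST.finditer(log_text)]

if __name__ == "__main__":
    for rec in scan(SAMPLE_LOG):
        flag = "OBFUSCATED" if rec["obfuscated"] else "ok"
        print(f'{flag:10} {rec["needless"]}/{rec["escapes"]} needless  {rec["decoded"]}')
```

A single `%20` is not flagged because a space genuinely needs escaping; only triplets that decode to letters, digits, "-" or "." count as needless.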



