lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <21ae1b060603141727y559f4b7du@mail.gmail.com>
Date: Wed Mar 15 01:28:12 2006
From: abryson at bytefocus.com (Alice Bryson)
Subject: strange domain name in phishing email

hi there
   It is very strange thing. I have done the following tries.

trying                                 result
http://172.21.12.250            success
http://2887060730               failed
http://2887060730/              failed
telent 2887060730 80          failed
ping 2887060730                success
http://1406379699(phishing web site mentioned by Jianqiang Xin )      success
http://1406379699/(phishing web site mentioned by Jianqiang Xin )      success

Could anyone give me some idea?
Thanks.

2006/3/14, Michael Holstein <michael.holstein@...ohio.edu>:
> > Octal with eights in it?? As mentioned, it works works fine with
> > IE6 if you remove the final /
>
> No. it was decimal.
>
> FWIW, here's a quickie way to convert between the 3
> (hex,decimal,dottedquad) -- all of which work in URLs.
>
> Also .. the security zone bypass trick I mentioned earlier is
> accomplished by doing \\(decimalIP) in a link within HTML. IE used to
> treat that as "trusted sites" and would automatically submit credentials
> if requested by the remote side.
>
> Cheers,
>
> Michael Holstein CISSP GCIA
> Cleveland State University
>
> --snip--
>
> #!/usr/bin/perl
> # Perl script to convert between numeric and dotted quad IPs.
> # credit to Paul Gregg for this (found on Google somewhere)
> while (<STDIN>) {
>   chomp; $input = $_;
>   if (/\./) {
>     ($a, $b, $c, $d) = split(/\./);
>     $decimal = $d + ($c * 256) + ($b * 256**2) + ($a * 256**3);
>   } else {
>     $decimal = $_;
>     $d = $_ % 256; $_ -= $d; $_ /= 256;
>     $c = $_ % 256; $_ -= $c; $_ /= 256;
>     $b = $_ % 256; $_ -= $b; $_ /= 256;
>     $a = $_;
>   }
>
>   if ( ($a>255) || ($b>255) || ($c>255) || ($d>255) ) {
>     print "$0: Invalid input: $input\n";
>   } else {
>     printf ("Address: %d.%d.%d.%d is %u  (Hex:%02x%02x%02x%02x)\n",
>  $a,$b,$c,$d, $decimal,$a,$b,$c,$d);
>   }
> }
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>


--
Homepage:http://www.lwang.org
We collect spam for research at:
mailto:abryson@...efocus.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ