
December 7, 2003

Trojan Horse Referer Spam

If you run a website, you may have noticed some “unlikely” entries in your Referer logs, from what are apparently porn sites hoping to appear in your Referer listings, on the off-chance that you publish those somewhere on your website.

What I didn’t realize is that these are apparently being generated by Trojan horses running on some unsuspecting schmoe’s Windoze machine.

Here’s one who’s been visiting me a lot recently. A typical evening’s visit looks like:

bu-wcs2-sand.nipr.mil - - [05/Dec/2003:18:03:52 -0600] "GET /~distler/blog/images/bigthinker.jpg HTTP/1.0" 200 1443 "-" "Mozilla/3.01 (compatible;)"
bu-wcs2-sand.nipr.mil - - [05/Dec/2003:18:03:52 -0600] "GET /~distler/blog/archives/000064.html HTTP/1.0" 200 8793 "http://www.busty2.com/?big_tits" "Mozilla/4.0 (compatible; MSIE 5.5)"
bu-wcs2-sand.nipr.mil - - [05/Dec/2003:18:03:52 -0600] "GET /~distler/blog/ie.js HTTP/1.0" 200 2069 "-" "Mozilla/3.01 (compatible;)"
bu-wcs2-sand.nipr.mil - - [05/Dec/2003:20:44:23 -0600] "GET /~distler/blog/archives/000064.html HTTP/1.0" 200 8793 "http://www.transsexualpalace.com/?trannies" "Mozilla/4.0 (compatible; MSIE 5.5)"
bu-wcs2-sand.nipr.mil - - [05/Dec/2003:20:44:23 -0600] "GET /~distler/blog/images/bigthinker.jpg HTTP/1.0" 200 1443 "-" "Mozilla/3.01 (compatible;)"
bu-wcs2-sand.nipr.mil - - [05/Dec/2003:20:47:01 -0600] "GET /~distler/blog/archives/000165.html HTTP/1.0" 200 19720 "http://www.transsexualpalace.com/?trannies" "Mozilla/4.0 (compatible; MSIE 5.5)"
bu-wcs2-sand.nipr.mil - - [05/Dec/2003:20:47:01 -0600] "GET /~distler/blog/images/MathML.png HTTP/1.0" 200 3238 "-" "Mozilla/3.01 (compatible;)"

Note that when the 'bot downloads a token image or javascript file in an attempt to look more “human”, it switches to a different User-Agent and sends no Referer at all, while the bogus Referer string only accompanies the page requests.
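That pattern (an external Referer on the page fetch, then sub-resource fetches in the same second from the same host under a different User-Agent with no Referer) is something a log parser can pick out and use to keep the junk out of any published referer listing. The following is an added example, not code from this post; the sample log is constructed to mirror the shape of the excerpt above, with placeholder hostnames and referer URLs rather than the real ones, and the file-extension list used to tell pages from sub-resources is an assumption.

```python
import re
from collections import defaultdict

# Apache "combined" log format, the same layout as the lines quoted in the post.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample, modelled on the excerpt in the post. Hostnames and
# referer URLs are placeholders; the last two lines are a real-browser visit
# for contrast (same UA throughout, page URL sent as Referer for the image).
SAMPLE_LOG = """\
proxy.example.mil - - [05/Dec/2003:18:03:52 -0600] "GET /blog/images/bigthinker.jpg HTTP/1.0" 200 1443 "-" "Mozilla/3.01 (compatible;)"
proxy.example.mil - - [05/Dec/2003:18:03:52 -0600] "GET /blog/archives/000064.html HTTP/1.0" 200 8793 "http://spam-one.example/?keyword" "Mozilla/4.0 (compatible; MSIE 5.5)"
proxy.example.mil - - [05/Dec/2003:18:03:52 -0600] "GET /blog/ie.js HTTP/1.0" 200 2069 "-" "Mozilla/3.01 (compatible;)"
proxy.example.mil - - [05/Dec/2003:20:44:23 -0600] "GET /blog/archives/000064.html HTTP/1.0" 200 8793 "http://spam-two.example/?keyword" "Mozilla/4.0 (compatible; MSIE 5.5)"
proxy.example.mil - - [05/Dec/2003:20:44:23 -0600] "GET /blog/images/bigthinker.jpg HTTP/1.0" 200 1443 "-" "Mozilla/3.01 (compatible;)"
reader.example.net - - [05/Dec/2003:21:10:05 -0600] "GET /blog/archives/000165.html HTTP/1.0" 200 19720 "http://search.example/?q=mathml" "Mozilla/5.0 (X11; Linux)"
reader.example.net - - [05/Dec/2003:21:10:05 -0600] "GET /blog/images/MathML.png HTTP/1.0" 200 3238 "http://blog.example/blog/archives/000165.html" "Mozilla/5.0 (X11; Linux)"
"""

# Assumed split between page requests and the token sub-resources the bot fetches.
SUBRESOURCE_EXT = (".jpg", ".gif", ".png", ".js", ".css")


def parse(log_text):
    """Turn combined-format log lines into dicts; unparseable lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def suspicious_hosts(entries):
    """Return {host: set(referers)} for hosts showing the bot's signature:
    within one second, page fetches carry a Referer while the sub-resource
    fetches arrive under a different User-Agent with no Referer at all.
    A real browser keeps one UA and sends the page URL as the Referer for
    the images and scripts it loads."""
    by_burst = defaultdict(list)
    for e in entries:
        by_burst[(e["host"], e["time"])].append(e)
    flagged = defaultdict(set)
    for (host, _), burst in by_burst.items():
        pages = [e for e in burst if not e["path"].lower().endswith(SUBRESOURCE_EXT)]
        subs = [e for e in burst if e["path"].lower().endswith(SUBRESOURCE_EXT)]
        if not pages or not subs:
            continue
        page_agents = {e["agent"] for e in pages}
        sub_agents = {e["agent"] for e in subs}
        page_refs = {e["referer"] for e in pages if e["referer"] != "-"}
        subs_bare = all(e["referer"] == "-" for e in subs)
        if page_refs and subs_bare and page_agents.isdisjoint(sub_agents):
            flagged[host].update(page_refs)
    return dict(flagged)


def referer_blocklist(flagged):
    """Referer hostnames to exclude from any published referer listing."""
    hosts = set()
    for refs in flagged.values():
        for r in refs:
            hosts.add(re.sub(r'^https?://([^/]+).*$', r'\1', r))
    return sorted(hosts)


if __name__ == "__main__":
    hits = suspicious_hosts(parse(SAMPLE_LOG))
    for host, refs in hits.items():
        print(host, sorted(refs))
    print(referer_blocklist(hits))
```

The blocklist this produces is the useful output: feeding it to whatever generates the referer page, or to an Apache `SetEnvIf Referer` rule that marks such requests so they are dropped from the log fed to that page, denies the spammer the listing they are after without touching the (possibly compromised) client at all.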

nipr.mil is the US Military’s web proxy, so we can’t exactly dash off an email of enquiry, but I’m gonna assume that no one is deliberately running a Porno Referer Spambot on a DOD computer. That pretty much leaves the Trojan Horse explanation.

Which raises the obvious question: if you’re gonna go to the trouble of planting a Trojan Horse on a milnet computer, isn’t Referer Spam kind of a low-stakes objective?

Posted by distler at December 7, 2003 12:29 AM
