
The case of the mysterious hostname

posted by John Roberts on February 9th, 2007 in PhishTank, Community, Voting, Verifying phishes, Moderators, Hosts

The following post was written by moderator funchords. If you don’t recognize the username, check the stats page. Without further ado…


Question: What do the following web addresses have in common?

  1. http://66.135.40.79/
  2. http://1116153935/
  3. http://0x42.0207.10319/
  4. http://0102.8857679/

Answer: Don’t look here — try them out and see! (Caveat: In most browsers and operating systems — all four URLs will work. If your computer had trouble with a link, see “Something Not Working” below to understand why.)

So why did that happen?

We websurfers are trained to think of Internet sites as Double-U, Double-U, Double-U, Dot, Google, Dot, Com — because that is easier to remember than http://1208941928/. The network translates those names into numbers, so we don’t have to. But, every computer accessible on the Internet has a long and unique number as an address. It’s like a telephone number — uniquely yours.

The hostnames in the four web addresses at the top of this page are all different ways of expressing the same Internet address number.

Just as websurfers use a method that is easy to remember, programmers do, too. If they’re working in a system or programming language that prefers base-16 or hexadecimal numbers, they’re likely to express a 3 like 0x3 and a 12 like 0xC. An octal system would likely replace those with base-8 numbers, expressed as 03 and 014.

Why do this, when the rest of the world speaks in base-10 (decimal)? You’ll see in a moment — multiplication and division are much easier when you’re speaking the same language as the system.

The third example at the top of the page begins with 0x42, which is a hexadecimal number (66 in decimal). The next segment of example 3 is 0207, an octal number equal to 135. But what about that third number?

The “dots” in the address are meant for organization. Twenty-five years ago, our internet founders segmented the IP space into 255 (0xFF) segments. Those segments were split between five address types — large, medium, small, private, and special-use/future. The number before the first dot indicates this segment.

Knowing this, you can begin to do the math to make the above conversions.

If there is a first dot, the number before it is multiplied by 0x1000000 (or 16777216 to us base-10 users). The number after it is not multiplied. This would work just fine for a very large organization: they would have their unique organizational number and over 16 million IP addresses that they could use on the Internet.

A second dot would help mid-size organizations — the first two segments would be assigned to the business and the final segment was theirs to divide as they pleased. And so on, for smaller businesses and the fourth segment. That sounded good back in the early 1980s, and it worked for a while. But, more importantly for our topic, it set the stage for how IP addressing works.

Let’s untwist our 4th example. 0102 is octal for 66. This means that http://66.8857679/ should work too. Does it? So we multiply that 66 by 16777216, and we get 1107296256. We add the last half of example 4 to that. 1107296256 plus 8857679 is 1116153935. That number is hard to remember, but it is the same number we tried in Example 2, above! So, the unique network address to PhishTank is 1116153935!

If there are two or three dots, the first number is multiplied by 0x1000000, the second by 0x10000, and the last is not multiplied. If there are four segments, the third segment is multiplied by 0x100.

Remember that the dots are there for organization — for human convenience. Computers do not need them (as we have shown here).

Now you can turn any dotted decimal (what most would call “normal”) IP address into its actual single-integer address, and back again! Reverse the process using division…

1116153935 ÷ 16777216 (0x1000000) = 66, with a remainder of 8857679
8857679 ÷ 65536 (0x10000) = 135, with a remainder of 10319
10319 ÷ 256 (0x100) = 40, with a remainder of 79
79 ÷ 1 (0x1) = 79

… and that leaves us back at 66.135.40.79, the dotted-decimal IP address that we used in Example 1.

Something not working, or working differently? In twenty-five years, programmers and administrators have grown accustomed to the four-segment dotted-decimal IP addresses, even in the largest organizations. While most network software still accepts these other forms of an address, some do not.

Although these forms of addressing are valid, almost nobody is used to them. Spammers and phishing fraudsters are taking advantage of this. They attempt to get around detection by changing the IP address into something other than a dotted-decimal form. It also tends to make a phishing URL look more legitimate. Here are some examples:

So when you see such an address, don’t panic. Know that the address is a number, and not a name that can be resolved in DNS. Submit the phishing site to PhishTank “as-is,” using the same style of address that the phisher put in his spam email. Then, if you want, deconstruct it into the dotted-decimal IP address and submit the site again using the more “normal” form. Doing this will help remove some of the confusion for verifiers, downstream users, and others who aren’t as smart as you!
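The conversion rules above (hex, octal and decimal segments; one to four segments, with the last segment filling the remaining bytes; division to reverse the process) and the “deconstruct it before resubmitting” step, as one added Python example. This is not code from the original post or from PhishTank; the function names, the host classification labels and the sample URLs in the loop are this example’s own choices.

```python
import re
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Segment rules from the post: a "0x" prefix means hexadecimal, a leading
# "0" means octal, anything else is plain decimal.
def parse_segment(seg: str) -> int:
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", seg):
        return int(seg[2:], 16)
    if re.fullmatch(r"0[0-7]*", seg):
        return int(seg, 8)
    if re.fullmatch(r"[1-9][0-9]*", seg):
        return int(seg, 10)
    raise ValueError(f"not a numeric segment: {seg!r}")


def ip_literal_to_int(host: str) -> Optional[int]:
    """Turn a host with one to four numeric segments into the single
    32-bit address integer; return None for anything else (a DNS name,
    an out-of-range segment, too many dots)."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        values = [parse_segment(p) for p in parts]
    except ValueError:
        return None
    # Every segment except the last is one byte, multiplied by 0x1000000,
    # 0x10000 and 0x100 in turn; the last segment fills whatever bytes
    # remain, which is why "66.8857679" and "0x42.0207.10319" both work.
    n = 0
    for v in values[:-1]:
        if v > 0xFF:
            return None
        n = (n << 8) | v
    tail_bytes = 4 - (len(values) - 1)
    if values[-1] >= 1 << (8 * tail_bytes):
        return None
    return (n << (8 * tail_bytes)) | values[-1]


def int_to_dotted(n: int) -> str:
    """Reverse the process with division, exactly as the post does."""
    octets = []
    for divisor in (0x1000000, 0x10000, 0x100, 1):
        q, n = divmod(n, divisor)
        octets.append(str(q))
    return ".".join(octets)


def classify_host(url: str) -> Tuple[str, Optional[str], str]:
    """Return (host as written, dotted-decimal form or None, kind), where
    kind is 'dns-name', 'dotted-decimal' or 'obfuscated-ip' (labels chosen
    for this example)."""
    host = urlsplit(url).hostname or ""
    n = ip_literal_to_int(host)
    if n is None:
        return host, None, "dns-name"
    dotted = int_to_dotted(n)
    kind = "dotted-decimal" if dotted == host else "obfuscated-ip"
    return host, dotted, kind


if __name__ == "__main__":
    # Constructed inputs: the four URLs from the post plus a DNS name.
    for url in ("http://66.135.40.79/", "http://1116153935/",
                "http://0x42.0207.10319/", "http://0102.8857679/",
                "http://www.phishtank.com/"):
        print(url, "->", classify_host(url))
```

A verifier can run this over a submitted URL and file the dotted-decimal form alongside the one the phisher used; a segment that is out of range for its position (for example 256 in a four-segment address) is rejected rather than silently wrapped, which is also how most network stacks treat it.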

Isn’t that cool?


Like to write a post for PhishTank? Let us know.

8 Responses

  1. DougieLawson

    How do you cater for the virtual hosts? See http://httpd.apache.org/docs/2.0/vhosts/

    If you visit my server http://194.105.mmm.nn, http://194-105-mmm-nn.myisp.co.xx or you visit http://www.swiftys.foo.xx you’ll arrive on the SuSE 9.3 Linux box that runs under the desk in the office behind my garage. What you won’t get is the same content.

    That’s because my Apache server has more than one virtual host defined in the httpd.conf file.

    In the case of your examples
    1. http://66.135.40.79/
    2. http://1116153935/
    3. http://0x42.0207.10319/
    4. http://0102.8857679/
    5. http://66.8857679/

    http://www.phishtank.com doesn’t use that feature so you arrive at the same page. The same may not be true of the site you arrive on from a link in a phishing email.

    As with most scams, security exposures, id theft and internet fraud once we develop a technique to combat the scammer/phisher/fraudster they will change their methods to utilise the latest “new” gizmo. For example, look how much spam email, currently, has embedded GIF graphics. The spam then morphed into animated GIF graphics with a random first frame. [Note: if you want to send an image to me use JPG or PNG else you’ll be filtered.]

  2. funchords

    I don’t cater for the virtual hosts (although some of them can be addressed by IP while using ~accountname in the path part of a URL). I’m not suggesting this as a solution to any problem, other than understanding that all of these different-looking examples are simply IP addresses.

    Not so funny story, though, about virtual hosts.

    A shared-server webhost was the unfortunate recipient of Phish Site, right off the root directory of the webserver. The phishing site was http://(ip address withheld)/cgi_bin/webscr/update.php. I sent the admin a note, telling him of the site.

    The response:
    Unfortunately there is nothing we can do with the information provided
    and since there are 200+ domains hosted on that specific server it
    would take us days to identify the site.

    If you are able to find a domain name for the site please send us back
    an email and it will be taken care of ASAP.

    Regards,
    (Host) Support
    sales@(Host)

    OH SURE! We’ll just sit by and let people get ripped off because you don’t know how to control your server. I suggested that he call someone with a clue, or unplug it, but that leaving it online was unacceptable.

  3. volXPunk

    “…and others who aren’t as smart as you!”

    Wow

    I think that rebuke was aimed at me too. This is more math than I ever dreamed of, but it really works, at least to make the community believe a legitimate site is a phish. A lot of legitimate sites are up for voting here, and some are hard to recognize:

    http://www.phishtank.com/phish_detail.php?phish_id=98035 (note the user phishtank)
    http://www.phishtank.com/phish_detail.php?phish_id=97332
    http://www.phishtank.com/phish_detail.php?phish_id=95658
    http://www.phishtank.com/phish_detail.php?phish_id=95646

    But if that was hard, what are we going to do when the phishers make it even harder, e.g. when a URL no longer resolves to just one server?

    I believe I was snubbed here too. This is more math than I’ve ever dreamed of, but it really works, at least to make the community believe a legit site is a phish. Here are a lot of legit sites to vote on and some are difficult to recognize, but if these were difficult, what are we gonna do if the phishers make it even more difficult, i.e. if one URL resolves to not only one server?

    http://www.phishtank.com/phish_detail.php?phish_id=99141

    pclinux@terra:~$ host isaacxcapitallxz.us
    isaacxcapitallxz.us has address 68.142.212.138
    isaacxcapitallxz.us has address 68.142.212.139
    isaacxcapitallxz.us has address 68.142.212.140
    isaacxcapitallxz.us has address 68.142.212.141
    isaacxcapitallxz.us has address 68.142.212.117
    isaacxcapitallxz.us has address 68.142.212.118
    isaacxcapitallxz.us mail is handled by 20 mx1.biz.mail.yahoo.com.
    isaacxcapitallxz.us mail is handled by 30 mx5.biz.mail.yahoo.com.

    *nix users have a clear advantage. I always told myself I’d quit the day the phish is moved to the botnets, but now I feel this game is more exciting than any I have ever played before, including “upl***”. Hmm. We don’t want any ads here, do we? :-)

  4. moike

    The shortcut? ping {obfuscated IP address}
    converts it to normal dotted decimal.

  5. Sockeye

    I was initially excited about this site (phishtank.com) but now realize it is a waste of time to post phishes here.

    If you are like us and only post a few a day, they will all get lost in the hundreds of phishes posted (it seems constantly) by users like “funchords”, and never get verified.

    Good concept…bad planning.

    GB.

  6. k8jsl

    Another very useful tool is on this site: http://www.dnsstuff.com/. Scroll down to the URL DEOBFUSCATOR; it works like a charm, and better yet, no math involved.

  7. John Nagle

    There’s a related problem. What’s a URL for PhishTank purposes? I’ve
    been trying a few things.

    Suppose “www.example.com/bogus.html” is in the PhishTank database. What related URLs will bring up that entry?

    “www.example.com” won’t.
    “www.example.com/bogus2.html” won’t.
    “www.example.com/bogus2.html?dummy=123456” won’t.

    Try it; pick some URL for a verified phish and make minor mods to it.
    This suggests that phishers who use a different URL in every e-mail can escape PhishTank.

    Some thought has to be given to “what’s a URL?”. This is non-trivial. It’s tempting to blacklist the whole domain, but for some domains (hosting sites, mostly) that has too much collateral damage.

    Ideas?

  8. Martin Cleaver

    It’s clear that following IP addresses (hex or otherwise) should be an option in the browser. In general, only developers need to use this. System admins might want to allow a couple of variations.

    What is for sure is that for the general population, if they’ve ended up on an IP address there is something weird going on.

    Let’s make the browser check with the user that they really want to address by IP.

