Archive of:
CF-Talk
Cold Fusion - Technical
  Archived TallyList / CF-Talk: 
Subject: Re: The +.htr bug strikes again
Brendan Avery (25p/+2r)     Posted: Thursday 11 Jan 2001
This post: 270 views, +2 rating

Since I've been getting a bunch of off-list requests for this I'll just post it here too:

---

the basic concept of the "web bug" is this, (i did not coin the name web bug, i saw the name in some recent stupid zdnet story, but the technique is as old as HTML) if you put an <img src=""> anywhere in an html page or html email, that user's browser is going to make a request for whatever is in the <img src=""> tag. if the src="http://x.x.x.x/something.cfm" you can write whatever you want in the cfm file to do reverse dns lookup (i recommend the free cfx_nslookup tag) and log that data. it's the same technique used for your standard "counter.cgi" which performs text file process and then spits back an image representing the number of hits. you can spit back a transparent gif or an ad banner and nobody's the wiser.

unless of course they check your source and it's pointing to "spyonthatbastard.cfm" etc. that's why when i do this, i use something that looks like an ad banner service rather than a monitoring service. make your url innocuous or otherwise unsuspicious.

there's another technique to cloak ip addresses using a straight decimal representation of the four byte code. i'll post a page for that one later.

here's my simple ad banner web bug that i wrote just for the purpose of grabbing these guys' ip address. this version returned a neoplanet banner gif. you'll need cfx_nslookup installed on your machine if you want it to do the reverse dns lookup. also, you'll want to change the email notification address to something else.

<cftry>
  <cfx_nslookup iphost="#CGI.Remote_Addr#">   <!--- reverse DNS of the requester; third-party custom tag --->
  <cfcatch><cfset nslookuphost="cfx_nslookup not installed"></cfcatch>
</cftry>
<cfparam name="url.id" default="NO_ID">   <!--- optional ?id= value carried on the image URL --->
<!--- log line: ip, hostname, date, time, id, referer (tab-separated); the date/time masks use single quotes because they sit inside a double-quoted attribute --->
<cffile action="APPEND" file="#expandpath('log.txt')#" addnewline="Yes"
        output="#CGI.Remote_Addr##chr(9)##nslookuphost##chr(9)##dateformat(now(),'dd/mm/yyyy ')##timeformat(now(),'HH:mm:ss')##chr(9)##url.id##chr(9)##cgi.http_referer#">

<cfmail to="you@yourisp.com" from="you@yourisp.com" subject="the ad banner speaks...">
#CGI.remote_addr##chr(9)##nslookuphost##chr(9)##dateformat(now(),"dd/mm/yyyy ")##timeformat(now(),"HH:mm:ss")##chr(9)##url.id##chr(9)##cgi.http_referer#
</cfmail>

<cfcontent type="image/gif" file="d:\r00t\ad\banners\neoplanet.gif" deletefile="No">

---

of course, keep in mind that if they don't accept/render HTML email (I personally disable HTML email by not using MS Outlook) then this won't work. but most webmail services (in this case the guys used mail.com) render HTML whether you want them to or not.

oh and as to how i got their email address, they put psuspectz@mail.com on their hack page.

--Brendan Avery / ba@brendanavery.com

At 04:49 PM 1/11/2001 -0500, you wrote:
> > Um no you can't.
> >
> > The buffer underrun abends the logging process.
>
> Oh sorry. I am not a network administrator, so I was under the impression
> that you could. Well then, where can I get this web bug you talk about and
> what exactly is a buffer underrun in a log (i've only heard of the term when
> burning cds). Is there any way to prevent a buffer underrun?
>
> --=@ greg @=--
> ----- Original Message -----
> From: "Brendan Avery" <ba@brendanavery.com>
> To: "CF-Talk" <cf-talk@houseoffusion.com>
> Sent: Thursday, January 11, 2001 4:35 PM
> Subject: Re: The +.htr bug strikes again
>
> > Um no you can't.
> >
> > The buffer underrun abends the logging process.
> >
> > -b][a-
> >
> > At 04:16 PM 1/11/2001 -0500, you wrote:
> > > You coulda just checked your logs and found their IP address that way too.
> > >
> > > --=@ greg @=--
> > > ----- Original Message -----
> > > From: "Brendan Avery" <ba@brendanavery.com>
> > > To: "CF-Talk" <cf-talk@houseoffusion.com>
> > > Sent: Thursday, January 11, 2001 3:33 PM
> > > Subject: RE: The +.htr bug strikes again
> > >
> > > > we got hit with an /iisadmpwd/*.htr bug hack a couple of days ago on a low-security machine.
> > > >
> > > > "prime suspectz ownz you" hack page.
> > > >
> > > > but i got their ADSL ip number after emailing them with a web bug.
> > > >
> > > > eeediots.
> > > >
> > > > --brendan avery / ba@brendanavery.com
> > > >
> > > > At 03:14 PM 1/11/2001 -0500, you wrote:
> > > > > How does one test to see if the problem has been fixed?
> > > > >
> > > > > Won
> > > > >
> > > > > -----Original Message-----
> > > > > From: Zachary Bedell [mailto:Aramis@adirondack.net]
> > > > > Sent: Thursday, December 21, 2000 10:47 PM
> > > > > To: CF-Talk
> > > > > Subject: RE: The +.htr bug strikes again
> > > > >
> > > > > > Someone should probably make an official "checklist"
> > > > > > to run through when you setup a CF server.
> > > > >
> > > > > How about these additions to said checklist:
> > > > >
> > > > > In addition to removing the .htr mapping, also remove the mappings for
> > > > > any other extensions that you won't be using on that server.
> > > > >
> > > > > Like:
> > > > > htw -- unless you're using the WebHits highlighter
> > > > > ida, idq, htr, idc -- unless you're using old-style Index Server access
> > > > > asp, cer, cdx, asa -- unless you're also hosting ASP apps on that server
> > > > > shtm, shtml, stm -- unless you're using Server Side Include files
> > > > > printer -- WTF is this and why did IIS install it for Win2k?
> > > > >
> > > > > You could probably also yank the dbm extension unless you have REALLY
> > > > > old CF code lying around.
> > > > >
> > > > > Basically your goal is to DISABLE any functionality of your server that
> > > > > you're not currently using. The less junk you have running on the
> > > > > server, the less chance someone will find a bug in part of the server
> > > > > you didn't even know was there.
> > > > >
> > > > > Granted, there's a fine and arcane art to disabling just the right
> > > > > things without breaking any part of your server. You'd be best to play
> > > > > on a production server that you can afford to trash & reinstall a few
> > > > > times if need be. Certainly, though, deleting extensions for file types
> > > > > not used in your sites (or your customer's sites for webhosts) is
> > > > > completely safe and a good idea in general.
> > > > >
> > > > > Best regards,
> > > > > Zac Bedell
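The post's "web bug" works only because the mail client fetches every remote <img src="http://..."> in an HTML message, handing the sender the reader's IP and reverse-DNS name. The following scanner is an added example (not code from the post or the list) that flags such remote image loads in an HTML body so a gateway or client can strip them before rendering; the sample message, hostnames and the `find_web_bugs` helper are constructed for illustration.

```python
"""Flag remote <img> loads ('web bugs') in an HTML email body."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in the document."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":  # HTMLParser lowercases tag and attribute names
            self.images.append({k: (v or "") for k, v in attrs})


def find_web_bugs(html):
    """Return one finding per <img> whose src is an http(s) URL.

    Inline (cid:) and data: images never contact a remote host, so they are
    ignored. A finding is marked 'hidden' for a 1x1/0x0 image and
    'tracking_id' when the URL carries a query string (the post's ?id=...).
    """
    parser = ImgCollector()
    parser.feed(html)
    findings = []
    for img in parser.images:
        src = img.get("src", "").strip()
        url = urlparse(src)
        if url.scheme not in ("http", "https"):
            continue
        tiny = img.get("width") in ("0", "1") and img.get("height") in ("0", "1")
        findings.append({"host": url.netloc, "src": src,
                         "hidden": tiny, "tracking_id": bool(url.query)})
    return findings


# Constructed sample message: one inline logo, one 'ad banner' style bug
# like the post's, and one invisible 1x1 pixel.
SAMPLE = """<html><body><p>hi there</p>
<img src="cid:logo" width="200" height="60">
<img src="http://ads.example.net/banner.cfm?id=ps-0042" width="468" height="60">
<img src="https://ads.example.net/pixel.cfm?id=7" width="1" height="1">
</body></html>"""

if __name__ == "__main__":
    for finding in find_web_bugs(SAMPLE):
        print(finding)
```

Blocking or rewriting every remote image reference before display is the reliable countermeasure; size and query-string heuristics only help prioritise, since the banner-sized bug in the post would look like an ordinary ad to them.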

