4.2. IP Addresses in URLs

We expect a URL to include the hostname of a web server but we can just as easily use the numeric IP address in its place. http://208.12.16.5 and http://www.craic.com are completely equivalent. But most people don't remember the IP address of their own computer, let alone one for eBay or Citibank. Most people tend to assume that an IP address is valid, whereas a false hostname is more likely to arouse suspicion. Scammers exploit this and often use IP addresses in their URLs.

There is a second, perhaps more valuable, benefit to this approach. You can set up an account with an ISP, be assigned an IP address, and set up a web server without having registered a domain name. It makes it harder for people to find you, but because you are including the URL in your spam, that is not a problem. In fact, it is a significant advantage.

Here are a few examples:

  • http://202.87.128.138/sys/index.php

  • http://211.250.185.100/~bookmaul/.paypal/login.html

  • http://218.244.98.8/wamu

URLs with IP addresses may not work properly if the web server manages several virtual hosts. The hostname allows the server to direct you to the correct site, but the IP address is ambiguous, and you will see the first site in the server configuration file that matches that address.


4.2.1. Encoding the IP Address

The IP address alone is not a great disguise, so it is not surprising to see another layer of deception being added by encoding the address in some way.

The easiest approach is to encode the characters in the address in hexadecimal as we did earlier. In this way http://208.12.16.5 becomes http://%32%30%38%2e%31%32%2e%31%36%2e%35.

An interesting alternative is to change the representation of the IP address itself. You can think of a dotted-quad address as a number in base 256, in which the four parts become four successive digits. We can convert this to a standard decimal number. If the address has the form A.B.C.D, then the decimal form is calculated thus:

     A*(256**3) + B*(256**2) + C*256 + D 

So 208.12.16.5 becomes:

     (208 * 16777216) + (12 * 65536) + (16 * 256) + 5 = 3490451461 

Give this a try: http://3490451461

You don't see this very often in practice, probably because it doesn't work in Internet Explorer, but it does work in Firefox on Mac OS X.

Finally, if you want to get really cryptic, you can encode each part of a dotted-quad address in octal, precede the numbers with a zero, and separate those with periods. In this form, the address 208.12.16.5 becomes 0320.0014.0020.0005.

Example 4-3 provides a Perl script to encode a numeric IP address in octal, and the script in Example 4-4 performs the reverse transformation. It is rare to find octal URLs in spam emails, but they do occur and are functional in Safari on Mac OS X.

Example 4-3. encode_octal_url.pl

     #!/usr/bin/perl -w
     die "Usage: $0 <dotted quad IP addr>\n" unless @ARGV == 1;
     my @words = ( );
     # Convert each decimal part of the dotted quad to a zero-prefixed,
     # three-digit octal number (208 -> 0320)
     foreach my $word (split /\./, $ARGV[0]) {
        push @words, sprintf "0%03lo", $word;
     }
     printf "%s\n", join '.', @words;

Example 4-4. decode_octal_url.pl

     #!/usr/bin/perl -w
     die "Usage: $0 <octal encoded URL>\n" unless @ARGV == 1;
     # Replace every zero-prefixed four-digit group with its decimal value
     $ARGV[0] =~ s/(0\d\d\d)/oct $1/ge;
     print $ARGV[0] . "\n";
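The two Perl scripts above handle only the octal form. The following Python decoder is an added example, not from the book, that reverses all three disguises described in this section (percent-encoded, single decimal number, and zero-prefixed octal parts) back to a plain dotted quad, so that URLs pulled from suspect emails can be compared against one canonical address. The function names and the sample URLs are my own.

```python
import re
from typing import Optional
from urllib.parse import unquote, urlsplit, urlunsplit

DECIMAL = re.compile(r"0|[1-9][0-9]*")   # plain decimal, no leading zeros
OCTAL = re.compile(r"0[0-7]+")           # zero-prefixed octal, e.g. 0320


def decode_ip_host(host: str) -> Optional[str]:
    """Return the dotted-quad form of a host written as a dotted quad,
    a single decimal number, octal parts, or any of these hidden behind
    %xx encoding. Return None for an ordinary hostname."""
    host = unquote(host)  # %32%30%38%2e%31%32%2e%31%36%2e%35 -> 208.12.16.5
    if DECIMAL.fullmatch(host):
        n = int(host)  # the base-256 number A*(256**3) + B*(256**2) + C*256 + D
        if n > 0xFFFFFFFF:
            return None
        return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))
    parts = host.split(".")
    if len(parts) != 4:
        return None
    octets = []
    for part in parts:
        if OCTAL.fullmatch(part):
            value = int(part, 8)      # 0320 -> 208
        elif DECIMAL.fullmatch(part):
            value = int(part, 10)
        else:
            return None               # letters or bad leading zeros: not an IP
        if value > 255:
            return None
        octets.append(value)
    return ".".join(str(o) for o in octets)


def canonicalize_url(url: str) -> str:
    """Rewrite the host of a URL to dotted-quad form when it is a disguised
    IP address; URLs with real hostnames are returned unchanged."""
    parts = urlsplit(url)
    decoded = decode_ip_host(parts.hostname or "")
    if decoded is None:
        return url
    netloc = decoded if parts.port is None else f"{decoded}:{parts.port}"
    return urlunsplit(parts._replace(netloc=netloc))


if __name__ == "__main__":
    # Constructed sample URLs, one per encoding discussed in this section.
    for u in ("http://%32%30%38%2e%31%32%2e%31%36%2e%35/",
              "http://3490451461/", "http://0320.0014.0020.0005/"):
        print(u, "->", canonicalize_url(u))
```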



Internet Forensics
ISBN: 059610006X
Year: 2003
Pages: 121
