Created
June 13, 2012 17:19
-
-
Save littlefyr/2925346 to your computer and use it in GitHub Desktop.
Tracking down Mobgifts
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| It seems that mobgifts is taking over sites when you browse to them with an android phone. I've tracked down the problem to ads served up via the adnxs.com and trafficserv.info domains. | |
| To determine this I did the following on my desktop: | |
| * configured Chrome to use an andriod user agent | |
| ** Mozilla/5.0 (Linux; U; Android 2.3.6; en-us; Nexus S Build/GRK39F) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 | |
| * opened the inspector and set the net panel to persist. | |
| * requested a page known to have the problem | |
| * exported the contents of the net tab to a HTTP Archive json | |
| * wrote a script (below) to rerun the requests and dump out the contents | |
| I managed to follow the culprits back as far as I can. I can't find a reference to the first adnxs.com request be because the request that resulted in that one returned a different result (as ad networks tend to do). |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ------------------------------ http://ib.adnxs.com/ab?enc=m98w0SAFAECfJzMYAoT8PwAAAGBmZv4_nyczGAKE_D-c3zDRIAUAQC8JMsn8qTFfSs6N3NhwCFl_s9hPAAAAAPq4CwBKAAAAtAMAAAIAAAAsihcAOkwCAAEAAABVU0QAVVNEACwB-gBqXbcArCcBAgUCAQQAAIIAsSF0WQAAAAA.&tt_code=29977&cnd=%21LSAdmwiJ9BEQrJReGAAgupgJMAA46roFQABItAdQ-vEuWABgsgJoAHAAeACAAQCIAQCQAQGYAQGgAQGoAQOwAQC5AZ6ZTw0hBQBAwQGemU8NIQUAQMkBwobaXvrc8D_ZAQAAAAAAAPA_4AEA&udj=uf%28%27a%27%2C+43565%2C+1339601791%29%3Buf%28%27c%27%2C+293385%2C+1339601791%29%3Buf%28%27g%27%2C+121998%2C+1339601791%29%3Buf%28%27r%27%2C+1542700%2C+1339601791%29%3B&ccd=%212ARpKAiJ9BEQrJReGLqYCSAA&referrer=http%3A%2F%2Fwww.merrittnews.net%2Fapps%2Fpbcs.dll%2Fsection%3Fcategory%3Dmerritt&media_subtypes=1&dlo=1&pp=0.8545 ------------------------------ | |
| Headers: {"cache-control"=>["no-store, no-cache, private"], "pragma"=>["no-cache"], "expires"=>["Sat, 15 Nov 2008 16:00:00 GMT"], "p3p"=>["policyref=\"http://cdn.adnxs.com/w3c/policy/p3p.xml\", CP=\"NOI DSP COR ADM PSAo PSDo OURo SAMo UNRo OTRo BUS COM NAV DEM STA PRE\""], "x-xss-protection"=>["0"], "set-cookie"=>["sess=1; path=/; expires=Thu, 14-Jun-2012 16:37:12 GMT; domain=.adnxs.com; HttpOnly", "anj=Kfu=8fG5EfCxrx)0s]#%2L_'x%SEV/hnKD(8Ep.IKj/ji_$y-sPx$gz^c0dP; path=/; expires=Tue, 11-Sep-2012 16:37:12 GMT; domain=.adnxs.com; HttpOnly"], "connection"=>["close"], "content-type"=>["text/javascript"], "date"=>["Wed, 13 Jun 2012 16:37:12 GMT"], "content-length"=>["1049"]} | |
| document.write('<iframe frameborder="0" width="300" height="250" marginheight="0" marginwidth="0" target="_blank" scrolling="no" src="http://ib.adnxs.com/if?enc=bCkYjj257j_y0k1iEFjrPwAAAGBmZv4_nyczGAKE_D-c3zDRIAUAQC8JMsn8qTFfSs6N3NhwCFl_s9hPAAAAAPq4CwBKAAAAtAMAAAIAAAAsihcAOkwCAAAAAABVU0QAVVNEACwB-gBqXbcArCcBAgUCAQQAAIIAYSO6HwAAAAA.&tt_code=29977&cnd=%21LSAdmwiJ9BEQrJReGAAgupgJMAA46roFQABItAdQ-vEuWABgsgJoAHAAeACAAQCIAQCQAQGYAQGgAQGoAQOwAQC5AZ6ZTw0hBQBAwQGemU8NIQUAQMkBwobaXvrc8D_ZAQAAAAAAAPA_4AEA&udj=uf%28%27a%27%2C+43565%2C+1339601791%29%3Buf%28%27c%27%2C+293385%2C+1339601791%29%3Buf%28%27g%27%2C+121998%2C+1339601791%29%3Buf%28%27r%27%2C+1542700%2C+1339601791%29%3B&ccd=%212ARpKAiJ9BEQrJReGLqYCSAA&referrer=http%3A%2F%2Fwww.merrittnews.net%2Fapps%2Fpbcs.dll%2Fsection%3Fcategory%3Dmerritt&media_subtypes=1&dlo=1"></iframe>');document.write('<iframe src="http://view.atdmt.com/iaction/adoapn_AppNexusDemoActionTag_1" width="1" height="1" frameborder="0" scrolling="No" marginheight="0" marginwidth="0" topmargin="0" leftmargin="0"></iframe>'); | |
| ------------------------------ http://ib.adnxs.com/if?enc=bCkYjj257j_y0k1iEFjrPwAAAGBmZv4_nyczGAKE_D-c3zDRIAUAQC8JMsn8qTFfSs6N3NhwCFl_s9hPAAAAAPq4CwBKAAAAtAMAAAIAAAAsihcAOkwCAAAAAABVU0QAVVNEACwB-gBqXbcArCcBAgUCAQQAAIIAYSO6HwAAAAA.&tt_code=29977&cnd=%21LSAdmwiJ9BEQrJReGAAgupgJMAA46roFQABItAdQ-vEuWABgsgJoAHAAeACAAQCIAQCQAQGYAQGgAQGoAQOwAQC5AZ6ZTw0hBQBAwQGemU8NIQUAQMkBwobaXvrc8D_ZAQAAAAAAAPA_4AEA&udj=uf%28%27a%27%2C+43565%2C+1339601791%29%3Buf%28%27c%27%2C+293385%2C+1339601791%29%3Buf%28%27g%27%2C+121998%2C+1339601791%29%3Buf%28%27r%27%2C+1542700%2C+1339601791%29%3B&ccd=%212ARpKAiJ9BEQrJReGLqYCSAA&referrer=http%3A%2F%2Fwww.merrittnews.net%2Fapps%2Fpbcs.dll%2Fsection%3Fcategory%3Dmerritt&media_subtypes=1&dlo=1 ------------------------------ | |
| Headers: {"cache-control"=>["no-store, no-cache, private"], "pragma"=>["no-cache"], "expires"=>["Sat, 15 Nov 2008 16:00:00 GMT"], "p3p"=>["policyref=\"http://cdn.adnxs.com/w3c/policy/p3p.xml\", CP=\"NOI DSP COR ADM PSAo PSDo OURo SAMo UNRo OTRo BUS COM NAV DEM STA PRE\""], "x-xss-protection"=>["0"], "set-cookie"=>["sess=1; path=/; expires=Thu, 14-Jun-2012 16:37:12 GMT; domain=.adnxs.com; HttpOnly", "anj=Kfu=8fG6Q/Cxrx)0s]#%2L_'x%SEV/^U7g%1P6-Z; path=/; expires=Tue, 11-Sep-2012 16:37:12 GMT; domain=.adnxs.com; HttpOnly"], "connection"=>["close"], "content-type"=>["text/html; charset=utf-8"], "date"=>["Wed, 13 Jun 2012 16:37:12 GMT"], "content-length"=>["145"]} | |
| <IFRAME FRAMEBORDER=0 MARGINWIDTH=0 MARGINHEIGHT=0 SCROLLING=NO WIDTH=300 HEIGHT=250 SRC="http://trafficserv.info/mobile/300x250av.php"></IFRAME> | |
| ------------------------------ http://trafficserv.info/mobile/300x250av.php ------------------------------ | |
| Headers: {"server"=>["nginx/0.8.54"], "date"=>["Wed, 13 Jun 2012 16:36:51 GMT"], "content-type"=>["text/html"], "connection"=>["close"], "x-powered-by"=>["PHP/5.2.17"], "location"=>["300x250av_ca.php"], "content-length"=>["0"]} | |
| ------------------------------ http://trafficserv.info/mobile/300x250av_ca.php ------------------------------ | |
| Headers: {"server"=>["nginx/0.8.54"], "date"=>["Wed, 13 Jun 2012 16:37:04 GMT"], "content-type"=>["text/html"], "connection"=>["close"], "x-powered-by"=>["PHP/5.2.17"], "content-length"=>["264"]} | |
| <script> | |
| if (top.location != self.location) { | |
| top.location = "http://my.blueads.com/adclick.php?pid=396&wmid=384&nvc=1&ord=[timestamp]"; | |
| } | |
| </script> | |
| <p><a target="_blank" href="click.php"> | |
| <img border="0" src="300x250.gif" width="300" height="250"></a> | |
| </p> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| require 'json' | |
| require 'net/http' | |
| require 'pp' | |
| require 'uri' | |
| x = File.open("./har.json") { |f| JSON.load(f)} | |
| x["log"]["entries"].each do |entry| | |
| data = entry['request'] | |
| puts "#{'-' * 30} #{data['url']} #{'-' * 30}" | |
| next if data['url'] == 'about:blank' | |
| uri = URI(data['url']) | |
| req = Net::HTTP::Get.new(uri.request_uri) | |
| data['headers'].each do |header| | |
| req[header["name"]] = header["value"] unless ['Cookie', 'Accept-Encoding'].include?(header["name"]) | |
| end | |
| begin | |
| res = Net::HTTP.start(uri.host, uri.port) {|http| | |
| http.request(req) | |
| } | |
| puts "Headers: #{res.to_hash.inspect}\n" | |
| puts puts res.body | |
| rescue Exception => e | |
| puts "Exception: " | |
| pp e | |
| end | |
| end |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment