Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: Number Theory - Internet Security | DShield SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Number Theory
Yesterday we posted a diary entry about mystery URLs found in some Apache logs.  We received many responses, and several readers pointed out that the strings are probably obfuscations of dotted-quad IP addresses.   A few readers suggested that since the strings are nine numbers they could be US Social Security Numbers (for those outside the USA, we keep track of all our citizens through a system that is "not" supposed to be a national identity but has become one out of convenience; the nine-digit number is represented as XXX-YY-ZZZZ and the XXX part is a reference code to the general part of the USA you were in when you registered for the number.)  I'll give you my theory about the mystery URLs in a moment.

The Social Security Number (SSN) comments got me to thinking about a couple of things.  First, since the highest SSN is 999-99-9999, what dotted-quad IP address does that convert to?  Let's see....   There are two ways to do this, one easier than the other.  Let's do the easy version first:
sachs ~> ping 999999999
PING 999999999 (59.154.201.255): 56 data bytes
^C
--- 999999999 ping statistics ---
16 packets transmitted, 0 packets received, 100% packet loss
sachs ~>

So we see that "999999999" converts to "59.154.201.255" but why?  The answer to this may be a review for many readers, but others are learning by reading diaries so here goes.  This would be "the hard way" if the method above is "the easy way."

Internet Protocol (IP) addresses can be expressed in many different ways.  Reader Colin sent us a note this past week pointing this out, and asked why so many methods are available particularly since so many users are easily confused and fooled by numbers other than the standard dotted quad.  Let's take the IP address above.  We already know two ways to express it:

Decimal        999999999
Dotted Quad   59.154.201.255
But why?  Well, the IP address in IP Version 4 (IPv4) is defined as a 32-bit field in the IP header.  (See RFC 791 for all of the gory details.)  A 32-bit number can be expressed in many forms, of which the dotted quad is the most common.  To get to a dotted-quad, you start with the 32 bits in their binary form
00111011 10011010 11001001 11111111
then convert the binary to hex
3B 9A C9 FF
then covert the four hex numbers into decimals in the range of 0-255 and insert dots where there spaces used to be
59.154.201.255
To make this really fun, you can ping an IP address (or use one of these notations in a URL) in many ways.  All of the following are equivalent:

Octal                           ~> ping 07346544777
Decimal                      ~> ping 999999999
Hex                         ~> ping 0x3b9ac9ff
Dotted Quad                     ~> ping 59.154.201.255
Dotted Quad with hex           ~> ping 0x3b.0x9a.0xc9.0xff
Dotted Quad with octal         ~> ping 073.0232.0311.0377
Dotted Quad with hex and octal  ~> ping 0x3b.0c9a.0311.0377
Dotted three-quarter-Quad       ~> ping 59.154.51711
OK, so enough fun.  Back to where we started.  What was the meaning of the mystery URLs?  I've got a hunch - this is probably some spyware causing infected machines (or clueless users opening bugged spam) to connect to a web server under the control of the hacker/spammer/evil-doer.  The evil one then looks at the logs via her sneaky back door account and can compare the name of the files requested (which do not have to exist) against a list of tracking numbers to see who actually opens the spam or activates the spyware.  Now the evil one has a list of "good" email addresses and a bonus - a live IP address that might yield additional value due to the level of clue coming from the operator.  That's not necessarily the final answer, just a hunch....

As for the SSN stuff, you can go the other way.  IP addresses below 59.154.201.255 are the only ones you can use, but that's just under one-fourth of the Internet so plenty of room to play.  Just for fun, somebody in the USA probably has the SSN of 301-85-9767 but has no idea what web site answers to the dotted-quad equivalent.  Care to find out?


Marcus H. Sachs
Handler on Duty

Marcus

301 Posts
ISC Handler

Sign Up for Free or Log In to start participating in the conversation!