Yesterday we posted a diary entry about mystery URLs found in some Apache logs. We received many responses, and several readers pointed out that the strings are probably obfuscations of dotted-quad IP addresses. A few readers suggested that since the strings are nine numbers they could be US Social Security Numbers (for those outside the USA, we keep track of all our citizens through a system that is "not" supposed to be a national identity but has become one out of convenience; the nine-digit number is represented as XXX-YY-ZZZZ and the XXX part is a reference code to the general part of the USA you were in when you registered for the number.) I'll give you my theory about the mystery URLs in a moment.
The Social Security Number (SSN) comments got me to thinking about a couple of things. First, since the highest SSN is 999-99-9999, what dotted-quad IP address does that convert to? Let's see.... There are two ways to do this, one easier than the other. Let's do the easy version first:
sachs ~> ping 999999999
So we see that "999999999" converts to "188.8.131.52" but why? The answer to this may be a review for many readers, but others are learning by reading diaries so here goes. This would be "the hard way" if the method above is "the easy way."
Internet Protocol (IP) addresses can be expressed in many different ways. Reader Colin sent us a note this past week pointing this out, and asked why so many methods are available, particularly since so many users are easily confused and fooled by numbers other than the standard dotted quad. Let's take the IP address above. We already know two ways to express it: as the plain decimal number 999999999 and as the dotted quad 188.8.131.52.
But why? Well, the IP address in IP Version 4 (IPv4) is defined as a 32-bit field in the IP header. (See RFC 791 for all of the gory details.) A 32-bit number can be expressed in many forms, of which the dotted quad is the most common. To get to a dotted quad, you start with the 32 bits in their binary form

00111011 10011010 11001001 11111111

then convert the binary to hex

3B 9A C9 FF

then convert each of the four hex numbers into a decimal in the range 0-255 and insert dots where the spaces used to be

184.108.40.206

To make this really fun, you can ping an IP address (or use one of these notations in a URL) in many ways. All of the following are equivalent:

Octal ~> ping 07346544777

OK, so enough fun. Back to where we started. What was the meaning of the mystery URLs? I've got a hunch - this is probably some spyware causing infected machines (or clueless users opening bugged spam) to connect to a web server under the control of the hacker/spammer/evil-doer. The evil one then looks at the logs via her sneaky back-door account and compares the names of the files requested (which do not have to exist) against a list of tracking numbers to see who actually opens the spam or activates the spyware. Now the evil one has a list of "good" email addresses and a bonus - a live IP address that might yield additional value, given the level of clue of its operator. That's not necessarily the final answer, just a hunch....
As for the SSN stuff, you can go the other way. Only IP addresses below 220.127.116.11 fit in nine decimal digits, but that's just under one-fourth of the Internet, so there's plenty of room to play. Just for fun, somebody in the USA probably has the SSN 301-85-9767 but has no idea what web site answers at the dotted-quad equivalent. Care to find out?
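A worked conversion for the notations above and for "going the other way", added here as an example and not code from the original diary. It follows the inet_aton parsing rules (a, a.b, a.b.c or a.b.c.d, each part decimal, 0x hex or 0-prefixed octal), so it also covers the two- and three-part forms the list above does not show, and it flags any host written in a non-canonical form, which is how a log reviewer would pick out the obfuscated URLs; the sample hosts are constructed.

```python
import re

def parse_component(tok: str) -> int:
    """One inet_aton-style component: 0x hex, leading-0 octal, else plain decimal."""
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", tok):
        return int(tok, 16)
    if re.fullmatch(r"0[0-7]*", tok):
        return int(tok, 8)
    if re.fullmatch(r"[1-9][0-9]*", tok):
        return int(tok, 10)
    raise ValueError(f"not an inet_aton component: {tok!r}")

def to_ipv4_int(text: str) -> int:
    """Collapse a, a.b, a.b.c or a.b.c.d into the single 32-bit value the IP header carries."""
    parts = [parse_component(p) for p in text.strip().split(".")]
    if len(parts) > 4:
        raise ValueError("too many components")
    head, last = parts[:-1], parts[-1]
    if any(p > 0xFF for p in head):
        raise ValueError("leading component exceeds one octet")
    if last >= 1 << (8 * (4 - len(head))):   # the last part fills the remaining bytes
        raise ValueError("final component too large")
    value = last
    for i, p in enumerate(head):
        value |= p << (24 - 8 * i)
    return value

def to_dotted_quad(text: str) -> str:
    v = to_ipv4_int(text)
    return ".".join(str((v >> s) & 0xFF) for s in (24, 16, 8, 0))

def is_canonical(text: str) -> bool:
    """True only for a plain decimal dotted quad: four octets, no leading zeros, each <= 255."""
    m = re.fullmatch(r"(?:0|[1-9]\d{0,2})(?:\.(?:0|[1-9]\d{0,2})){3}", text)
    return m is not None and all(int(p) <= 255 for p in text.split("."))

def to_nine_digits(dotted: str):
    """Going the other way: the plain decimal form, or None if it needs more than nine digits."""
    v = to_ipv4_int(dotted)
    return f"{v:09d}" if v < 10**9 else None

def flag_hosts(hosts):
    """Normalise each host to a dotted quad and flag the ones written in a non-canonical notation."""
    return [(h, to_dotted_quad(h), not is_canonical(h)) for h in hosts]

# Constructed sample hosts: the notations discussed above plus a two-part inet_aton form.
SAMPLE_HOSTS = ["999999999", "0x3B9AC9FF", "07346544777", "59.154.201.255", "59.154.51711"]

if __name__ == "__main__":  # quick demonstration on the constructed sample
    for raw, canon, flagged in flag_hosts(SAMPLE_HOSTS):
        print(f"{raw:>16} -> {canon:<16} {'OBFUSCATED' if flagged else 'plain'}")
```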
Marcus H. Sachs
Handler on Duty
Jul 2nd 2006