[nSLUG] Annoying Eastlink Notices

Daniel AJ Sokolov daniel at falco.ca
Sun Feb 28 12:21:05 AST 2016


On 2016-02-28 at 11:22, Gurjeet Clair wrote:
> No prob. However from a professional POV I was wondering if it's
> possible to grab a pcap of the session where a notice gets injected?

On my most recent notice, which appeared when I was browsing
harvard.edu, I recorded the HTTP headers. These four stick out. Would
that help?

GET /universal/IpEngine_v71.js HTTP/1.1
Host: az452423.vo.msecnd.net
Accept: */*
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6
DNT: 1
Origin: http://news.harvard.edu
Referer: http://news.harvard.edu/gazette/story/2016/02/a-religion-course-for-the-internet-age/
SecurityToken: a2dba0ce-778c-4fc1-81bf-42c8235a9d2e
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/48.0.2564.116 Chrome/48.0.2564.116 Safari/537.36

HTTP/1.1 302 Found
Location: http://24.222.0.93/dyn/bg/Movable_Copyright_Eastlink_v2/index.js?policy=10&webServer=http://24.222.0.93&url=http%3A%2F%2Faz452423.vo.msecnd.net%2Funiversal%2FIpEngine_v71.js



GET /dyn/bg/Movable_Copyright_Eastlink_v2/index.js?policy=10&webServer=http://24.222.0.93&url=http%3A%2F%2Faz452423.vo.msecnd.net%2Funiversal%2FIpEngine_v71.js HTTP/1.1
Host: 24.222.0.93
Accept: */*
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6
DNT: 1
Referer: http://news.harvard.edu/gazette/story/2016/02/a-religion-course-for-the-internet-age/
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/48.0.2564.116 Chrome/48.0.2564.116 Safari/537.36

HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Connection: close
Content-Length: 25327
Content-Type: application/x-javascript
Date: Sun, 28 Feb 2016 03:58:53 GMT
Expires: -1
Last-Modified: Fri, 12 Jun 2015 16:38:46 GMT
Pragma: no-cache
Server: PerfTech



GET /ius-76ebdeea04cf3415fce2e5af20c935b7/31790_635906469390136922 HTTP/1.1
Host: az452423.vo.msecnd.net
Accept: */*
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6
DNT: 1
Referer: http://news.harvard.edu/gazette/story/2016/02/a-religion-course-for-the-internet-age/
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/48.0.2564.116 Chrome/48.0.2564.116 Safari/537.36

HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: x-ms-blob-cache-control: public, max-age=900
Content-Encoding: gzip
Content-Length: 532
Content-MD5: mdaYXXc9Kt9cY8eDWtCFgw==
Content-Type: application/javascript
Date: Sun, 28 Feb 2016 03:58:54 GMT
Etag: 0x8D33190928B2C76
Last-Modified: Tue, 09 Feb 2016 20:35:39 GMT
Server: ECAcc (lga/133F)
Vary: Accept-Encoding
X-Cache: HIT
x-ms-blob-type: BlockBlob
x-ms-lease-status: unlocked
x-ms-request-id: ca2cba9c-0001-0045-55da-71be00000000
x-ms-version: 2009-09-19


GET /cgi-bin/notify?status=0&policy=10&webServer=http%3A%2F%2F24.222.0.93 HTTP/1.1
Host: 24.222.0.93
Accept: */*
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6
DNT: 1
Referer: http://news.harvard.edu/gazette/story/2016/02/a-religion-course-for-the-internet-age/
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/48.0.2564.116 Chrome/48.0.2564.116 Safari/537.36

HTTP/1.1 204 No Content
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Connection: close
Content-Length: 0
Content-Type: text/html; charset=iso-8859-1
Date: Sun, 28 Feb 2016 03:58:56 GMT
Expires: -1
Pragma: no-cache
Server: PerfTech
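
A detection sketch for the redirect pattern visible in the first exchange above, added here as an example and not part of the original post: it flags a 3xx that sends a request to a different host while carrying the originally requested URL in a query parameter. The function names and record layout are hypothetical; the first sample record is copied from the headers in the post and the other two are constructed.

```python
from urllib.parse import urlsplit, parse_qsl

def wrapped_redirect(url, status, location):
    """Return the name of the query parameter in `location` that carries the
    originally requested URL when a 3xx sends the client to another host."""
    if not (300 <= status < 400) or not location:
        return None
    if urlsplit(url).hostname == urlsplit(location).hostname:
        return None  # same-host redirects (http->https, renames) are routine
    for name, value in parse_qsl(urlsplit(location).query):
        if value == url:  # parse_qsl has already percent-decoded the value
            return name
    return None

def scan(exchanges):
    """Return one finding per exchange that matches the wrapping pattern."""
    findings = []
    for ex in exchanges:
        param = wrapped_redirect(ex["url"], ex["status"], ex.get("location"))
        if param:
            findings.append({
                "page": ex.get("referer"),
                "script": ex["url"],
                "redirected_to": urlsplit(ex["location"]).hostname,
                "param": param,
            })
    return findings

# Record 1 is from the post; records 2 and 3 are constructed benign cases.
SAMPLE = [
    {"url": "http://az452423.vo.msecnd.net/universal/IpEngine_v71.js",
     "status": 302,
     "location": "http://24.222.0.93/dyn/bg/Movable_Copyright_Eastlink_v2/"
                 "index.js?policy=10&webServer=http://24.222.0.93&url=http%3A"
                 "%2F%2Faz452423.vo.msecnd.net%2Funiversal%2FIpEngine_v71.js",
     "referer": "http://news.harvard.edu/gazette/story/2016/02/"
                "a-religion-course-for-the-internet-age/"},
    {"url": "http://example.com/old.js", "status": 301,
     "location": "https://example.com/new.js", "referer": None},
    {"url": "http://example.org/a.js", "status": 302,
     "location": "http://cdn.example.net/a.js", "referer": None},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```
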



