I took a look. That domain is acting as a 2-hop open web proxy. The first hop routes through a VPS in New York. The second hop routes through a (dedicated?) server in Montreal. The New York VPS is running nginx as a reverse proxy with no caching. The Montreal server is running Mr9.SM, which looks like an online fraud toolkit built on top of a web proxy back end. On the same server, there is an exposed MongoDB interface that is leaking data that should not be leaked.
There are other domains that are also using these two servers as a 2-hop open web proxy (the domains and two servers are most likely managed by the same entity, since the setup requires coordination). A small sample (rot13ed to stop bots from picking them up):
nqbivan.pbz
pbaqbefubrf.pbz
qbjaybnqjvaqbjf8.zr
serrcfq.zr
ccggrzcyngrf.zr
jvaqbjfqbjaybnq.zr
Strangely, I wasn’t able to figure out what fraud is being attempted. I expected to see cookie stuffing, but there was no sign of that—the only thing added to each page is a JavaScript StatCounter tracker. Phishing seems unlikely given the rather conspicuous domain names… but I suppose many users still fall for that. I don’t understand why a 2-hop design is used, especially since nginx is not being used to cache anything. If anyone figures out what’s going on, I would be very interested to hear about it.
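As an added example (not part of the comment above) of how one could confirm what such a proxy adds to the pages it relays: fetch the same article directly and through the proxy, undo the proxy's hostname rewriting (the origin host becomes a subdomain of the proxy, as in sciencemag.lovefuck.me), then diff the script elements. The two HTML pages and the StatCounter project id are constructed for illustration, not captured traffic.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

class ScriptCollector(HTMLParser):
    """Collect every <script> as ('src', url) or ('inline', code)."""
    def __init__(self):
        super().__init__()
        self.scripts, self._src, self._buf = [], None, None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._src, self._buf = dict(attrs).get("src"), []

    def handle_data(self, data):
        if self._buf is not None:          # only inside a <script> element
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            code = "".join(self._buf).strip()
            self.scripts.append(("src", self._src) if self._src else ("inline", code))
            self._src, self._buf = None, None

def unrewrite(url, proxy_suffix):
    """Undo host rewriting of the form origin-host.<proxy_suffix>, keeping the path."""
    p = urlsplit(url)
    if p.netloc.lower().endswith("." + proxy_suffix):
        p = p._replace(netloc=p.netloc[:-len(proxy_suffix) - 1])
    return urlunsplit(p)

def collect_scripts(html, proxy_suffix=None):
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return [("src", unrewrite(v, proxy_suffix)) if k == "src" and proxy_suffix else (k, v)
            for k, v in parser.scripts]

def injected_scripts(origin_html, proxied_html, proxy_suffix):
    """Scripts present in the proxied copy but absent from the page fetched directly."""
    origin = set(collect_scripts(origin_html))
    return [s for s in collect_scripts(proxied_html, proxy_suffix) if s not in origin]

# Constructed sample pages (not captured traffic); the suffix mirrors sciencemag.lovefuck.me.
ORIGIN_HTML = """<html><head><script src="https://static.sciencemag.org/js/site.js"></script>
</head><body><p>Article text.</p></body></html>"""
PROXIED_HTML = """<html><head><script src="https://static.sciencemag.org.lovefuck.me/js/site.js"></script>
</head><body><p>Article text.</p>
<script>var sc_project=1234567; var sc_invisible=1;</script>
<script src="https://www.statcounter.com/counter/counter.js"></script></body></html>"""
```

Without the unrewriting step every origin script whose URL the proxy rewrote would also show up as "injected", which is why the suffix is normalised before the diff.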
“Peering Into Peer Review”, 2014 (linked from http://pipeline.corante.com/archives/2014/02/20/the_nih_takes_a_look_at_how_the_moneys_spent.php and apparently the full text is at http://sciencemag.lovefuck.me/content/343/6171/596.short—no, I don’t understand either why Science is now being hosted on lovefuck.me. There are many things in this world I don’t understand.) Here.
Thanks for the paper. Mysterious indeed.