Forum Moderators: phranque

Message Too Old, No Replies

Weferer ?

unknown HTTP header variable

         

PsychoTekk

3:09 pm on Apr 30, 2002 (gmt 0)

10+ Year Member



for some months now occasionally this variable
shows up in my logs, but what's it for?
the data it contains is a string, all capital letters,
so i don't think it's base64 encoded.
also it's always from the same ip (Genuity [genuity.com], Netblock NET-GNTY-4-0)
there is no RFC spec about it either, seems to be a non-standart var
any ideas?

Brett_Tabke

6:52 pm on Jun 14, 2002 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



Can't say as I have seen that one. I've been logging headers for about a week here and every thing is just ducky. That's a fairly common tactic though for custom software to use a custom header trigger.

PsychoTekk

7:06 pm on Jun 14, 2002 (gmt 0)

10+ Year Member



i wonder because i lately saw also win xp users from germany send the
weferer variable... i can't see any common details about all the hits
containing weferer

littleman

7:25 pm on Jun 14, 2002 (gmt 0)



I have see this a lot, it is always some type of random letter string.
Like this:
HTTP_Weferer = QZAAFXISHJEXXIMQZUIVOTQNQEMSFDULHPQQWOYIYZUNNYCGPKYLEJGDGVCJVTLBXFGGMEPYOQKEDOTWFAOBUZXUWLSZLKBRNVWWCUFPE
HTTP_Weferer = LEJGDGVCJVTLBXFGGMEPYOQKEDOTWFAOBUZXUWLSZLKBRNVWWCUFPEGAUTFJMVRESKPNKMBIPBARHDMNNSKVFVWRKJVZCMHVIBGDADRZFSQHYUCDDJBLVLMHAALPTCXLYRWTQTIPWIGYOKSTTZRCLBDXRQBGJSNBOHMKHJYFMYXOEAIJJPHSCR
HTTP_Weferer = HDMNNSKVFVWRKJVZCMHVIBGDADRZFSQHYUCDDJBLVLMHAALPTCXLYRWTQTIPWIGYOKSTTZRCLBDXRQBGJSNBOHMK

I think it is given by some proxy servers for pseudo tractability.

jdMorgan

7:34 pm on Jun 14, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Sounds like a "forged" header... Note that "W" is right next to "E", and on the opposite side from "R" on the keyboard - It may be just a common typo. I'd look for other signs in case they may be up to no good... Scraping e-mail addys or digging for emailforms.pl, etc.

Jim

littleman

7:44 pm on Jun 14, 2002 (gmt 0)



I think it is an encrypted referrer used in some anonymizer programs/proxies.

Possible use would be reverse tractability if needed -- for law enforcement and such. I don't think it is not a typo, it is too common and always has this pattern.

PsychoTekk

7:48 pm on Jun 14, 2002 (gmt 0)

10+ Year Member



littleman, are those the original entries from your logfiles?
mine are about half that long, always the same length
HTTP_WEFERER: MBIPBARHDMNNSKVFVWRKJVZCM (windows 2000, dialup US)
HTTP_WEFERER: DMNNSKVFVWRKJVZCMHVIBGDAD (win xp, hansenet dsl, DE)
(these ones are from this months' logfile which is on the server,
i can't check all entries now cause i'm not at my machine atm)

richlowe

7:49 pm on Jun 14, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Check this:

[phpbuilder.com...]

I think it has the answer.

Richard Lowe

PsychoTekk

7:53 pm on Jun 14, 2002 (gmt 0)

10+ Year Member



I think it is an encrypted referrer used in some anonymizer programs/proxies.

if so, the proxies are high anon proxies, no sign of proxy use in those
logentries where weferer shows up
...hm i can't tell if i make sense right now, it's already some glasses vodka
done this evening... :)

jdMorgan

7:54 pm on Jun 14, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Thanks Rich,

But maybe the Elmer Fudd theory is correct!

Jim

PsychoTekk

7:57 pm on Jun 14, 2002 (gmt 0)

10+ Year Member



man i'm slow at typing...
nice find richlowe!
but it's saaid there it was a random set...
i dont think so, if the variable did not make sense they
would probably just leave it away - there must be a way to decrypt
it
anyways, it seems to be an encrypted referer string, this statisfies my
curiosity atm
thanks yall :)

littleman

7:58 pm on Jun 14, 2002 (gmt 0)



Psych, I bet your log entries are being truncated. I collect header information, that is from raw header entries.

Rich, yeah, basically my understanding.

PsychoTekk

8:10 pm on Jun 14, 2002 (gmt 0)

10+ Year Member



well i'm a header geek and i log the entries using my lil lovely
perl script, they are not trunceted
..k, time to leave wmw for party, wmw is not the right
place to talk while being drunk :)
have a nice weekend everybody!

Marcia

9:12 pm on Jun 14, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



littleman, you made this thwead scwoll sideways, you should wepaiw it.

toadhall

4:59 am on Jun 19, 2002 (gmt 0)

10+ Year Member



My, things cewtainly aw getting intewesting 'wound hewe:

$ENV{'HTTP_WSER_AGENT'}=YXOEAIJJPHSCRTNHGSWZIDRE
XCAXZOWCONEUQZAAFXISHJ

saurabh

2:51 pm on Aug 9, 2002 (gmt 0)

10+ Year Member



I am 100% sure Norton Firewall does this. Why? I am not sure!
I'll check Symantec site and if I get some info I'll post it here.